Captain Christoph Schaefer highlights the ways in which the superyacht cyber security threat is evolving…
Like many of my peers in the yachting industry, I’m acutely aware of the vulnerability of our on-board IT systems and I believe, just like everybody else, that I have a tendency to ignore the fact that more could be done. Is it ignorance or complacency? Or is it just a case of being overwhelmed by the topic, not really understanding how to protect myself against threats, imagined or real? I suppose it’s a bit of all of the above.
How real are the threats, and what damage could be done to a yacht? And how much can be put down to scaremongering – smooth operators cashing in on a perceived threat? Or the fear of our private life being made public, industrial espionage and the associated financial loss?
This complacency is driven by the feeling of being less vulnerable as an Apple junkie. Apple products have the advantage of running an inherently safe OS. Apple features a relatively restrictive platform and so introducing malware is not only more difficult, but also less effective because Apple’s market share is so small. To date, no viruses have been found on Macs, that being no self- replicating malware generally referred to as a virus. But just how feasible it is to introduce malware on an iPhone was clearly demonstrated with the attack on Jeff Bezos’s iPhone X.
However, it is not only software that is prone to attacks. An equally serious issue is the attack on hardware directly such as using a picocell set up close to a yacht that any roaming GSM mobile device will log into, only to reveal all mobile data and communications to an attacker before it becomes encrypted and sent off into the worldwide web. A set-up such as this is possible with off-the-shelf products for less than $400 and some IT knowledge. While it is way beyond my capabilities, there are a huge number of savvy IT technicians out there who could easily carry out an attack like this.
The threat of GPS spoofing and taking control of your navigation software and engine controls is, in my eyes, a minor one for yachts. While it might be a real consideration for commercial shipping, I feel that yachts are not really a promising target for this kind of attack.
If I discover a diesel mechanic poking around the luxury interior all alarm bells would go off. But do I know where the AV technician is wandering around the vessel while he is supposedly updating the Lutron controllers?
Christoph Schäfer
That said, I must admit to being overwhelmed by the multitude of system vulnerabilities that are just crying out to be exploited – by criminals as well as by the intelligence communities of dozens of states who feel they have an interest in knowing who is on board these yachts and what business is being conducted.
So how do I protect owners against the ignorance of their crew? How easy is it to place an expensive camera with a SD card infected with malware next to the boat, only to have one crewmember view the files on the SD card with an on- board computer, introducing malware and providing an entry point into the IT system? While firewalls can help protect us to a certain degree, onboard users, guests and crew alike have a limited understanding of cyber attacks. Phishing mails, and infected documents and websites, are becoming increasingly more sophisticated and difficult to recognise for what they are.
How do I keep track of the AV/IT technician coming onboard for the annual AV system service? Isn’t this technician potentially the biggest threat to our IT security? He spends hours hacking into the AV system, tweaking the remote-control iPads to interface with the AV system in the luxury interior. How do I monitor what he is actually doing during his days on board? Is he enabling the embedded microphone and camera of the iPad to record what is being said in the privacy of the staterooms? Is he installing a back door to the router to be able to view any file on board? Who is vetting the technicians? Their employers? How thorough is the background check they perform on their employees? How can I monitor what work they performed in their endless hours on board? If I discover a diesel mechanic poking around the luxury interior all alarm bells would go off. But do I know where the AV technician is wandering around the vessel while he is supposedly updating the Lutron controllers?
One thing is for sure: yachts are – and will remain – interesting targets for cyber attackers, whether driven by crimes such as industrial espionage or by security concerns, keeping tabs on the movements of illegal money or persons of interest to the intelligence community.
There are many people out there with an incentive to tap into the IT network of yachts, and there are no simple solutions. Each solution must be customised to a client’s specific needs and concerns. I’ve found that many owners are surprisingly nonchalant about this and are not really interested in investing an appropriate amount of money in cyber security.
As an industry, I believe we’ll have to invest heavily in education. Education of our crew and also of our owners. Jeff Bezos’s experiences of 2018 should be a wake-up call for all owners and also crew – how a seemingly harmless attachment on WhatsApp caused considerable embarrassment on an international level.