Hacker Demonstrates Attack on Superyacht IT Systems

The White Rose, which served as a testbed for GPS spoofing in 2013 (Yacht Harbour)

Published May 17, 2017 4:14 PM by The Maritime Executive

The recent worldwide ransomware attack on Windows-based computer systems has brought new awareness to the serious threat of hacking to corporate and government operations. For years, maritime agencies and industry groups have warned that this danger does not end at the water’s edge. Earlier this month, a cybercrime specialist working for the mobile device company demonstrated the vulnerabilities of a superyacht's IT systems, using a boat's WiFi connection to gain control of many vital functions – including navigation and the onboard CCTV.  

“We had control of the satellite communications,” said Murray, speaking to the Guardian earlier this month. “We had control of the telephone system, the Wi-Fi, the navigation . . . And we could wipe the data to erase any evidence of what we had done.” Murray and his team gained access to the yacht's systems within 30 minutes.

The key vulnerability was the high-power WiFi router. "Owners like to have strong WiFi . . . But this means that the network extends quite far from the actual ship to other vessels and the shore," Murray said. 

Murray demonstrated his team's results at the Superyacht Investor London conference, a gathering of yacht yards and yacht market lenders. Experts at the conference told the Guardian that hacking of yacht systems is a very real problem – especially for the collection of compromising photos of high-profile owners and guests. There are simpler vulnerabilities, too: if anyone on board discloses the ship's position by means of social media, extortionists can dispatch photographers to collect images from shore or from another vessel. 

GPS spoofing presents another maritime cyber challenge – not just for yacht owners, but for merchant shipping as well. In 2013, college students and researchers from UT Austin managed to divert the yacht White Rose (exname White Rose of Drachs) with a spoofing device, without setting off alarms or raising the suspicions of the bridge team. When they transmitted a fake signal to the yacht's GPS antenna, the chart plotter on the bridge showed that the vessel had drifted "off course." The crew altered the yacht's heading to compensate. In actuality, they were turning the vessel off its intended course because their GPS showed a false, offset position (below).