
Sinking container ships by hacking load plan software - QAPereo
https://www.pentestpartners.com/security-blog/sinking-container-ships-by-hacking-load-plan-software/
======
acrooks
I work at a company
([https://www.stage3systems.com](https://www.stage3systems.com)) that builds
software for the marine shipping industry.

Currently we are expanding one of our products for a large container ship
owner so we can import these loading condition files into the product for both
long-term analysis and also short-term alerting. Once this project is
complete, a fleet superintendent will be able to set up alerts so that they
get a push notification when we calculate that a load is risky or unbalanced.
Hopefully this sort of thing will add an extra layer of validation before a
ship sails from port.

Fortunately, for our customer, they build quite robust ships and do not skimp
on cost. But due to the economics of shipping right now, a number of owners in
the world cut costs wherever they can. This includes reducing the amount of
steel used in critical support beams which could increase the risk of a vessel
breaking in half [1]. Sadly this makes a hack like this even more risky,
because the combination of marginal errors, bad weather and a frail ship could
be more than enough to cause a big problem.

[1]
[https://en.wikipedia.org/wiki/MOL_Comfort](https://en.wikipedia.org/wiki/MOL_Comfort)

------
Nokinside
It's possible to cut the ship in half in port if the ship is loaded or
unloaded in the wrong order. Each cargo hold must be filled evenly. Filling
one hold first and leaving others empty bends the ship and breaks it.

I have seen a picture of a broken bulk carrier in the Rotterdam harbor when the
loadmaster made an error.

~~~
nradov
Yes that can definitely happen. I went scuba diving on the Eurobulker X
shipwreck in Greece. It was a bulk freighter that broke amidship and sank
because the three holds weren't loaded evenly. (Some of the locals suspect it
was done intentionally as insurance fraud.)

[http://www.iefimerida.gr/news/229327/nayagio-toy-eurobulker-...](http://www.iefimerida.gr/news/229327/nayagio-toy-eurobulker-x-fortigo-ploio-poy-kopike-sta-dyo-exo-apo-ti-halkida-eikones)

------
wyldfire
<Chuckle> -- with all of the containerization metaphors these days I assumed
"container ships" was just some logical collection of containers. Heck, the
docker logo uses these same shipping containers.

------
derwiki
Vaguely reminds me of the virus in the movie _Hackers_.

~~~
rubyfan
I immediately thought that from the title.

“The little boat flipped over.”

[https://getyarn.io/yarn-clip/552a53c2-894a-4b79-bcf1-e9eadfb...](https://getyarn.io/yarn-clip/552a53c2-894a-4b79-bcf1-e9eadfb9d2e5)

~~~
Terr_
"Well, the front fell off."

[https://www.youtube.com/watch?v=3m5qxZm_JqM](https://www.youtube.com/watch?v=3m5qxZm_JqM)

------
supahfly_remix
I don't have enough domain knowledge to provide a reality check, but wouldn't
the ship or loading staff notice something isn't correct and stop the load?
It's not like these systems have never had bugs and should be trusted
wholeheartedly.

Pentest companies like to put up bogeymen to scare people into using their
services.

~~~
danielvf
Simply making it so that heavy containers go high and light ones low would
likely not affect the ship until it hits bad weather. The load is still
centered on the ship at the dock, so it would not list. The total weight is
still correct, so the ship is the right depth in the water.

However, the loading crew might not even notice a modest list. The EL FARO,
while loading before its fatal trip into a hurricane, had a bit of a list. The
loading crew didn’t notice, but someone else at the port took a photo[1],
emailed it to the relevant people, and got it fixed.

[1] [http://3kbo302xo3lg2i1rj8450xje.wpengine.netdna-cdn.com/wp-c...](http://3kbo302xo3lg2i1rj8450xje.wpengine.netdna-cdn.com/wp-content/uploads/2017/10/EL-Faro-Final-photo.jpg)

~~~
dzhiurgis
Isn't there a watch on the ship to monitor the key information at pretty much
any time? I think most ships over 30 meters or so have constant staff there.

Plus there must be a checklist when departing, ship balance info, etc.

------
kwillets
This is essentially what capsized the Sewol and killed hundreds of people.

It can be detected with empirical tests however. Almost every ship should
right itself from a roll within ten seconds or so, so anyone with a stopwatch
can detect misloading. There are monitors that measure this continuously as
well.

At one point I was thinking of making a phone app for this, so that ferry
passengers could check stability themselves.

~~~
mordechai9000
Just to make sure I understand - are you saying that on a properly loaded
ship, no more than ten seconds should pass between the deck going out of level
and then returning to level? Does it matter if it's rolling side to side, or
front to back?

~~~
kwillets
Side-to-side. There's a certain design range where it's not too fast and not
too slow, and some inspectors check for it.

[https://en.wikipedia.org/wiki/Metacentric_height#GM_and_roll...](https://en.wikipedia.org/wiki/Metacentric_height#GM_and_rolling_period)

Also, there's random motion that may look like roll when it's the sea surface
that's showing the motion, so there are methods to filter that out and extract
the actual rolling period.
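
The stopwatch check above, done on a recorded roll signal (added example code, not from the thread): it smooths out the short-period sea-surface motion, picks the rolling period from the autocorrelation inside a plausible window, and converts it to a rough GM through T = 2πk/√(g·GM). The roll record is constructed; the beam, the k ≈ 0.4·B rule and the acceptable GM band are assumptions.

```python
# Added example, not from the thread: estimate a ship's natural rolling period
# from a noisy roll-angle record (the stopwatch check done on data), then turn it
# into a rough GM estimate via T = 2*pi*k / sqrt(g*GM). The record is constructed;
# the beam, k ~ 0.4*B and the GM band are assumptions, not values from the thread.
import math
import random

G = 9.81
BEAM_M = 32.0            # assumed beam of the ship being checked
GM_BAND_M = (0.5, 3.0)   # assumed acceptable GM range; the real one is per ship
DT_S = 0.2               # sample interval of the constructed record

def constructed_roll_record(seconds=240.0, seed=7):
    """Roll angle in degrees: a 20 s natural roll plus sea-surface motion and noise."""
    rng = random.Random(seed)
    out = []
    for i in range(int(seconds / DT_S)):
        t = i * DT_S
        roll = 5.0 * math.cos(2 * math.pi * t / 20.0) * math.exp(-t / 400.0)
        sea = 1.0 * math.sin(2 * math.pi * t / 3.8 + 0.7)  # wave motion, not the ship's roll
        out.append(roll + sea + rng.gauss(0.0, 0.8))
    return out

def rolling_period(samples, t_min=5.0, t_max=30.0, smooth_s=3.0):
    """Smooth away short-period sea motion, then pick the autocorrelation lag
    that matches best inside the plausible roll-period window."""
    mean = sum(samples) / len(samples)
    x = [s - mean for s in samples]
    w = max(1, int(smooth_s / DT_S))
    x = [sum(x[i:i + w]) / w for i in range(len(x) - w + 1)]  # moving average
    n = len(x)
    best_lag, best = 0, -math.inf
    for lag in range(int(t_min / DT_S), int(t_max / DT_S) + 1):
        r = sum(x[i] * x[i + lag] for i in range(n - lag)) / (n - lag)
        if r > best:
            best_lag, best = lag, r
    return best_lag * DT_S

def gm_from_period(period_s, beam_m=BEAM_M):
    """GM from T = 2*pi*k/sqrt(g*GM), with the rough rule k = 0.4*B (assumption)."""
    return (2 * math.pi * 0.4 * beam_m / period_s) ** 2 / G

def stability_check(samples):
    """Period, GM estimate and a verdict against the assumed GM band."""
    t = rolling_period(samples)
    gm = gm_from_period(t)
    lo, hi = GM_BAND_M
    verdict = "tender (rolls too slowly)" if gm < lo else "stiff (rolls too fast)" if gm > hi else "ok"
    return {"period_s": t, "gm_m": gm, "verdict": verdict}
```

Calling `stability_check(constructed_roll_record())` recovers a period close to 20 s despite the 3.8 s wave component and the noise; on a real ship the beam and the GM band must come from its own documents.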

------
oasisbob
First thought is that this would be a fun situation for the Underhanded C
Contest, but it seems rather similar to the 2009 scenario:

[http://www.underhanded-c.org/_page_id_22.html](http://www.underhanded-c.org/_page_id_22.html)

------
siculars
Isn't there verifying load software built in on the dock? The crane lifts the
box so it knows how much it weighs and it also knows where it put it. How is
there not a 3D map of load distribution at the time the ship is loaded and
before it sails?

~~~
nraynaud
There are sensors for the attitude of the boat.

------
mbell
So the real life Da Vinci virus?

------
NicoJuicy
Similar to this, since I'm in ecommerce: does anyone know of "load plan
software" for packages?

Given the height, width and depth of every product and the package dimensions
available?

~~~
provost
It's interesting that the lack of this data was one of the failure points for
Target's $4.4 billion USD Canadian expansion that ended in failure. It's a
really interesting story [0].

> A team assigned to investigate the problem discovered an astounding number
> of errors. Product dimensions would be in inches, not centimetres or entered
> in the wrong order: width by height by length, instead of, say, length by
> width by height. Sometimes the wrong currency was used. Item descriptions
> were vague. Important information was missing. There were myriad typos. “You
> name it, it was wrong,” says a former employee. “It was a disaster.”

> Getting the details from suppliers largely fell on the young merchandising
> assistants. In the industry, information from vendors is notoriously
> unreliable, but merchandising assistants were often not experienced enough
> to challenge vendors on the accuracy of the product information they
> provided.

> The investigative team estimated information in the system was accurate
> about 30% of the time.

[0] Source: [http://www.macleans.ca/economy/business/what-really-happened...](http://www.macleans.ca/economy/business/what-really-happened-at-target-canada-the-retailers-last-days/)

~~~
PakG1
Quality of data is probably one of the saddest reasons why systems can be
unreliable and bad decisions can be easily made in many organizations that
aren't technically oriented. It's the biggest reason why I think data analysis
logic and/or data modeling should somehow be incorporated into public high
school curriculum plans. Systems will work better when the people who use them
have a better appreciation for caring about the quality of their data and also
the nature of data relationships in databases. This is completely separate
from the concepts taught in programming classes, but of course related.

Better understanding of the nature of data -> better data -> more useful
systems -> better business decisions -> better business performance. I see too
many people get frustrated and make poor decisions because they are unable to
comprehend the nature of data. Productivity would soar if people understood
how to model and take care of data. It's only one aspect of a complex issue,
of course. Good UI, system uptime reliability, and so many other things also
matter for whether an organization gets everything it really needs from a
system.

------
senectus1
I work for a company that loads dirt (yeah ok "Iron Ore") on capesize
ships...

Filling the ships up is done with heavy consultation from the ship's captain
and often isn't as obvious and simple as one (layman) might expect.

Hacking the process is definitely a concern, something we care about quite
seriously.

