{"id":6263,"date":"2025-12-18T04:05:25","date_gmt":"2025-12-18T04:05:25","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=6263"},"modified":"2025-12-18T04:05:25","modified_gmt":"2025-12-18T04:05:25","slug":"raspberry-pi-used-in-attempt-to-take-over-ferry","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=6263","title":{"rendered":"Raspberry Pi used in attempt to take over ferry"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>A recent attack on a ferry, in which an attacker reportedly plugged a tiny computer called a <a href=\"https:\/\/www.raspberrypi.com\/\" target=\"_blank\" rel=\"noopener\">Raspberry Pi<\/a> into the network in an attempt to break into the vessel\u2019s operations, offers an important lesson for enterprise CISOs: one analyst estimates that half of all enterprises cut too many corners on device security to have withstood the same attack on their own premises.<\/p>\n<p>The ferry was \u201cimmobilized Saturday in the southern French port of S\u00e8te as it prepared to sail to Algeria\u201d because of the attack attempt, according to <a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2025-12-16\/passenger-ferry-held-for-hours-after-suspected-russian-hack\" target=\"_blank\" rel=\"noopener\">a report from Bloomberg<\/a>. The Raspberry Pi device \u201cwas paired with a cellular modem, enabling remote access to the ferry\u2019s internal computer network and external connections.\u201d<\/p>\n<p>The good news, the story said, was that the attempt was contained by the vessel\u2019s network architecture rather than by any procedure carried out after the fact. 
\u201cInvestigators said segregation between office and operational networks, along with the absence of remote access to critical controls, prevented lateral movement and ruled out sabotage or hijacking scenarios.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Enterprise controls \u2018watching the wrong roads\u2019<\/h2>\n<p>The question for enterprise cybersecurity executives is how well their land-based buildings \u2014 offices, stores, gas stations, bank branches, manufacturing facilities, and so forth \u2014 would have held up under a similar physical attack. Analysts and other security experts were not optimistic about how they would have fared.<\/p>\n<p>\u201cMost enterprise security programs are still built for the wrong kind of intruder. They are built for the person who breaks in, not the person who walks in. And the rogue device story is the clearest signal of that shift,\u201d said <a href=\"https:\/\/greyhoundresearch.com\/svg\/\" target=\"_blank\" rel=\"noopener\">Sanchit Vir Gogia<\/a>, the chief analyst at Greyhound Research. \u201cA Raspberry Pi class device with a cellular modem is not just a clever gadget, it is a way to create a new perimeter from inside your building.\u201d<\/p>\n<p>He pointed out that an attacker \u201cdoes not have to fight your firewalls if they can step around them. They do not need to beat your VPN if they can bring their own internet connection into your wiring closet. That is the part that should keep CISOs awake, because it means a lot of the controls we celebrate are watching the wrong roads. If the traffic leaves through cellular, it does not cross your monitored gateways. 
Your SOC can be doing everything right and will still see nothing.\u201d<\/p>\n<p><a href=\"https:\/\/www.infotech.com\/profiles\/fred-chagnon\" target=\"_blank\" rel=\"noopener\">Fred Chagnon<\/a>, principal research director at Info-Tech Research Group, agreed with Gogia\u2019s concerns.<\/p>\n<p>\u201cMost offices have dozens of live Ethernet ports in lobbies, under conference tables, and in hallways. These should be administratively disabled at the switch level by default. A port should only be activated when a specific, authorized MAC address is verified via 802.1X authentication,\u201d Chagnon said.<\/p>\n<p>He added, \u201cModern threat actors use MAC spoofing to make a Raspberry Pi look like a legitimate VoIP phone or printer. CISOs should invest in tools, like Sepio or advanced NACs, that perform physical-layer fingerprinting. These tools analyze the electrical and timing characteristics of the hardware to detect if a \u2018printer\u2019 is actually a Linux-based implant.\u201d<\/p>\n<p>Chagnon also encouraged extensive use of port locks that require a key, and some type of tamper-evident tape over chassis and ports. \u201cSecurity sweeps should include looking for extra wires, unauthorized USB hubs, or small boxes that don\u2019t match the asset inventory,\u201d he added. \u201cIf a door to a restricted area is opened and a new, unknown device simultaneously appears on that local switch, the SOC should receive a high-priority correlated alert.\u201d<\/p>\n<p>Forrester Senior Analyst <a href=\"https:\/\/www.forrester.com\/analyst-bio\/paddy-harrington\/BIO18204\" target=\"_blank\" rel=\"noopener\">Paddy Harrington<\/a> said that many enterprise security executives \u201cforget how susceptible these things are to attack\u201d and specifically pointed to IoT and OT devices as prime targets. 
Too many security people, Harrington said, focus on what shadow devices such as fitness trackers are supposed to do rather than on the access such a device could gain as the foothold for a backdoor attack.<\/p>\n<p>\u201cYou shouldn\u2019t be able to walk up to an Ethernet port and plug in anything. That device needs to be authenticated,\u201d Harrington said, adding that he estimates that 50% of all enterprises cut too many corners on device security. \u201cWhy should any IoT lightbulbs have access to financial data?\u201d he asked.<\/p>\n<p>When he confronts enterprise security leaders on physical security, he said, he gets pushback. For example, in a recent discussion about network segmentation, one executive told him, \u201cTo segment our environment to that degree is going to take a lot of time and effort, and we are redirecting our money elsewhere.\u201d<\/p>\n<p>Harrington said, \u201cI\u2019m sorry, but that is a poor excuse.\u201d<\/p>\n<p>However, one security executive, <a href=\"https:\/\/www.linkedin.com\/in\/fvillanustre\/\" target=\"_blank\" rel=\"noopener\">Flavio Villanustre<\/a>, CISO for the LexisNexis Risk Solutions Group, said that these types of physical attacks can be challenging to block.<\/p>\n<p>\u201cThe proliferation of inexpensive and very capable single-board computers such as the Raspberry Pi has made this problem much harder. Intrusion detection in the network should have detected behavioral anomalies, but that\u2019s easier said than done if you have a large complex network and the Raspberry Pi looks like just another normal IoT device,\u201d Villanustre pointed out. 
\u201cAnd this is assuming that it was even connected to the network, rather than [to] some ancient serial bus in the ship\u2019s control systems.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Proceed with caution<\/h2>\n<p>Villanustre encouraged anyone discovering such a device to proceed cautiously.<\/p>\n<p>\u201cDisconnecting the device could result in losing important forensic information if not careful. It\u2019s not too hard to equip the device with a tiny battery or supercapacitor that would give it enough time to wipe itself out if disconnected from the network or somehow tampered with,\u201d Villanustre said. \u201cTrying to send false information is even harder, because you would need to identify the protocols used by the device to know what to send. A bigger concern is if the device is connected to perhaps another device in the ship and could trigger a damaging action if tampered with. It could even detonate explosives.\u201d<\/p>\n<p>Whisper Security CEO <a href=\"https:\/\/www.linkedin.com\/in\/kakooch\" target=\"_blank\" rel=\"noopener\">Kaveh Ranjibar<\/a> added that his advice for dealing with this kind of physical discovery is \u201cimmediate isolation and forensic analysis, but with one critical step before physical removal: map the blast radius. Before you pull the plug, capture the device\u2019s network traffic. Who is it talking to? What domains is it querying?\u201d<\/p>\n<p>\u201cUsing infrastructure intelligence, you can often attribute the actor based on the neighborhood of the command-and-control servers they use, allowing you to understand if this is a script kiddie or a GRU operation before you touch the hardware,\u201d Ranjibar said.<\/p>\n<p>Ranjibar said that when such devices phone home, they may reveal a lot of usable information.<\/p>\n<p>\u201cA rogue device like a Raspberry Pi, even with a cellular modem, isn\u2019t invisible. It has to phone home to receive commands or exfiltrate data. 
It creates an infrastructure footprint: a new IP address, a DNS resolution or a connection to a specific Autonomous System Number (ASN),\u201d Ranjibar said. <\/p>\n<p>\u201cCISOs need to move beyond just monitoring their internal LAN,\u201d he added. \u201cThey need continuous external infrastructure monitoring. If a device on your vessel or in your building starts communicating with a network block known for hosting state-sponsored malware, or if a new shadow asset appears on your perimeter, that is your tripwire. You might not catch the person planting the device, but you should instantly catch the device when it connects to the internet.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A recent attack on a ferry, in which an attacker reportedly plugged a tiny computer called a Raspberry Pi into the network in an attempt to break into the vessel\u2019s operations, offers an important lesson for enterprise CISOs: one analyst estimated that half of all enterprises would likely be compromised by the same attack on 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":6264,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6263","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6263"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6263"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6263\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/6264"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6263"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6263"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6263"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
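Added example, not part of the article above or of any product it mentions: the correlated alert Chagnon describes (a door to a restricted area opens, and shortly afterwards an unknown device appears on the local switch) written as a small detection rule in Python. It runs over constructed badge-reader and switch log lines and a constructed port-to-asset inventory; the switch and port names, MAC addresses, badge IDs, room names and the five-minute window are all assumptions. One caveat on the 802.1X remark: 802.1X authenticates a supplicant's credentials (a certificate or password carried in EAP), whereas a MAC-only check is MAC Authentication Bypass, which is exactly what the MAC spoofing he describes defeats. The rule therefore does not trust the MAC alone: an inventory MAC that is re-learned on a port right after a link flap inside the door window is flagged as a possible device swap, and the OUIs registered to the Raspberry Pi Foundation and Raspberry Pi Trading (B8:27:EB, DC:A6:32, E4:5F:01) are treated only as supporting evidence, never as the trigger.

```python
"""Correlate door-open events with MACs learned on the switch in the same room.

Added example: the log lines, inventory, MACs and window below are constructed,
not data from the article or from any vendor product.
"""
import re
from datetime import datetime, timedelta

# Constructed inventory (assumed format): switch -> (room, {port: (expected MAC, asset)}).
INVENTORY = {
    "sw-idf3": ("IDF-3", {
        "Gi1/0/12": ("00:1b:d5:12:34:56", "printer PRN-3F"),
        "Gi1/0/03": ("00:04:f2:9a:bc:de", "VoIP phone x3301"),
    }),
}

# OUIs registered to Raspberry Pi Foundation / Raspberry Pi Trading. Supporting
# evidence only: a MAC is trivially spoofed, so a "clean" OUI proves nothing.
RPI_OUIS = {"b8:27:eb", "dc:a6:32", "e4:5f:01"}

DOOR_WINDOW = timedelta(minutes=5)  # assumed: how long after a door opening we stay suspicious

# Constructed syslog-style lines (assumed format): "<ts> <source> key=value ...".
# Badge events carry door=<room>; switch events carry port= and event=.
LOG = """\
2025-12-13T02:14:03Z badge-ctl door=IDF-3 event=OPEN badge=4471
2025-12-13T02:14:41Z sw-idf3 port=Gi1/0/12 event=LINK_DOWN
2025-12-13T02:15:02Z sw-idf3 port=Gi1/0/12 event=LINK_UP
2025-12-13T02:15:05Z sw-idf3 port=Gi1/0/12 event=MAC_LEARN mac=00:1b:d5:12:34:56
2025-12-13T02:15:07Z sw-idf3 port=Gi1/0/07 event=MAC_LEARN mac=b8:27:eb:aa:bb:cc
2025-12-13T09:02:11Z sw-idf3 port=Gi1/0/03 event=MAC_LEARN mac=00:04:f2:9a:bc:de
2025-12-13T09:30:44Z sw-idf3 port=Gi1/0/22 event=MAC_LEARN mac=3c:5a:b4:11:22:33
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")


def parse(log):
    """Yield (timestamp, source, {key: value}) for every well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(kv.split("=", 1) for kv in m.group(3).split())
        yield ts, m.group(2), fields


def correlate(log, inventory=INVENTORY, window=DOOR_WINDOW):
    """Return one alert per MAC_LEARN that is not explained by the inventory.

    Severity is "high" when a door in the switch's room opened within `window`
    before the MAC was learned, "medium" otherwise.
    """
    events = list(parse(log))
    doors = [(ts, f["door"]) for ts, _, f in events
             if "door" in f and f.get("event") == "OPEN"]
    came_up = set()  # (switch, port) seen LINK_UP and not yet followed by a MAC_LEARN
    alerts = []
    for ts, src, f in events:
        if src not in inventory:
            continue
        room, ports = inventory[src]
        port, ev = f.get("port"), f.get("event")
        if ev == "LINK_UP":
            came_up.add((src, port))
            continue
        if ev != "MAC_LEARN":
            continue
        mac = f["mac"].lower()
        recent_door = any(room == d and timedelta(0) <= ts - dts <= window for dts, d in doors)
        expected = ports.get(port)
        known = expected is not None and expected[0] == mac
        swapped = known and (src, port) in came_up  # right MAC, but the link just flapped
        came_up.discard((src, port))
        if known and not swapped:
            continue  # inventory device, no flap: nothing to raise
        reason = ("known MAC re-learned after link flap (possible device swap)" if swapped
                  else "MAC not in asset inventory")
        if mac[:8] in RPI_OUIS:
            reason += "; OUI registered to Raspberry Pi"
        alerts.append({"time": ts.isoformat(), "switch": src, "port": port, "mac": mac,
                       "room": room, "door_open": recent_door,
                       "severity": "high" if recent_door else "medium", "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in correlate(LOG):
        print(a["severity"].upper(), a["switch"], a["port"], a["mac"], "-", a["reason"])
```

On the constructed log the rule raises two high-severity alerts inside the door window (the printer port whose MAC reappears after a flap, and an unknown Raspberry Pi OUI on a spare port), one medium alert for an unknown MAC hours later with no door event, and nothing for the phone that simply re-registers. In a real deployment the door events would come from the access-control system and the switch events from 802.1X or MAC-table syslog, and the inventory from the CMDB; the join logic is the same.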
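Added example, not code from the article or from Whisper Security: the blast-radius step Ranjibar describes (capture what the device talks to before pulling it, then check the destinations against infrastructure intelligence) as a Python pass over constructed flow and DNS records, enriched against a constructed watchlist of network blocks with their ASNs. The addresses (TEST-NET documentation ranges), domain, ASN numbers and labels are assumptions standing in for whatever a real threat-intelligence feed supplies. One caveat the quotes leave implicit: if the implant phones home over its own cellular modem, that traffic never touches the victim's LAN, so a capture on the wired side shows the lateral activity (scans, internal connections) but not the command-and-control footprint, which is observable only on the device itself or at the carrier.

```python
"""Map the blast radius of a suspected rogue device from its captured traffic.

Added example with constructed records: TEST-NET addresses, an invented domain and
an invented ASN watchlist, none of it from the article.
"""
import ipaddress
from collections import Counter, defaultdict

DEVICE_IP = "10.20.4.77"  # assumed: the address the rogue device obtained on the LAN

# RFC 1918 space; anything the device reaches here is lateral movement, not egress.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed watchlist: network block -> (ASN, label). A real one comes from a TI feed.
WATCHLIST = {
    "203.0.113.0/24": (64496, "hosting block previously linked to implant C2"),
    "198.51.100.0/25": (64497, "bulletproof hoster"),
}
NETS = [(ipaddress.ip_network(n), asn, label) for n, (asn, label) in WATCHLIST.items()]

# Constructed capture summary, one record per line (assumed format):
#   dns  <src> <resolver> <qname> <answer>
#   flow <src> <dst>:<dport> <proto> <bytes>
CAPTURE = """\
dns  10.20.4.77 10.20.0.5 upd.cdn-metrics.example 203.0.113.45
flow 10.20.4.77 203.0.113.45:443 tcp 18240
flow 10.20.4.77 10.20.4.1:22 tcp 310
flow 10.20.4.77 10.20.4.15:445 tcp 1420
flow 10.20.4.77 10.20.4.16:445 tcp 1420
flow 10.20.4.77 10.20.4.17:445 tcp 0
flow 10.20.4.77 198.51.100.9:8443 tcp 92000
flow 10.20.4.77 192.0.2.10:123 udp 76
flow 10.20.0.5 10.20.4.77:53 udp 140
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def lookup(ip):
    """Longest-prefix match of ip against the watchlist; None when not listed."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, asn, label) for net, asn, label in NETS if addr in net]
    return max(hits)[1:] if hits else None


def blast_radius(capture, device_ip=DEVICE_IP):
    """Summarise where the device reached: internal hosts, external destinations, domains."""
    lateral = Counter()          # internal dst -> number of flows
    egress = {}                  # external dst -> {"ports", "bytes", "asn", "label"}
    domains = defaultdict(set)   # queried name -> resolved addresses
    for line in capture.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[1] != device_ip:
            continue  # malformed, or traffic the device merely received
        if parts[0] == "dns":
            domains[parts[3]].add(parts[4])
            continue
        dst, port = parts[2].rsplit(":", 1)
        if is_internal(dst):
            lateral[dst] += 1
            continue
        rec = egress.setdefault(dst, {"ports": set(), "bytes": 0, "asn": None, "label": None})
        rec["ports"].add(int(port))
        rec["bytes"] += int(parts[4])
        hit = lookup(dst)
        if hit:
            rec["asn"], rec["label"] = hit
    flagged = sorted(d for d, r in egress.items() if r["asn"] is not None)
    c2_domains = sorted(q for q, addrs in domains.items() if addrs & set(flagged))
    return {"lateral": dict(lateral), "egress": egress, "domains": dict(domains),
            "flagged": flagged, "c2_domains": c2_domains}


if __name__ == "__main__":
    r = blast_radius(CAPTURE)
    print("internal hosts touched:", sorted(r["lateral"]))
    print("domains resolving to flagged infrastructure:", r["c2_domains"])
    for dst in r["flagged"]:
        e = r["egress"][dst]
        print(f"FLAGGED {dst} AS{e['asn']} ({e['label']}) ports={sorted(e['ports'])} bytes={e['bytes']}")
```

The output answers Ranjibar's three questions in order: which internal hosts the device touched (here an SMB sweep of three neighbours and an SSH attempt on the gateway), which external blocks it spoke to and whether their ASN is on the watchlist, and which queried names resolved into that infrastructure. The NTP flow to an unlisted address stays in the egress table unflagged, so the analyst sees everything the device reached, not just the matches.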