DEF CON 33 made history with its first-ever Maritime Hacking Village, bringing together hackers, engineers, and policymakers to test the resilience of autonomous vessels, port cranes, and other maritime systems.
In this Exploited: The Cyber Truth episode, host Paul Ducklin is joined by Joe Saunders and Shiv Saxena from RunSafe Security to unpack what went down in Las Vegas. From real-world exploits to the broader implications for ICS and OT security, they explore how the maritime industry is adapting to emerging threats.
The discussion covers:
- Firsthand stories from the narco sub and port crane challenges
- How maritime hacking compares to past DEF CON villages
- Why memory safety and legacy vulnerabilities are critical blind spots
- How public hacking competitions accelerate industry-wide security improvements
Whether you’re defending ports, building autonomous systems, or securing embedded devices, this conversation offers valuable takeaways on staying ahead of adversaries—before the wake-up call arrives.
Speakers:
Paul Ducklin: Paul Ducklin is a computer scientist who has been in cybersecurity since the early days of computer viruses, always at the pointy end, variously working as a specialist programmer, malware reverse-engineer, threat researcher, public speaker, and community educator.
His special skill is explaining even the most complex technical matters in plain English, blasting through the smoke-and-mirror hype that often surrounds cybersecurity topics, and helping all of us to raise the bar collectively against cyberattackers.
Joe Saunders: Joe Saunders is the founder and CEO of RunSafe Security, a pioneer in cyberhardening technology for embedded systems and industrial control systems, currently leading a team of former U.S. government cybersecurity specialists with deep knowledge of how attackers operate. With 25 years of experience in national security and cybersecurity, Joe aims to transform the field by challenging outdated assumptions and disrupting hacker economics. He has built and scaled technology for both private and public sector security needs. Joe has advised and supported multiple security companies, including Kaprica Security, Sovereign Intelligence, Distil Networks, and Analyze Corp. He founded Children’s Voice International, a non-profit aiding displaced, abandoned, and trafficked children.
Special Guest – Shiv Saxena: Shiv is a sales rep at RunSafe Security. He’s currently examining memory safety and supply chain security in medical devices, vehicles, and critical infrastructure. He is generally interested in the relationship between security and performance. Shiv has worked at security and observability companies, including Black Duck, Synopsys, and Datadog.
Episode Transcript
Exploited: The Cyber Truth, a podcast by RunSafe Security.
[Paul]
Welcome back to Exploited: The Cyber Truth. I am Paul Ducklin, and I’m joined as usual by Joe Saunders, CEO and Founder of RunSafe Security.
Hello, Joe.
[Joe]
Hello, Paul. Great to be here and excited for today’s show.
[Paul]
You and I both, because there is a secret that we don’t yet know about DEF CON 33 that our special guest, Shiv Saxena, who is a sales executive at RunSafe, Shiv is going to tell us this secret. That’s waiting for us. Shiv, maybe before we start, I’ll just remind people what we’re planning to talk about in this episode, and that is DEF CON in review, maritime hacking and beyond.
In particular, what happened at the Maritime Hacking Village. Just for our listeners, the hacking villages are a noble DEF CON conference tradition. And there have been hacking villages in the past that have taken on satellites, voting machines, medical equipment, automobiles, all of that sort of stuff. But this is the first time that the maritime industry has been put to the test.
So Shiv, tell us what was up for hacking and how successful were the experts trying to break in?
[Shiv]
Yeah, happy to. Like you said, even though this was the first time the Maritime Hacking Village had its own village, you wouldn’t have been able to tell having entered. They had a big, diverse group of challenges and experts.
You were able to hack into an autonomous sub from Havoc AI. They had a captured drug smuggling vessel, actually.
[Paul]
A narco sub?
[Shiv]
Yes.
[Paul]
Grabbed from underwater by the US Coast Guard, I believe. Yes. So here’s the question that Joe and I don’t know the answer to. Did anyone get in?
[Shiv]
Yes, yes. So a few people got into the container as well. And then there was some social engineering required to identify some of the drug smuggling.
[Paul]
So the container challenge, that was a port crane, which had come all the way from Los Angeles, I believe. If you hacked the crane, then you could get into the container. Someone actually got in, didn’t they?
Right the way into the container.
[Shiv]
Yeah, yeah.
[Paul]
And what did they find?
[Shiv]
Hannock and Spencer Beer made it in, and I believe they found a couple crates of alcohol.
[Paul]
A beer bust. So in a real world scenario, that sort of attack could have been state-sponsored actors manipulating the contents of something that had either just arrived or was just about to depart from a port. So that would be a huge risk to the supply chain, wouldn’t it, in real life?
[Shiv]
Yeah, that’s correct. I think if you follow the main megatrends in society today, all industries are becoming increasingly connected and intelligent. And while that creates a lot of growth in society and a lot of innovation, that is also a much greater surface area for attackers like those who managed to crack the code at DEF CON.
[Paul]
They got into the container. They found loads of beer, I guess. Good for them.
But what happens now? How does the world become a better place because of what they managed to do in the world’s eye? Why does this benefit the good guys rather than the bad guys going, hey, we’ll do that?
[Shiv]
In my preparation for visiting the Maritime Hacking Village, I did some studying into naval history. And I found this academic, Andrew Lambert, who has a thesis that a society, in order to become a sea power, has to massively change its culture and investments. And I think what you saw with the Maritime Hacking Village, that was a concerted effort to redirect the very cool and diverse hacking community in the West towards focusing on new intelligent infrastructure within hacking.
This is just starting to scratch the surface, getting people familiar with the idea of container ports or pump controls or autonomous subs. So I think the benefit overall to society is that we are taking this expertise and applying it to critical infrastructure that our economy functions off of. Before I started studying this just as an American millennial, my exposure to ships and maybe attacking ships came from like Pirates of the Caribbean, where you’d see Jack Sparrow and Orlando Bloom commandeering a vessel.
And back in the early 1700s, if you wanted to commandeer a vessel, that meant replacing the people who were operating propulsion weaponry, navigation with your own people.
[Paul]
Yes, it was haul alongside, fire your cannons, board, fight with cutlasses, take over the vessel in person.
[Shiv]
Exactly. But if you fast forward today, a lot of these vessels don’t have any people. All of those functions, again, propulsion, navigation, payloads, are handled by machines and computers.
So if you actually want to attack and take control of those vessels today, you need the type of offensive engineering expertise that we saw at the Maritime Hacking Village at DEF CON this year.
[Paul]
If the legitimate pilot can be remote, then the pirate pilot, whether it’s a ship or an aircraft, could be remote as well. So in amongst all of that, what was a standout conversation for you?
[Shiv]
It’s hard to say. There was a lot of different groups. You could have conversations with policymakers, people coming from naval strategy out of Penn State, and then you could also have just deep offensive engineering conversations.
Duncan Woodbury’s experience coming from hacking into automobiles, being applied to maritime vessels, was quite illuminating to me because they faced very similar challenges in terms of a disparate supply chain, increasing complexity in terms of the capabilities of these vessels. But that’s all happening at the same time as we’re seeing the West at large facing a new sort of near-peer adversary.
[Paul]
When it comes to security problems that we might consider specific to what you might call level zero of industrial control systems, the motor actuators, the valve operators, the pump switch gear, and all of that stuff, what sort of interest did you have about memory safety issues in particular, which is, I know, something that everyone at RunSafe is very, very passionate about with very good reason.
[Shiv]
Well, in terms of memory safety, I would say that it’s very important to get started today in maritime hacking because we do need to get through some of the low-hanging fruit. And a lot of that can be in really basic things like attacking network connectivity with old credentials and that type of thing. So I think what you’ll see in the beginning of these challenges is that a lot of people are focused on some of the entry-level things.
But then when it comes to the deeper controls within these embedded systems, as you start adding more chips, more compute, that’s where you’ll start finding very old systems that have been running for decades that this generation of hackers at DEF CON don’t necessarily have experience with. And those are also some of the most damaging types of exploits, most sophisticated exploits that a lot of our adversaries are skilled with. I would say from a memory safety perspective, it’s very important to invest today in deep understanding of the Singapore supply chain stack and some of that legacy code that has all these memory safety vulnerabilities in that are not quite so easy to patch.
[Paul]
So Joe, maybe I can ask you at this point, what was it that led you and RunSafe to want to sponsor the Maritime Hacking Village specifically? What brought the passion about the ships?
[Joe]
Well, I think you can tell even talking with Shiv that RunSafe is mission-focused around what are the threats that affect critical infrastructure and society, and certainly US interest and national security interest. If you add all that up and consider all those factors and then look at how much commerce is done by way of shipping and transportation-related cargo, and then you combine that with the advent of autonomous systems in general and what’s happening in South China Sea and just the geopolitical nature of it, from our perspective, it’s vitally important that we get security right for not only these kinds of vessels, but all of critical infrastructure.
And so the Maritime Hacking Village, I think a lot of people inside RunSafe Security recognize the importance of it because of its national security interest and geopolitical implications. And I love the fact that Shiv talked about the historical nature of naval power, its influence on the world, and how those that control the seas ultimately do control a lot of power in the geopolitical struggles between nations and whatnot. And so if you add all that up, like I said, it’s vitally important to have security at the forefront in today’s modern maritime industry.
[Paul]
Do you think that there is a tendency in the cybersecurity industry in general, if I could use a maritime metaphor, put up the periscope and just try and look as far forward as possible and go, oh, let’s embrace all this new technology while we’re still struggling with what I generally refer to as the sins of the past?
[Joe]
There is a pressure to think about, even with new technology, what features am I releasing? Do I have the best capability, the best differentiation on my particular vessel? Do I have the latest technology?
And so a lot of it is about what new capability do we bring? And I think in the cybersecurity realm, thinking through what the consequences of some kind of compromise or some kind of attack is also extremely important. So I almost think we need two periscopes in that sense.
One to look at what features do we need in these vessels? And the other one is what are the potential consequences if given an attack? And as we’ve seen with other security researchers, I think by virtue of bringing the Maritime Hacking Village to DEF CON with Duncan’s leadership, getting creative minds around what can be done and what can be exploited will help everyone put the proper perspective on both the consequences of an attack while balancing forward-thinking features and new product development in general.
[Shiv]
And from a maritime perspective, I don’t know that the layperson would even be familiar with the fact that we have drones that are autonomous, driving themselves through the ocean today.
[Paul]
Yes, when you hear drone, you think of something that flies. You don’t tend to think of them as ships on or below the surface that basically go to sea and maybe spend their whole working life never coming back to port.
[Shiv]
Yeah, exactly. I mean, a lot of these are solar-powered. They’re navigating themselves.
They’re communicating with satellites. They have Starlink. So I don’t think people are necessarily familiar that technology has gotten to that point in maritime strategy. And I would say it’s understandable for America and the West at large to develop these features for the capabilities that they provide. Every new innovation, every new feature that you create is another opportunity for the attacker to exploit. Not only is there an increased surface area where every line of code, every new chip that’s added to the vessel is another opportunity for a mistake or for innovation on the attacker’s side.
It also means the payoff of getting control of that vessel is higher because now you have something capable of much more.
[Paul]
So what do you say to the naysayers, and you do hear them quite frequently, who hear about things like Maritime Hacking Villages, and this was certainly a thing when voting machines were put up for hacking for the first time at DEF CON, who say, why don’t you do all this secretively? Why don’t you do all this in the back room? Because if you do the hacking publicly, then aren’t you tipping off the attackers?
How does that benefit the good guys doing this all publicly?
[Shiv]
I would go back to Andrew Lambert’s sea power states, which is that you can’t do this in secret because you need to shift the entire culture of a society to gain these capabilities. If it’s just a small group of people that no one’s ever heard about, they might be able to make some advancements, and they absolutely have, but until you actually take the entire power and workforce and put them towards a singular goal, you’re not gonna be able to compete, and you’re certainly not gonna be able to compete with China, who has a massive labor advantage in offensive cyber security, as well as entire departments dedicated to maritime strategy.
[Paul]
And they also have laws now, don’t they, that if you find, say, a zero-day bug in China, then although eventually you can disclose it and bask in the reflected glory, you’re obliged to reveal it privately to the state apparatus first. If you’re the good guys, you better be ahead because otherwise you’re going to be further and further behind, so to speak. Would you agree with that?
[Shiv]
Yeah, correct. China has a very sophisticated approach to the zero-day market that we can definitely learn from.
[Paul]
So Joe, do you think the outlook from what happened at DEF CON in particular and in the hacking villages bodes well for us this year? Do you think that it will cause, dare I say it, a sea change in the industry’s attitude towards security, particularly in autonomous or industrial control systems?
[Joe]
I can imagine that folks that participate in the Maritime Hacking Village will bring forward their enthusiasm for what they learned and what transpired there. And I do think that a majority of the industry probably needs to hear more about what the Maritime Hacking Village is about and what was accomplished there. Product manufacturers who produce these kinds of vessels can look to Shiv as an expert in this area, or at least someone who’s participated and knows a lot of the folks involved in these things and RunSafe’s role in it.
I expect Shiv’s going to have a lot of great conversations just himself, and if that represents how others will talk about their experiences at DEF CON and the Maritime Hacking Village, then the word will spread pretty quickly. In that regard, I do think there’s good hope that this will help elevate the security posture in general. And at the same time, I know these things don’t change overnight either.
It’s kind of the sustained way of thinking about these problems and really having conversations directly one-on-one with folks who are producing these devices and whose information or operations depend on them and having those kinds of conversations about the security risks and what the consequences of if a nation state attacks their device or if some kind of hacker looks to compromise a device in general. I do think it will improve security, and I think it’s a function also of all the conversations that I know RunSafe will have, Shiv will have, and all the participants, and especially Duncan, who led the Maritime Hacking Village.
[Paul]
You’re willing to go and engage with technical communities face-to-face, actually get stuck in, and not just rely on reports or papers or things that may come out six months, nine months, 12 months later. It’s a little bit more of a confronting the problem head-on, isn’t it?
[Joe]
Yeah, and I think it’s also community and engaging with like-minded people. And I think those experiences inform how you go about your work efforts going forward. I actually would welcome Shiv’s thoughts on that because I’m sure he made really good contact with people and had interesting conversations, and that’s how community is built.
DEF CON fosters that kind of environment with the Hacking Villages, and Maritime Hacking Village, I think, is an important one going forward for everybody.
[Shiv]
Yeah, DEF CON has a tremendous density and diversity of talent.
[Paul]
That’s a great way of putting it, density and diversity. There are things that you can learn there that would probably take you years to find out elsewhere if you ever found them out at all.
[Shiv]
In that one village, I spoke to people about memory safety issues. I spoke about policy concerns. I spoke about how ships work today versus a hundred years ago.
I even randomly had a conversation with someone who was focused on quantum computing for computational chemistry. I mean, it was a very diverse group of people. Wow.
And when you have the opportunity to get those people in one area, focusing on one problem, you can really shift the way society operates and our capabilities at large at an accelerated rate that you can’t necessarily get when everyone’s off doing their own thing or potentially chasing after one hype cycle. I think it’s important to build and develop institutions you want to actually progress as a society.
[Paul]
Well said. You’re a sales guy. Normally you expect salespeople to stop, oh, talking about all the deals they’re going to close and all the contacts they made.
You haven’t mentioned that at all. You’ve just spoken about the fascinating, as you say, depth and density and diversity, which is really great to hear because as Joe has said many times before, confronting your own cybersecurity weaknesses is a strength. It’s not a weakness, is it?
[Shiv]
That’s correct. And I would say a lot of people, certainly a lot of engineering orgs, can often see security as a blocker or something that gets in the way. Yes.
But I would challenge that many of the strongest engineers that I’ve met have an offensive mindset. Somebody who I look up to, Halvar Flake, said in a presentation, the attacker is the only person paid to understand the entire system. And I think when you have that level of understanding of a system, you can innovate in ways that you wouldn’t have expected.
So I would just challenge all engineering organizations to really invest in security because it can have benefits beyond just maybe some of the compliance or boring stuff that people think about.
[Paul]
Joe, I can see you on my video nodding vigorously because I know you are really passionate about not doing any sort of checkbox compliance where you just do it so you get the certificate that you can put in a frame and put on the wall. What new conversations do you think might come out of what you learned specifically from the Maritime Hacking Village? Changes in engineering operations in software development life cycle and so on.
[Joe]
Naturally, checkbox compliance doesn’t really move the needle for folks. It’s really thinking through how do I do the minimal I can? And I think one of the exciting things that Shiv brought back and mentioned about the Maritime Hacking Village is the deepness of conversation that you can have with folks.
More specifically, what I think in terms of new conversations going forward related to maritime, we definitely see that the US government is investing in Navy and investing in Indo-Pacific Navy-related assets. And a key aspect of that budget spend happens to be about autonomous vessels.
[Paul]
Yes, I think in a recent podcast, we had a guest who’d just come back from South Korea and noted that the military experts in South Korea are saying, we don’t need aircraft carriers anymore. Let’s take those billions and billions of dollars and let’s have loads of autonomous vessels that can go out and do lots more in lots of different places. That, once again, really is a sea change, pardon the pun, isn’t it?
[Joe]
It is a sea change. If you’re collecting data in and around Taiwan about the movement of vessels, about ports, or you’re detecting what happened when an underwater cable was severed, I think compromising those devices is as much about information collection as it is around disrupting an adversary and whatever their intentions might be. And so just as we saw in Ukraine, drone warfare is here.
And I think in the waterways, it’s likely the same, and then some with the information collection that’s going on.
[Paul]
So Shiv, back to you. What was the most exciting technical feedback that you heard? What was the thing that lit up your brain cells the most?
[Shiv]
Well, I got into a decent conversation about using memory corruption attacks and return oriented programming chains. And it’s interesting to hear the mindset of hackers because in one sense, a lot of them don’t necessarily want to deal with memory if they don’t have to, because it’s so complicated and you get so low level. So it was just interesting to hear the perspective that if I don’t have to do it, I don’t want to do it necessarily.
But at the same time, I recognize that it is one of the most powerful ways to actually get root access to a device. So it’s something I hear often when speaking to offensive engineers. It seems like people who are really adept at memory attacks is a subset of another subset in terms of engineers.
So I just thought it was an interesting perspective that I’ve been exploring over the past year.
[Paul]
So you mean that because you can still achieve an awful lot by social engineering attacks, guessing a password that hasn’t been changed for seven years, finding an MQTT server that was set up in a hurry and never correctly configured before it went live. I guess if that’s the way that people are getting in at the moment, there may be, unfortunately, a sort of untapped well of much lower level vulnerabilities that for all we know, state-sponsored actors may already have discovered and may be keeping in their little secret cupboard for the day when they need them sometime in the future.
[Shiv]
I agree. I think if today, a lot of maritime security might look like penetration testing of a cruise ship where you get access to the network in a few minutes, you pick a few locks and you can really do a lot of damage that way. I think we need to put the time and investment into getting to those deeper, more destructive types of exploits because the state-level actors with eight-figure, nine-figure budgets are definitely going to get them.
And until we invest in that level of capabilities, we’ll be behind.
[Paul]
You don’t need an infotainment system on a vessel that isn’t gonna have any passengers or staff. You can’t hack into it that way. So the old-school techniques suddenly come back to the fore.
[Joe]
Yeah, and I think the key is looking at what are the communications technology that’s on these devices? And then what can you do if you compromise a particular device? What can go wrong?
And if you look at, is there an attack surface available and is there a meaningful consequence that might motivate an attacker of a certain profile to go after that device, that really helps you think through what the risk scenarios are. If it is infotainment, if it is large cruise liners with lots of passengers, it may be more financially motivated or consumer data and things like that that you might be going after, or possibly even ransom going after the cruise liner itself.
[Paul]
That will certainly attract state-sponsored actors. And we know that some countries do do ransoms because it’s a way of getting foreign exchange. But when you’re at the cruise liner level, what you might call common or garden cyber criminals would find that exciting.
And who knows what they might uncover at the time and where they might choose to sell that information on.
[Joe]
Yeah, certainly. And those are the motivations. Then you look at these more military-oriented, naval-oriented systems.
The motivations behind that ultimately are to find ways to disrupt operations or to gain information that is otherwise not accessible. So it’s more about the information or the sabotage in those use cases. And perhaps even military-oriented ways to defeat an adversary and disrupt their fleet in general.
[Paul]
And perhaps to finish up, we can say something about a topic dear, in fact, to all of our hearts, because it is such a thorny matter. And a particular problem I imagine in the maritime sector, A, because it maybe hasn’t been dealt with quite as well as in some other sectors yet, and B, because of the sheer size and diversity of the maritime sector. And that is problems with the software supply chain.
How well is the maritime industry doing at the moment? What’s the room for improvement?
[Joe]
Well, I think we’re just getting started in understanding the supply chain in the software, but there’s a lot of commercial off-the-shelf components going into these autonomous systems. And so to the extent that those systems are adopting commercial off-the-shelf components, then it puts more and more pressure on the OEM, if you will, that’s bringing and assembling all those parts together to understand the security posture overall. And they will need to understand at some point the security posture of those individual components.
Unlike government build-out of big Navy fleets and ships, where there might be a deeper discipline around understanding the software supply chain and controlling those components and inspecting them, when you look to the commercial providers who are seeking the commercial off-the-shelf components for their vessels, part of their motivation is to reduce cost. And part of their motivation is to standardize what they purchase. And the more custom and the more tailored those components are, the higher the cost is.
There is an element where understanding what’s on those individual components is needed and coming up with security to solve the risk implied in those commercial off-the-shelf software components.
[Paul]
Shiv, if you think back 10 years or however long ago it was to the infamous Jeep hack, where suddenly people realize, hey, automobiles may be at risk while they’re being driven. That was a sort of wake-up call. We haven’t really had a wake-up call quite like that in the maritime sector, have we?
How do you think the maritime industry can get ahead without having to have something terrible to happen first?
[Shiv]
Well, I would say the benefits of the Jeep hacking wake-up call is that it was done in a controlled environment by white hat researchers. So I think something like that happening in the maritime sector would be beneficial because it could happen in a way that doesn’t actually harm anybody.
[Paul]
Hence the Maritime Hacking Village, right? It’s a real-world scenario, but under controlled, well regulated circumstances with responsible disclosure.
[Shiv]
Exactly, and I think that’s the explicit stated goal of the director of the hacking village, Duncan Woodbury, which is that he wants to evolve maritime hacking culture in the same way that we’ve seen the evolution in automotive security in the last 10 years. There are a lot of very similar types of CAN buses across all these things. So he even said, if you’re able to pop a zero day on some of these systems, it’ll be relevant to the entire industry.
So something like that is probably coming, I would guess, in the next year or two.
[Paul]
Oh, you mean that there might be something in the automotive supply chain that turns out to introduce exactly the same bug into the maritime supply chain in the same way that sometimes we hear about a bug in the Chrome browser, and then a month later, Apple will say, oh, by the way, we found that that same bug affected Safari. Who knew?
[Shiv]
Yeah, certainly. I mean, that’s possible. In fact, a lot of the engine makers who work in the automotive sector also build engines for maritime vessels as well.
[Paul]
Of course, yes. So Joe, will we get there?
[Joe]
Yeah, totally we’re gonna get there.
[Paul]
Good.
[Joe]
Folks like Shiv and Duncan and all the participants at the Maritime Hacking Village, there’s a community around that. We all recognize that seaports and ships and submarines and navies and autonomous vessels are more connected and they’re driven by automation and digital control and communications more so than compasses and captains and people. Obviously, we have to balance progress in features against risk in compromise, but with some of the tools that are out there with a mature software development life cycle, with a recognition that things can go wrong, with forms of exploit prevention and software available, the industry has a lot to learn from the other hacking villages and the other industries that have really invested in security.
And part of that, those lessons are to rely on proven tools that can help dramatically reduce the attack surface and build it in. I think Shiv said it well, if we incorporate it into our products as opposed to kind of wait for something to happen, the maritime industry can extend the lessons from all the other industries as well and we’ll get there faster. And I also think we’ll have to because I think conflict’s coming, competition in South China Sea or the Indo-Pacific in general is gonna set an expectation that commercial providers of autonomous systems will need to incorporate security.
So it’s better to do it now than later.
[Paul]
Absolutely. And the good news is if you do it for yourself and for your product and for your services and for your company, then you’re essentially doing it for everyone else anyway. If I can conclude by borrowing from the Air Force and applying it to the Navy, it’s very much a case of onwards and upwards.
So gentlemen, thank you so much for your passion and your very, very community focused attitude to all of this. I’m glad they got into the container and that there was a party prize inside and I hope we learn an awful lot from that. So that is a wrap for this episode of Exploited: The Cyber Truth.