As the maritime industry modernizes—from AI-powered vessels and cloud-connected ports to autonomous navigation—the cybersecurity challenges grow deeper. In this episode of Exploited: The Cyber Truth, RunSafe Security CEO Joe Saunders joins Duncan Woodbury, CEO of Liberas and Executive Director of DEF CON’s Maritime Hacking Village, to uncover the real-world risks facing global maritime infrastructure.
They explore how hackers are working with port authorities, shipping vendors, and the defense community to test vulnerabilities in unmanned watercraft, crane control systems, and mission-critical maritime software. Duncan offers a behind-the-scenes preview of DEF CON 33’s upcoming Capture the Flag and narco-vessel hacking challenges, while Joe breaks down how Secure by Design principles, SBOMs, and memory protections are crucial for long-term resilience at sea.
Whether you’re in cybersecurity, defense, or supply chain operations, this episode offers an unfiltered look into how to stay ahead of threats beneath the surface.
Speakers:
Paul Ducklin: Paul Ducklin is a computer scientist who has been in cybersecurity since the early days of computer viruses, always at the pointy end, variously working as a specialist programmer, malware reverse-engineer, threat researcher, public speaker, and community educator.
His special skill is explaining even the most complex technical matters in plain English, blasting through the smoke-and-mirror hype that often surrounds cybersecurity topics, and helping all of us to raise the bar collectively against cyberattackers.
Joe Saunders: Joe Saunders is the founder and CEO of RunSafe Security, a pioneer in cyberhardening technology for embedded systems and industrial control systems, currently leading a team of former U.S. government cybersecurity specialists with deep knowledge of how attackers operate. With 25 years of experience in national security and cybersecurity, Joe aims to transform the field by challenging outdated assumptions and disrupting hacker economics. He has built and scaled technology for both private and public sector security needs. Joe has advised and supported multiple security companies, including Kaprica Security, Sovereign Intelligence, Distil Networks, and Analyze Corp. He founded Children’s Voice International, a non-profit aiding displaced, abandoned, and trafficked children.
Guest Speaker – Duncan Woodbury – President and CEO, Liberas; Executive Director, Maritime Hacking Village
Duncan Woodbury is the co-founder, President, and CEO of Liberas, a cybersecurity company specializing in critical infrastructure protection. An expert in embedded systems security and hardware reverse engineering, he has led Liberas in providing advanced cybersecurity solutions for sectors such as energy, defense, and transportation. Duncan also serves as Executive Director of the Maritime Hacking Village and is a co-founder of the CyberBoat Challenge, reflecting his commitment to advancing security in maritime and connected vehicle domains.
Key topics discussed:
- Why maritime infrastructure is the “last dinosaur” of digital transformation
- The risks of legacy software in mission-critical systems
- How offensive security is driving rapid discovery and remediation
- Why hiding vulnerabilities only benefits your adversaries
Episode Transcript
Exploited: The Cyber Truth, a podcast by RunSafe Security.
Paul:
Welcome back to Exploited: The Cyber Truth. I’m Paul Ducklin, joined today by Joe Saunders, CEO and founder of RunSafe Security. Hello and welcome back, Joe.
Joe:
Hello, Paul. Good to be here.
Paul:
You’re looking forward to this one, aren’t you?
Joe:
The topic is great—and, of course, I really like today’s guest.
Paul:
Who is, ladies and gentlemen, Duncan Woodbury, co-founder, president, and CEO of Liberas. Welcome, Duncan.
Duncan:
Thank you. Great to be here.
Paul:
The reason we’re excited about this episode is a very special subject: “Hacked at Sea” with a subtitle of “On the Frontline of Maritime Cybersecurity.” Cue talking-like-a-pirate jokes. More than just maritime security, Duncan, you’re also in charge of the Maritime Hacking Village at DEF CON 33 in Las Vegas, August 2025—basically, the world’s biggest hacker convention. So what’s a Maritime Hacking Village?
Duncan:
DEF CON is the largest hacker conference in the world every year. It’s become the most prolific and well-known. It’s not a vendor conference—it’s definitely not RSA, and it’s not Black Hat. DEF CON is the place where the down-and-dirty hacker community comes to present real security research. There are no sponsored talks. About ten years ago, this concept of a “village” emerged—informal hacker collectives focused on bringing real-world systems from each infrastructure sector to DEF CON to hack, defend, and learn from. These include the Maritime, Car Hacking, Biohacking, Aerospace, and Voting Villages.
Paul:
Yes. And for our listeners, some of the embedded device types that have featured in the past have included everything from electronic voting machines to NASA spacecraft and satellites. What do you aim to achieve by setting hackers loose against maritime devices?
Duncan:
Let’s zoom in a bit. What we do at villages is bring people together to perform security research against real-world critical infrastructure systems. People from all over the world come to DEF CON, and yes, that makes some nervous—bringing autonomous watercraft or aerospace systems and letting anyone hack them. But doing this in the open creates two key effects. First, it helps develop a competent cybersecurity workforce—something there’s no real pipeline for, especially in maritime. Second, it encourages low-cost vulnerability research and tool development. At DEF CON, we cram as many systems onto the floor as possible and build gamified hacking challenges around them—storylines that guide participants through reverse engineering maritime systems. Our theme this year is “Digital Blockade in the Pacific.” By making it fun and interesting, we can produce powerful results in just 20 hours of conference time.
Paul:
So what are some of the top challenges you’ll be putting out?
Duncan:
It’s going to get spicy. We secured a drug smuggling vessel confiscated by the U.S. Coast Guard—people will get the chance to hack on it. We’ll have at least two unmanned surface vessels, or USVs—like drones for water. These are the future of maritime warfare and ISR (Intelligence, Surveillance, Reconnaissance). One is 11 feet, the other 14 feet, carrying various payloads. We prioritize real systems and avoid simulations—emulations are the limit. That means we take real-world systems out of their operational context and adapt them for DEF CON. We’ll also have a real crane control system donated by one of the largest ports in the Western Hemisphere. If you hack the crane control system—through a setup mirroring real-world port configurations—you’ll use it to open a real container.
Paul:
Now that sounds like a supply chain attack of a very special sort. A pick-and-place robot for full-size shipping containers, basically.
Joe:
100% right. Given how much global commerce depends on maritime routes, ports are massive targets. Disrupting these systems could have enormous economic consequences. That’s why the “Digital Blockade” theme fits so well—it’s not just a technical game. The economic implications are huge. A digital blockade in the South China Sea, for example, could result in both corporate and nation-state intelligence loss, and cause major disruption.
Paul:
Duncan, when it comes to the cyber threat landscape at sea, what are the biggest challenges and risks we haven’t yet confronted?
Duncan:
Seas are how nations and militaries project power—and how the global economy flows. Just look at the chaos from one ship stuck in the Suez Canal. Also, let’s not forget the Internet—subsea cables run the whole thing. In the U.S., 95% of GDP flows in and out of ports. A quarter of our GDP is directly tied to maritime industries, and 30 million U.S. jobs are in the sector—that’s nearly 10% of the population. Maritime infrastructure is what we call the last dinosaur. When I worked in electric power distribution, I didn’t think I’d find systems more legacy and disparate—but many maritime assets are just starting to use digital tech and automation. Spoofing and denial of GPS and AIS (automated identification systems) are big threats. Both protocols are unencrypted and unauthenticated, so anyone with a radio and a laptop can impersonate a ship or jam a GPS signal.
Paul:
Yes, even a minor GPS disruption when docking can have serious consequences.
Joe:
Exactly. And RunSafe focuses on hardening embedded software in systems that can’t easily be patched. Maritime systems are particularly vulnerable due to lack of historic cybersecurity attention. In automotive, things changed after the Jeep hack. Cybersecurity became a serious priority. But maritime hasn’t had that wake-up moment yet. There’s a ton of legacy and exposed code. What’s exciting about the Maritime Hacking Village is seeing autonomous vessels—new systems built by startups with very different development cycles and practices. They use COTS and open-source software, often without full awareness of the risks in their own code. DEF CON will teach us a lot this year.
Paul:
So there’s a whole new set of challenges with autonomous vessels. As we said in a recent podcast with Sparky Braun, some of these vessels, once launched, may never return to port in their entire working life. How do you go about securing something like that?
Duncan:
We have a lot of innovative technology, like what RunSafe builds—memory protection tech that can stop a vulnerability from compromising an entire system, even if it’s exploited. It’s a useful tool in the belt. Maritime systems are complex beasts. Nobody truly knows what’s under the hood—the PLCs, the ICS systems. And many ships haven’t had a patch since commissioning, sometimes 30–40 years ago. That creates a mess of ownership and accountability. Autonomous systems are a different story—simpler chains of accountability. That’s why we’re excited to bring them to DEF CON. We believe the vulnerability research we do on autonomous vessels will scale to larger maritime platforms.
Joe:
The development process for startups building autonomous vessels is wildly different from that of legacy manufacturers. Both can benefit from more secure software development. Established players need to increase automation and testing before deployment. Startups are racing to differentiate with advanced features, but they’re also using a lot of COTS and open source. Not inherently bad, but their faster cycles mean they also need automation and Secure by Design practices. The focus often isn’t on security—it’s on capability. That’s why runtime defenses, like memory protection, are critical. Also, generating a Software Bill of Materials helps you know what’s in your code and manage risk across the board.
Paul:
Joe, I want to go back to something Duncan said earlier—that it’s worthwhile to expose real-world systems to real hackers for the common good. A lot of people fear that kind of openness. They ask, “What if hackers find something and don’t tell me?” How do you reassure those folks?
Joe:
Well, to be cheeky, I’d say “hiding vulns sinks all ships.” If you don’t probe your systems, motivated actors will do it for you. Mature development and security practices include engaging with communities like DEF CON. You’ll benefit from the discoveries, and you’ll be better off in the long run. Vulnerabilities will be found eventually—better that you’re the one to find and fix them. If you ignore the problem, your adversaries won’t.
Paul:
And with regulations like the EU’s Cyber Resilience Act, organizations will be required to disclose vulnerabilities anyway. It’s not a matter of “if,” but “when.”
Joe:
Exactly. Most compliance programs expect timely disclosure and mitigation. If you don’t fix known issues, you’re out of compliance. The CRA requires producing a Software Bill of Materials and establishes liability if known vulnerabilities get exploited. That stick—legal and financial liability—should motivate organizations to adopt mature development and security practices.
Paul:
Duncan, how do you allow people to hack safely on something like a crane control system? You can’t have people dropping containers in a working port.
Duncan:
DEF CON is about fun first—serious second. But we don’t just let people go nuts. Everyone who wants to participate signs a hacker code of conduct. It’s legally binding and includes disclosure timelines, confidentiality, etc. If a vulnerability is found, vendors get first dibs to fix it before any public disclosure. Sometimes, the findings are never disclosed publicly at all. And in cases where a component—like a navigation system—is used across many maritime platforms, we’re especially careful with coordinated disclosure. We have strict rules.
Paul:
So we’re talking about professional white-hat hackers, not random people off the street.
Duncan:
Exactly. DEF CON is a professional hacking conference. At the Car Hacking Village years ago, we used to just rent cars from Hertz and Enterprise. We didn’t tell them why—but maritime systems aren’t quite that accessible. Even still, we enforce disclosure and confidentiality policies. For example, the crane control system we’re bringing was donated by one of the largest ports in the Western Hemisphere. We rigged it to a container for an immersive demo, but it’s not a full 100-foot ship-to-shore crane.
Paul:
So is it a full-size container?
Duncan:
It’s an 8×8-foot container. Just a few decades ago, that was the standard size. Now a 40-foot container is considered two TEUs (Twenty-foot Equivalent Units), but this one’s real—just smaller. Not LEGO. Not a toy. The real deal.
Paul:
Impressive. And what about disclosure philosophy? Is it full disclosure or responsible disclosure?
Duncan:
We’ve moved as an industry toward responsible disclosure—coordinating with vendors, giving them time to fix issues. If we find a vulnerability in, say, a Siemens or ABB crane system or a widely used navigation module, we can’t afford to hide it. We must bring these systems into the open and let people hack them. OT cybersecurity talent is in short supply, especially in maritime. We need to shift from traditional perimeter and IT security models to the reality of OT and autonomous threats. Real systems, real hacking, real impact.
Paul:
And it’s cost-effective, too, right?
Duncan:
Definitely. A commercial pen test for a system might cost $250k to $1M and uncover a few high-severity issues. Last year, at the Biohacking Village, a vendor brought a $3.5M surgical robot and walked away with 49 high and critical severity vulnerabilities in 20 hours. That doesn’t replace professional testing, but it’s an incredibly valuable complement—quickly highlighting priority areas to fix.
Paul:
So if someone’s going to be in Vegas, can they just come and watch?
Duncan:
Absolutely. The Maritime Hacking Village is for everyone—not just hackers. We need people with maritime expertise, OT engineers, policy folks, network engineers, and more. There’s something for everyone—technical talks, policy talks, workshops, newbie challenges. Even if you’ve never written an exploit before, you’ll find people to help you learn.
Paul:
And no need to talk like a pirate.
Duncan:
You can just come and learn.
Paul:
Joe, to wrap us up: What would you say to product manufacturers in the maritime sector who’ve taken a more traditional or compliance-based approach—what can they do now to improve their cybersecurity?
Joe:
Start by getting a baseline—do penetration testing, and consider participating in something like the Maritime Hacking Village. Use secure development frameworks. Embrace Secure by Design practices. Generate a Software Bill of Materials, scan your software, and close the loop on vulnerability remediation. Use runtime defenses like memory protection. Then look at your tooling—use automated tools and upgrade your CI/CD (Continuous Integration/Continuous Deployment) pipelines. If you rely on manual testing, your development process slows dramatically. The more you automate, the more resilient and agile you become.
Paul:
Yes, CI/CD means don’t wait months to test—build security into every step. Don’t retroactively fix things. Fix them as you go.
Joe:
Exactly. And Duncan makes a great case: participating in the village can give you real insights. If you contribute your tech, you’ll benefit from the community’s research. At the very least, observe this year, get a sense of what needs to change, and then maybe contribute tech next year.
Paul:
Indeed. Confronting your weaknesses is not weakness—it’s strength. Otherwise, someone else will confront them for you. Duncan, when and where can people visit the Maritime Hacking Village?
Duncan:
DEF CON is our biggest event—it’s in Las Vegas at the Convention Center. The village will be open August 8th–10th. Your DEF CON badge gets you access to all the villages. But we’re global too—we’ll likely be at Code Blue in Tokyo (November), a NATO summit in Crete (September), possibly BruCON (September), and DistroCon Year One in January. DEF CON isn’t the only chance to see us.
Paul:
Excellent. Gentlemen, thank you for your passion, your fun, and your serious commitment to making the maritime world a cyber safer place. That’s a wrap for this episode of Exploited: The Cyber Truth. If you enjoyed the podcast, please subscribe, share, and tell your team about us. Stay ahead of the threat. See you next time.