For the past year, security researchers have been urging the global shipping industry to shore up their cyber defenses after a spate of cargo thefts were linked to hackers. The researchers say they have seen elaborate hacks targeting logistics companies to hijack and redirect large amounts of their customers’ products into the hands of criminals, in what has become an alarming collusion between hackers and real-life organized crime gangs.
A delivery truck of stolen vapes here, a suspected lobster heist there.
One little-known and critical U.S. shipping tech company has spent the last few months patching its own systems following the discovery of a raft of simple vulnerabilities, which inadvertently left the doors to its shipping platform wide open to anyone on the internet.
The company is Bluspark Global, a New York-based firm whose shipping and supply chain platform, Bluvoyix, allows hundreds of big companies to transport their products and track their cargo as it travels across the globe. While Bluspark may not be a household name, the company helps to power a large slice of worldwide freight shipments, including retail giants, grocery stores, furniture makers, and more. The company’s software is also used by several other companies affiliated with Bluspark.
Bluspark told TechCrunch this week that its security issues are now resolved. The company fixed five flaws in its platform, including the use of plaintext passwords by employees and customers, and the ability to remotely access and interact with Bluvoyix’s shipping software. The flaws exposed access to all of the customer’s data, including their shipment records, dating back decades.
But for security researcher Eaton Zveare, who uncovered the vulnerabilities in Bluspark’s systems back in October, alerting the company to the security flaws took longer than the discovery of the bugs themselves — since Bluspark had no discernable way to contact it.
In a now-published blog post, Zveare said he submitted details of the five flaws in Bluspark’s platform to the Maritime Hacking Village, a non-profit that works to secure maritime space and, as with this case, helps researchers to notify companies working in the maritime industry of active security flaws.
Weeks later and following multiple emails, voicemails, and LinkedIn messages, the company had not responded to Zveare. All the while, the flaws could still be exploited by anyone on the internet.
As a last resort, Zveare contacted TechCrunch in an effort to get the issues flagged.
TechCrunch sent emails to Bluspark CEO Ken O’Brien and the company’s senior leadership alerting them to a security lapse, but did not receive a response. TechCrunch later emailed a Bluspark customer, a U.S. publicly traded retail company, to alert them of the upstream security lapse, but we also did not hear back.
... continue reading