Blog: Maritime Security

Stealing container ship cargo through LOC messaging

Ken Munro 14 Dec 2015

In previous blogs I looked at hacking and manipulating  container ship loading plans to destabilise a ship. However, criminals will be far more interested in using these techniques to re-route containers.

Similar techniques appear to have been used to steal containers in the past. There’s a really interesting legal case here between Glencore international and MSC Mediterranean Shipping  around a case of two missing containers containing ~$1M of cobalt.

At ~$200/kg, a forty foot equivalent shipping container could hold >$500,000 of the metal cobalt involved in the above case, so very valuable cargo!

Here I’m going to look at the techniques that could have been used. Personally, I suspect the Glencore/MSC case involved insiders somewhere in the cargo handling chain who know how to operate the front end GUIs to the shipping systems.

But what about hacking the back end messaging systems to achieve the same and more?

Interesting attacks could include:

  • Sending a container with valuable goods to a rogue address
  • Identifying containers with valuable cargo, so pirates can steal from whilst on board
  • Shipping narcotics and obscuring their actual destination to avoid detection

And many others

This isn’t fanciful – targeted piracy has already happened too. Several reports have been made where a ship is boarded by pirates, but only contents of a few containers are taken. High value items, obviously.

I’m going to look at different EDIFACT message features that could be manipulated to achieve this. Read my earlier BAPLIE messaging blog for a primer.

BAPLIE is used to create the stowage plan on board ship, ensuring safety and efficiency of the vessel. It is collated from numerous sources, all of which deal with EDI messaging from vessels, line operators, terminals, agents.

Fundamentally, it deals with who/what/where/when in relation to a container.

Let’s say you want to identify a container with valuable cargo and re-route it somewhere

You’ll need to understand quite a few different message formats, but the whole process is easily automated:

COSTOR: for a packing or unpacking facility to stuff (pack) a shipping container with goods

COPARN: an order to release, to make available, to accept, to call down containers or to announce the impending arrival of containers

COREOR: to release import/export containers.

COARRI: discharge (unload) or load containers from a ship

CODECO: reporting containers arriving at or leaving a container terminal (‘gate in’ / ‘gate out’)

There are plenty of other messages that deal with other parts of the shipping process, but the interesting part of all the above messages is the LOC or ‘location’ segment.

If you can change this, you change where the container goes. Trivial theft!

Changing cargo destination

The LOC location code is used in many places in EDIFACT messaging. Here’s the specification:

0200 LOC Place/location identification

A segment to identify a location or country related to the equipment, such as: – stowage cell – (final) place/port of discharge – transhipment place – place of delivery – country of origin/destination.

If you read a sample message, you’ll find LOC used for stating for example:

  • The location of where a message was sent from (the physical office/factory address, not the EDI terminal address)
  • A location where customs might be required
  • Where a container was hired from and where it was off-hired
  • Transport destinations for calculating freight charges.
  • Place of registry, e.g. for the source of bank payments

For the purpose of theft, one might attempt the following:

  1. Send a COPRAR message to have the container discharged (offloaded) at the wrong port.
  2. Send a COPINO message to alert the container terminal that a land based carrier (truck!) will be arriving at a certain time to collect the container.
  3. Wait for the CODECO message from the terminal to state that the stolen container has left the port.
  4. Profit!

In each case, the LOC code can modified to suit the rogue destination. I believe the relevant codes in a COPRAR message are in segment 0270:

In the COPINO message, it’s likely to be segment 0120 that needs to be modified.

Although the entire message system is so complicated that you’ll need to inspect each message to be certain of the correct code to modify.

Finally, the shipping destination message may need to have its NAD (name and address) field modified also.

Two factor authentication

In some larger ports, there is a system of PIN codes that the truck driver needs to present in order for the cargo to be released.

This was the crux of the legal case above: somehow someone had accessed the PINs and had presented the correct one. Guess how the PINs are sent to the terminal to be compared with the drivers PIN? EDI!

Again, manipulate the EDI messaing so your fake PIN is the one presented by the driver and the container is stolen.


Any user of EDI messaging for anything financial, maritime or not, should check that their systems are secured from message manipulation and related fraud through container theft.

Ensure that two factor authentication using a PIN or other shared secret is operating effectively. Make sure that those PINs can’t be intercepted using the very system you use to share them.

Ports particularly should be on high alert for container theft.