Exposing Vulnerabilities in NMEA Gateways: Insights from Shodan and Honeypot Experiments

Authors

DOI:

https://doi.org/10.64552/wipiec.v12i1.128

Keywords:

Industrial Cyber-Physical System, Maritime Cybersecurity, NMEA, Honeypot, ICS Security

Abstract

Abstract—As connectivity increases through the Internet of Things (IoT) and Industry 4.0. Previously isolated systems gained remote access capabilities and became more exposed to cyberattacks. For example, in the maritime domain, the Global Maritime Transportation System (GMTS) is considered a high-potential target. Attacking a GMTS system with malware has been shown to influence ships or disrupt onboard operations. Another significant component of the ship network is an NMEA gateway. Prior research has shown evidence of NMEA gateways being exposed to the Internet, and our previous work experimentally demonstrated four practical attack vectors against such gateways: GPS spoofing, AIS injection, autopilot manipulation, and resource exhaustion. However, it remains unclear whether they have been targeted by adversaries or how an attacker could exploit them.

In this work, an NMEA gateway honeypot is designed, implemented, and deployed. The design of the honeypot is inspired by using Shodan, which is used to identify real and exposed NMEA gateways. Our Shodan results show that Internet-exposed NMEA gateways are widely spread. For instance, the refined $GPRMC-based Shodan query identified 4,305 unique endpoints that transmitted NMEA messages during the observation period, of which 1,542 were analyzed in detail to identify their vulnerabilities and other parameters, such as the attack window.  As per the honeypot, although no attacks against the specific NMEA gateway were captured, the honeypot logs captured other types of attacks, such as automated scanning and reconnaissance efforts. These findings indicate that NMEA gateways could become real targets in the near future if not configured or secured properly.

References

S. Shiva, S. Roy, and D. Dasgupta, “Game theory for cyber security,” in Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research, 2010, pp. 1–4.

K. E. Hemsley and Dr. R. E. Fisher, “History of Industrial Control System Cyber Incidents,” Idaho National Lab. (INL), Idaho Falls, ID (United States), Dec. 2018. doi: 10.2172/1505628.

D. U. Case, “Analysis of the Cyber Attack on the Ukrainian Power Grid.” 2016. [Online]. Available: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2016/05/20081514/E-ISAC_SANS_Ukraine_DUC_5.pdf

P. Há. Meland, K. Bernsmed, E. Wille, Ø. J. Rødseth, and D. A. Nesheim, “A Retrospective Analysis of Maritime Cyber Security Incidents,” TransNav, vol. 15, no. 3, pp. 519–530, 2021, doi: 10.12716/1001.15.03.04.

International Shipping News, “Rising Threat of Maritime Cyberattacks,” International Shipping News, Oct. 2023, [Online]. Available: https://www.hellenicshippingnews.com/rising-threat-of-maritime-cyberattacks/

“Maritime Cyber Attack Database (MCAD) | NHL Stenden university of applied sciences.” Accessed: Dec. 12, 2023. [Online]. Available: https://www.nhlstenden.com/en/maritime-cyber-attack-database

United Nations Conference on Trade and Development (UNCTAD), “World Mercant Fleet.” 2026. [Online]. Available: https://unctadstat.unctad.org/insights/theme/243

United Nations Conference on Trade and Development (UNCTAD), “World seaborne trade.” [Online]. Available: https://unctadstat.unctad.org/insights/theme/244

J. Franco, A. Aris, B. Canberk, and A. S. Uluagac, “A Survey of Honeypots and Honeynets for Internet of Things, Industrial Internet of Things, and Cyber-Physical Systems,” Aug. 04, 2021, arXiv: arXiv:2108.02287. Accessed: Jan. 31, 2024. [Online]. Available: http://arxiv.org/abs/2108.02287

M. Lucchese, F. Lupia, M. Merro, F. Paci, N. Zannone, and A. Furfaro, “HoneyICS: A High-interaction Physics-aware Honeynet for Industrial Control Systems,” in Proceedings of the 18th International Conference on Availability, Reliability and Security, Benevento Italy: ACM, Aug. 2023, pp. 1–10. doi: 10.1145/3600160.3604984.

“HoneyPLC: A Next-Generation Honeypot for Industrial Control Systems | Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security.” Accessed: Dec. 12, 2023. [Online]. Available: https://dl.acm.org/doi/abs/10.1145/3372297.3423356

J. Pijpker and S. J. McCombie, “A Ship Honeynet to Gather Cyber Threat Intelligence for the Maritime Sector,” in 2023 IEEE 48th Conference on Local Computer Networks (LCN), Daytona Beach, FL, USA: IEEE, Oct. 2023, pp. 1–6. doi: 10.1109/LCN58197.2023.10223347.

Y. Yigit, O. K. Kinaci, T. Q. Duong, and B. Canberk, “TwinPot: Digital Twin-assisted Honeypot for Cyber-Secure Smart Seaports,” in 2023 IEEE International Conference on Communications Workshops (ICC Workshops), May 2023, pp. 740–745. doi: 10.1109/ICCWorkshops57953.2023.10283756.

M. Struijk, J. Pijpker, and F. Mohsen, “Demonstrating Practical Attacks on Maritime Cyber-Physical Systems via Exposed NMEA Gateways,” in 2025 14th Mediterranean Conference on Embedded Computing (MECO), IEEE, 2025, pp. 1–4.

National Marine Electronics Association (NMEA), “National Marine Electronics Association.” 2026. [Online]. Available: https://www.nmea.org/

R. Murthy and R. Ghaffari, “Shipboard Networks and Communications Systems,” in Maritime Transportation Systems, J. Beckman and others, Eds., Pressbooks, 2025. [Online]. Available: https://pressbooks.pub/maritimesecurity11/chapter/shipboard-networks-and-communications-systems-murthy-ghaffari/

A. Ribeiro, “Maritime cyber incidents jump 103%, as CYTUR warns smart ships under fire; urges secure by design overhaul.” [Online]. Available: https://industrialcyber.co/reports/maritime-cyber-incidents-jump-103-as-cytur-warns-smart-ships-under-fire-urges-secure-by-design-overhaul/

S. Krile, D. Kezić, and F. Dimc, “NMEA Communication Standard for Shipboard Data Architecture,” Naše more.

National Marine Electronics Association, “NMEA 0183 Standard.” 2025. [Online]. Available: https://www.nmea.org/nmea-0183.html

National Marine Electronics Association, “NMEA 2000 Standard.” 2025. [Online]. Available: https://www.nmea.org/nmea-2000.html

Actisense (Active Research Ltd), NMEA OneNet and Ethernet Networking Guide. Poole, United Kingdom: Active Research Limited, 2023. [Online]. Available: https://actisense.com/wp-content/uploads/2023/07/NMEA-OneNet-and-Ethernet-Networking-guide-1.pdf

A. Oruc, V. Gkioulos, and S. Katsikas, “Towards a Cyber-Physical Range for the Integrated Navigation System (INS),” JMSE, vol. 10, no. 1, p. 107, Jan. 2022, doi: 10.3390/jmse10010107.

Actisense, “Pro-Mux-2.” Accessed: Apr. 20, 2024. [Online]. Available: https://actisense.com/products/pro-mux-2/

E. S. Raymond and the G. project, “AIVDM/AIVDO Protocol Decoding.” [Online]. Available: https://gpsd.gitlab.io/gpsd/AIVDM.html

I. Progoulakis, P. Rohmeyer, and N. Nikitakos, “Cyber Physical Systems Security for Maritime Assets,” JMSE, vol. 9, no. 12, p. 1384, Dec. 2021, doi: 10.3390/jmse9121384.

K. Tam and K. Jones, “MaCRA: a model-based framework for maritime cyber-risk assessment,” Jan. 2019, doi: 10.1007/s13437-019-00162-2.

C. Hemminghaus, J. Bauer, and E. Padilla, “BRAT: A BRidge Attack Tool for Cyber Security Assessments of Maritime Systems,” TransNav, vol. 15, no. 1, pp. 35–44, 2021, doi: 10.12716/1001.15.01.02.

S. Brouwer, J. Pijpker, and F. Mohsen, “HoneyShip: Unveiling Cyber Threats to Maritime VSAT Systems with a High-Interaction Honeypot,” in 2025 IEEE 8th International Conference on Industrial Cyber-Physical Systems (ICPS), IEEE, May 2025. doi: 10.1109/icps65515.2025.11087909.

S. Brouwer, J. Pijpker, and F. Mohsen, “HoneyShip: Data from a Maritime VSAT Honeypot and Open Internet Reconnaissance.” 2025. doi: 10.34894/7SS2RW.

A. Amro, “Cyber-Physical Tracking of IoT devices: A maritime use case,” in Norsk IKT-konferanse for forskning og utdanning, 2021.

S. J. McCombie and J. Pijpker, “A Ship Honeynet Project to Collect Data on Cyber Threats to the Maritime Sector,” presented at the CYBER 2022, The Seventh International Conference on Cyber-Technologies and Cyber-Systems, Nov. 2022, pp. 81–85.

transmitterdan, “VDRplayer.” Accessed: Jul. 07, 2024. [Online]. Available: https://github.com/transmitterdan/VDRplayer

V. Florea, “Checkpot: Honeypot Checker.” 2018. [Online]. Available: https://github.com/vladalexgit/checkpot

R. Gabrys, D. Silva, and M. Bilinski, “HoneyGAN Pots: A Deep Learning Approach for Generating Honeypots.” 2024. [Online]. Available: https://arxiv.org/abs/2407.07292

Downloads

Published

2026-06-15

How to Cite

Pijpker, J., Struijk, M. ., & Mohsen, F. (2026). Exposing Vulnerabilities in NMEA Gateways: Insights from Shodan and Honeypot Experiments. WiPiEC Journal - Works in Progress in Embedded Computing Journal, 12(1), 8. https://doi.org/10.64552/wipiec.v12i1.128

Issue

Vol. 12 No. 1 (2026): WiPiEC Journal

Section

Full Paper

License

Copyright (c) 2026 Jeroen Pijpker, Marten Struijk, Fadi Mohsen

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.

License Terms: 

Except where otherwise noted, content on this website is lincesed under a  Creative Commons Attribution Non-Commercial License (CC BY NC) 

Use, distribution and reproduction in any medium, provided the original work is properly cited and is not used for commercial purposes, is permitted.

Copyright to any article published by WiPiEC retained by the author(s). Authors grant WiPiEC Journal a license to publish the article and identify itself as the original publisher. Authors also grant any third party the right to use the article freely as long as it is not used for commercial purposes and its original authors, citation details, and publisher are identified, in accordance with CC BY NC license. Fore more information on license terms, click here