A security researcher has revealed that a particular model of a Voyage Data Recorder (VDR), or a ship’s black box, put bluntly, is vulnerable to hackers who can track a ship’s route. Just as significantly, the device is also vulnerable to tampering or sabotage by anyone who can access the device, including its crew.
Tech-saavy pirates could potentially hack a ship’s Voyage Data Recorder (VDR) to track its movements and even spy on a ship’s crew, with the device directly connected to microphones in the bridge of the vessel.
The discovery was made by Ruben Santamarta, a security researcher at security firm IOActive who wrote in a blog that the widely used Furuno VR-3000, a VDR commonly adopted by many ships around the world contains multiple vulnerabilities that could lead to exploits wherein malicious attackers could remotely (!) execute arbitrary commands with complete root privileges.
The hack of a VDR could lead to significant speculation of the how and the why in which a VDR would be tampered. Santamarta explains:
From a security perspective, it seems clear VDRs pose a really interesting target. If you either want to spy on a vessel’s activities or destroy sensitive data that may put your crew in a difficult position, VDRs are the key.
The complete account of the report and findings can be read here.
It is important to note that Santamarta did not have access to the hardware of the device itself. His findings stem from his research of the software and the firmware of the suspect VDR and the results are eye-opening, while the vulnerabilities have since been verified independently with the actual device itself.
After spending some hours reversing the different binaries, it was clear that security is not one of [the] main strengths of this equipment…The mechanism to update firmware is flawed. Encryption is weak.
Basically, the entire design should be considered insecure.
That makes for a damning verdict of the security fallacies of a multi-million dollar ship’s data recorder.
With root privileges comes the means for an attacker to gain the means to trigger a complete compromise of the device. This includes the ability to “access, modify, or erase data stored on the VDR, including voice communications, radar images, and navigation data.”
The Tampering of VDRs
While pirates are an exception in this century, aside from those off the coast of Somalia, the many operating in the South China Sea and pirates in the Gulf of Guinea and Nigeria, there is a far more plausible reason for a ship’s VDR to be tampered. Destroying evidence, to sabotage a potential investigation.
For instance, a notable diplomatic stand-off between India and Italy was triggered when two Indian fishermen were shot by Italian marines who were private security hired by the shipping company on board the Enrica, a merchant ship. As it turns out, the data found from the sensors and voice recordings stored in the VDR during the specific time frame of the incident was corrupted. To this day, the Enrica Lexie case, as it is dubbed, continues to stroke tensions between the two countries.
The International Maritime Organization (IMO) mandates that all VDR devices installed on or after July 2006 should have the means to extract stored data onto a laptop, usually through a USB. Unsurprisingly, a USB port brings with it the means for an exploit.
A few weeks after the Enrica incident, a Singaporean ship was involved in a hit-and-run incident off the Indian coast. Three fishermen were killed, while one disappeared and was subsequently rescued. The captain of the ship was arrested.
The subsequent investigation showed that four crew members were aware of the incident while one was responsible for plugging in a pen-drive into the VDR, sabotaging it by rewriting the files and corrupting the voice data recorded on the VDR.
Working with the relevant authorities, security firm IOActive was able to relay the information of the vulnerabilities to Furuno. The vulnerabilities were also reproduced and verified, proving the company’s claims. Furuno has since committed to provide a patch to seal the holes in its device “sometime in the year of 2015,” writes Santamarta.
Hacked reached out to Furuno and the company wasn’t immediately available for a comment at the time of publishing.
Images from Shutterstock.