Ships Are Vulnerable to Hackers and Sabotage | Hacked: Hacking Finance

Ships Are Vulnerable to Hackers and Sabotage


Samburaj Das

Samburaj Das

Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.


Total Coverage 22nd August, 2017

ChronoPay Looks to Kickstart Bitcoin Adoption in Russia 29th May, 2017


Ships Are Vulnerable to Hackers and Sabotage

Posted on .
This article was posted on Wednesday, 19:53, UTC.

A security researcher has revealed that a particular model of a Voyage Data Recorder (VDR), or a ship’s black box, put bluntly, is vulnerable to hackers who can track a ship’s route. Just as significantly, the device is also vulnerable to tampering or sabotage by anyone who can access the device, including its crew.

// -- Discuss and ask questions in our community on Workplace. Don't have an account? Send Jonas Borchgrevink an email -- //

Tech-saavy pirates could potentially hack a ship’s Voyage Data Recorder (VDR) to track its movements and even spy on a ship’s crew, with the device directly connected to microphones in the bridge of the vessel.

The discovery was made by Ruben Santamarta, a security researcher at security firm IOActive who wrote in a blog that the widely used Furuno VR-3000, a VDR commonly adopted by many ships around the world contains multiple vulnerabilities that could lead to exploits wherein malicious attackers could remotely (!) execute arbitrary commands with complete root privileges.

The hack of a VDR could lead to significant speculation of the how and the why in which a VDR would be tampered. Santamarta explains:

// -- Become a yearly Platinum Member and save 69 USD and get access to our secret group on Workplace. Click here to change your current membership -- //

From a security perspective, it seems clear VDRs pose a really interesting target. If you either want to spy on a vessel’s activities or destroy sensitive data that may put your crew in a difficult position, VDRs are the key.

The complete account of the report and findings can be read here.

It is important to note that Santamarta did not have access to the hardware of the device itself. His findings stem from his research of the software and the firmware of the suspect VDR and the results are eye-opening, while the vulnerabilities have since been verified independently with the actual device itself.

After spending some hours reversing the different binaries, it was clear that security is not one of [the] main strengths of this equipment…The mechanism to update firmware is flawed. Encryption is weak.

Basically, the entire design should be considered insecure.

That makes for a damning verdict of the security fallacies of a multi-million dollar ship’s data recorder.

With root privileges comes the means for an attacker to gain the means to trigger a complete compromise of the device. This includes the ability to “access, modify, or erase data stored on the VDR, including voice communications, radar images, and navigation data.”

The Tampering of VDRs

While pirates are an exception in this century, aside from those off the coast of Somalia, the many operating in the South China Sea and pirates in the Gulf of Guinea and Nigeria, there is a far more plausible reason for a ship’s VDR to be tampered. Destroying evidence, to sabotage a potential investigation.

For instance, a notable diplomatic stand-off between India and Italy was triggered when two Indian fishermen were shot by Italian marines who were private security hired by the shipping company on board the Enrica, a merchant ship. As it turns out, the data found from the sensors and voice recordings stored in the VDR during the specific time frame of the incident was corrupted. To this day, the Enrica Lexie case, as it is dubbed, continues to stroke tensions between the two countries. Ship dusk

The International Maritime Organization (IMO) mandates that all VDR devices installed on or after July 2006 should have the means to extract stored data onto a laptop, usually through a USB. Unsurprisingly, a USB port brings with it the means for an exploit.

A few weeks after the Enrica incident, a Singaporean ship was involved in a hit-and-run incident off the Indian coast. Three fishermen were killed, while one disappeared and was subsequently rescued. The captain of the ship was arrested.

The subsequent investigation showed that four crew members were aware of the incident while one was responsible for plugging in a pen-drive into the VDR, sabotaging it by rewriting the files and corrupting the voice data recorded on the VDR.

Working with the relevant authorities, security firm IOActive was able to relay the information of the vulnerabilities to Furuno. The vulnerabilities were also reproduced and verified, proving the company’s claims. Furuno has since committed to provide a patch to seal the holes in its device “sometime in the year of 2015,” writes Santamarta.

Hacked reached out to Furuno and the company wasn’t immediately available for a comment at the time of publishing.

Images from Shutterstock.

Important: Never invest money you can't afford to lose. Always do your own research and due diligence before placing a trade. Read our Terms & Conditions here.

Feedback or Requests?

Samburaj Das

Samburaj Das

Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.

There are no comments.

View Comments (0) ...
The team:
Dmitriy Lavrov
Dmitriy Lavrov is a professional trader, technical analyst and money manager with 10 years of trading experience. He covers Forex, Commodities and Cryptocurrencies. He is among the top 10 most Read More
Jonas Borchgrevink
Jonas Borchgrevink is the founder of and He is a serial entrepreneur, trader and investor. He shares his own personal journey on // -- Discuss and ask Read More
Mate Csar
Trader and financial analyst, with 10 years of experience in the field. An expert in technical analysis and risk management, but also an avid practitioner of value investment and passive Read More
Mati Greenspan
Senior Market Analyst at // -- Discuss and ask questions in our community on Workplace. Don't have an account? Send Jonas Borchgrevink an email -- // Important: Never invest Read More
Rakesh Upadhyay
Rakesh Upadhyay is a Technical Analyst and Portfolio Consultant for The Summit Group. He has more than a decade of experience as a private trader. His philosophy is to use Read More
Pamela Meropiali
Account Manager
Pamela Meropiali is responsible for users on // -- Discuss and ask questions in our community on Workplace. Don't have an account? Send Jonas Borchgrevink an email -- // Read More
Joseph Young
Joseph Young is a finance and tech journalist & analyst based in Hong Kong. He has worked with leading media and news agencies in the technology and finance industries, offering Read More
A group of hackers believed to have sent malware to…