Pirate Hackers Can Easily Spy on Ships Through Insecure 'Black Boxes'

A security researcher also warns that crew members can easily hide evidence of accidents or malfeasance.

Dec 9 2015, 3:00pm

Image: Daniel Ramirez/Flickr

Pirate hackers could track and spy on ships and cargo vessels by remotely hacking into their "black boxes," according to a security researcher.

Ruben Santamarta, a security researcher at the well-known firm IOActive, found that a particular model of Voyage Data Recorder (VDR), the popular Furuno VR-3000, a device that's essentially the equivalent of an aircraft's black box, has several bugs that make it very easy for the crew to tamper with it or for a hacker to hack it remotely.

"Basically, almost the entire design should be considered insecure," Santamarte wrote in a blog post published on Wednesday. "Remote attackers are able to access, modify, or erase data stored on the Voyage Data Recorder, which includes voice conversations, radar images and navigation data."

The vulnerabilities he found in the VR-3000 make it "really easy to hack into these devices," Santamarta told Motherboard in a phone interview.

"It's really easy to hack into these devices."

While these devices should not be—and normally aren't—connected directly to the internet, according to Santamarta, they are still connected to the internal network of the ship. So if a hacker is able to compromise the computer of a crew member and infect it with malware, it can then compromise the VDR.

That way, a hacker could spy on the crew's communications (VDRs collect data from microphones on ships' bridges), and track the ship's position by accessing its navigational data, Santamarta explained.

Even though that's possible, this is an unlikely scenario, Santamarta told me. What worries him the most is the possibility of the ship's own crew attempting to tamper with the device, and delete or manipulate data after an accident. Santamarta pointed to real incidents where something like that could've actually already happened.

In February of 2012, Italian marines shot two Indian fishermen off the coast of India. The marines claimed they thought the fishermen were pirates. Data from the Italian ships' VDR was reportedly corrupted and unavailable to investigators, and Indian authorities suspected the data had been destroyed on purpose. Also in 2012, a ship from Singapore was involved in a hit-and-run, killing three fishermen. One of the crewmembers of the ship inserted a USB drive in the VDR and deleted data, according to local reports (in this case, the ship was equipped with a VR-3000).

A Furuno VR-3000 (Image: Furuno)

Santamarta posited that in similar cases of accidents where the crew might want to hide its guilt, it'd be possible to take advantage of the bugs he found to delete important evidence.

Furuno did not answer to a request for comment. But Santamarta wrote in his blog post that the company was alerted of the bugs in 2014, and promised a patch "sometime in the year of 2015," but it's unclear if the patch has already been issued.

There's no evidence anyone has ever taken advantage of these vulnerabilities, but this research proves that, once again, everything is hackable.