Hey, captain, what’s wrong with your vessel? Ships’ black boxes are vulnerable to hackers

January 12, 2016

Usually we say “black box” when we speak about flight data recorders, but these devices are implemented on ships as well. They are called Voyage Data Recorders, or VDRs. Maritime black boxes are required for all passenger and cargo vessels over 3,000 gross tons.

Just like an airplane’s black box, VDRs log everything that’s going on with a vessel at sea: weather conditions, radar images, position, speed and all audio communications. In case of an accident, this device, placed in a protective capsule with an acoustic beacon, becomes an automated version of the ship’s logbook.


A VDR helps investigators clarify what happened to a vessel and why. For example, this device was used in the trial against the captain and crew members of the infamous Costa Concordia cruise liner. Their culpable negligence resulted in the death of more than 30 passengers and the wreck of the ship.

VDRs are used to investigate disasters of all kinds, including environmental incidents. In 2007, the container vessel Cosco Busan rammed into the protective fender of the Delta Tower of the San Francisco – Oakland Bay Bridge in heavy fog. More than fifty thousand US gal of heavy fuel oil spilled from its tanks into San Francisco Bay. The crew refused to cooperate, but data extracted from the ship’s VDR helped the National Transportation Safety Board determine the causes of the incident.

Unfortunately, voyage data recorders sometimes do not work as well as they are cracked up to be. Like the maritime industry in general, VDR developers do not care much about Internet security and the protection of their connected devices. Besides, many shipowners use old solutions that run the outdated Windows XP. As a result, vulnerable devices with poor software update mechanisms and bad encryption frequently appear on the market. In this case all interested parties, from cybercriminals to seafarers and shipowners, can change or delete logged data, and that makes a VDR no good at all.

On 15 February 2012, Italian seafarers mistook two Indian fishermen for pirates and shot them. After the incident, all crucial data recorded on the VDR, produced by the Furuno company, was found to be mysteriously corrupted. This incident resulted in a diplomatic scandal, and its investigation is still ongoing.

Later that year, the cargo vessel Prabhu Daya, flying the Singapore flag, crashed into a fishing boat off the Kerala Coast and tried to flee the scene. As a result, two fishermen died and the third disappeared. He was eventually rescued by another fishing vessel in the area. During the investigation, authorities found out that one of the crew members had deliberately damaged the data on the VDR: he had inserted a pen drive into the device and infected it with a virus, which in turn corrupted all the logs. Moreover, the main computer system of Prabhu Daya was also infected, as it had no security solution at all.

Recently, security experts from IOActive examined a VR-3000 voyage data recorder produced by the aforementioned Furuno company. They found that the device is rather vulnerable to hacker attacks:

“Multiple services are prone to buffer overflows and command injection vulnerabilities. The mechanism to update firmware is flawed. Encryption is weak. Basically, almost the entire design should be considered insecure.”

As a result, terrorists, pirates and other malefactors can remotely spy on the conversations of crew members and their radio calls, as well as access, modify or erase data stored on the VDR.

Many VDR systems, though not connected to the Internet directly, use Ethernet and access the same network as satellite communications systems, which are already known to be vulnerable. That’s why criminals don’t need to be onboard to get access to VDR data — all they need is to break into the main computer system of a vessel.

And it’s quite possible. For example, in 2013 security researchers found out how to hijack the Automatic Identification System, or AIS, used by an estimated 400,000 ships worldwide.

IOActive notified Furuno about these vulnerabilities in October 2014. The developer promised to provide a patch “sometime in the year of 2015.” It’s still unknown whether the patches have been distributed to ship operators, as nothing has been heard from Furuno since that time.

Until recently, the maritime industry did not care much about cybersecurity. And that was a mistake: as 90% of goods all over the world are transported by sea, shipping will always attract hackers. Nowadays, attention is increasingly being focused on cybersecurity questions. Unfortunately, it’s almost impossible to quickly change or update equipment for the entire world merchant fleet, which in 2014 alone consisted of more than 85,000 vessels and is known to grow from year to year. But changes are underway, and that’s good.