Maritime Security: Voyage Data Recorders Found Vulnerable to Hacking

Photo: IOActive
Photo: IOActive

Researchers with the security firm IOActive have found that ships’ Voyage Data Recorders (VDRs) are vulnerable to hacking and attacks.

VDRs, required for ships over 3,000 gross tons under international law, are the equivalent of ‘black boxes’ on aircraft, recording crucial data such as radar images, position, speed and bring audio, among other data. The data contained within is considered vital to accident investigators who are attempting to identify the root cause of an accident.

IOActive researchers found that looking into one model, the Furuno VR-3000, that the device can be easily hacked by those who may want to spy on a vessel’s activities or destroy sensitive data following an incident.

“After spending some hours reversing the different binaries, it was clear that security is not one of its main strengths of this equipment,” IOActive says in a blog post on its website. “Multiple services are prone to buffer overflows and command injection vulnerabilities. The mechanism to update firmware is flawed. Encryption is weak. Basically, almost the entire design should be considered insecure.”

The blog post adds:

Digging further into the binary services we can find a vulnerability that allows unauthenticated attackers with remote access to the VR-3000 to execute arbitrary commands with root privileges. This can be used to fully compromise the device. As a result, remote attackers are able to access, modify, or erase data stored on the VDR, including voice conversations, radar images, and navigation data.

More on IOActive’s research can be found on its website HERE.