The voyage data recorders used on ships are plagued by many serious vulnerabilities that expose the devices to hacker attacks, researchers have warned.
A voyage data recorder, or VDR, is the equivalent of a black box on an airplane. The data recording system collects information from various sensors — including position, speed, radar, and audio recordings from the bridge — to help investigators identify the cause of maritime incidents.
Just like the black boxes on airplanes, VDRs are designed to withstand extreme shock, pressure and heat to ensure that the data stored on them is not destroyed in case of an incident.
However, there have been instances in which the data on a VDR from a ship involved in an incident had been tampered with. In an incident that took place in India, in which a cargo ship hit a smaller fishing vessel, the files on the cargo ship’s VDR were overwritten after crew members inserted a pen drive into the device. The press also reported that the ship’s main computer system was infected with malware.
Ruben Santamarta, a researcher at security firm IOActive, conducted an analysis of a VDR from Furuno, a Japanese company specializing in marine electronics. Last year, Santamarta published a report on security flaws in satellite communications systems such as the ones used by ships and aircraft.
The expert hasn’t managed to obtain the actual Furuno VR3000 device for his experiments, but the VDR’s firmware and data extraction software allowed him to conduct both static analysis and QEMU user-mode emulation.
The analysis revealed many security holes, including weak encryption, insecure authentication, a flawed firmware update mechanism, and various services plagued by buffer overflow and command injection vulnerabilities.
The vulnerabilities found in the Furuno VDR can be exploited by an unauthenticated attacker with access to the vessel’s network to remotely execute arbitrary commands with root privileges and fully compromise the device. The attacker can access, modify or delete files from the VDR, including data that can be important for investigating an incident, such as radar images, navigation data, and audio recordings.
Malicious actors can also use the access to the VDR to spy on a ship’s crew, Santamarta said in a blog post.
“Taking into account that we have demonstrated these devices can be successfully attacked, any data collected from them should be carefully evaluated and verified to detect signs of potential tampering,” the expert advised.
IOActive notified ICS-CERT about the existence of the vulnerabilities in October 2014. ICS-CERT worked with JPCERT/CC to inform Furuno, which promised to release a patch “sometime” in 2015.
IOActive says it’s not aware if a patch has been made available, but it’s worth pointing out that the VDR analyzed by the security firm, the VR3000, is no longer sold by Furuno. Santamarta told SecurityWeek that he can’t confirm if the current VDR model sold by the vendor, the VR-7000, is vulnerable.
UPDATE. Furuno says it has released new versions of the software to address the vulnerabilities in both VR-3000(S) and VR-7000 devices.
Related Reading: Satellite Telecom Vulnerable to Hackers