One security researcher believes that pirates could very easily track and spy on ships by remotely hacking into their black boxes. One particular model of black box, Voyage Data Recorder (VDR), has been shown to contain several bugs which make it very accessible to remote hacks or other tampering.
According to security researcher Ruben Santamart, “Basically, almost the entire design should be considered insecure. Remote attackers are able to access, modify, or erase data stored on the Voyage Data Recorder, which includes voice conversations, radar images and navigation data.”
Although these VDR devices are typically not connected to the internet, they are connected to the internal network of the ship. If a hacker is able to compromise a computer used by a crew member, the hacker will then be able to compromise the VDR as well.
In doing this, a hacker would be able to spy on the ship’s communications and also track the ship by accessing its navigational data. However, Santamarta is most worried about the crew members themselves manipulating the VDR. It’s very likely that crew members could be tempted to delete contents within the VDR after an accident.
Such incidents are believed to have occurred in the past. In February of 2012, two Indian fishermen were shot by Italian marines who thought that they were pirates. The data from the Italian’s VDR was corrupted and unavailable for access. Indian authorities believe that the data was destroyed on purpose by the Italians who wanted to cover up the unfortunate incident.
Additionally, a similar incident that same year took place on a Singapore vessel. The Singapore ship was involved in a hit and run incident that killed three fishermen. It was later reported that one of the crewmembers of the ship deleted the data of the VDR. The ship featured the same VR-3000 system that Santamarta has called into question.
Furuno, the maker of the VR-3000, said that it was alerted of the security issues in 2014 and stated that it would offer a patch to fix the issues sometime this year. However, it is unknown if the patch was ever issued. Furuno declined to comment on the situation.