Voyage data recorders used on ships can end up leveraged by attackers to remotely execute arbitrary commands with root privileges, a researcher said.
A voyage data recorder (VDR) collects information from various ship sensors — including position, speed, radar, and audio recordings from the bridge — to help investigators identify the cause of maritime incidents.
VDRs should be able to withstand extreme shock, pressure and heat to ensure data stored on them remains intact in case of an incident.
Ruben Santamarta, a researcher at security firm IOActive, researched a VDR from Furuno, a Japanese company specializing in marine electronics.
Santamarta did not obtain a Furuno VR3000 device for his experiments, but the VDR’s firmware and data extraction software allowed him to conduct static analysis and QEMU (Quick Emulator is a free and open-source hosted hypervisor that performs hardware virtualization) user-mode emulation.
The analysis revealed holes, including weak encryption, insecure authentication, a flawed firmware update mechanism, and various services plagued by buffer overflow and command injection vulnerabilities.
The vulnerabilities found in the Furuno VDR can end up exploited by an unauthenticated attacker with access to the vessel’s network to remotely execute arbitrary commands with root privileges and fully compromise the device. The attacker can access, modify or delete files from the VDR, including data that can be important for investigating an incident, such as radar images, navigation data, and audio recordings.
Bad guys can also use the access to the VDR to spy on a ship’s crew, Santamarta said in a blog post.
“Taking into account that we have demonstrated these devices can be successfully attacked, any data collected from them should be carefully evaluated and verified to detect signs of potential tampering,” he said.
IOActive notified ICS-CERT about the existence of the vulnerabilities in October 2014. ICS-CERT worked with JPCERT/CC to inform Furuno, which promised to release a patch “sometime” in 2015.
IOActive said it is not aware if a patch is available, but it’s worth pointing out Furuno no longer sells the VR3000 VDR analyzed by the security firm.