A security researcher uncovers a path for pirates to spy on ships, and for members of the crew to cover their tracks in case of an accident.

It’s not just airplanes. Ships have “black boxes,” too. And a security researcher has discovered that these Voyage Data Recorders, or VDR’s, are highly vulnerable, according to Motherboard.

Ruben Santamarta of IOActive reported on the site’s blog this week that one of the devices used to record data for ships is open for hacking.

“…Security is not one of its main strengths of this equipment,” he wrote. “The mechanism to update firmware is flawed. Encryption is weak. Basically, almost the entire design should be considered insecure.”

He said the device can be fully compromised. 

“As a result, remote attackers are able to access, modify, or erase data stored on the VDR, including voice conversations, radar images, and navigation data,” Santamarta explained.

Motherboard highlighted the concept that pirate hackers could track and spy on ships, following crew communications and tracking the ship’s position.

But Santamarta also indicated that crew members could cover their tracks after accidents or wrongdoing, and cited cases where VDR information was deleted or destroyed after international incidents at sea.

Cybersecurity experts say this vulnerability could lead to other dangers as well, like industrial espionage or sabotage.

“Shipping is big money with big competition,” said Patrick C. Miller with Archer Security Group. “Until this issue is fixed, the integrity of this black box and its data is in question.” 

Patrick Coyle with Chemical Facility Security News asked whether there is a way to get this information to governing authorities who may need to watch for compromised VDR data.

“Ruben makes a good point about the potential problem of these vulnerabilities being used to modify the ‘official records’ of the VDR,” said Coyle. “This should be a problem of concern to the International Maritime Organization (and to a lesser extent the US Coast Guard), so how would this information officially get to them?”

Santamarta recommended in his blog that authorities keep watch. 

“Taking into account that we have demonstrated these devices can be successfully attacked, any data collected from them should be carefully evaluated and verified to detect signs of potential tampering,” he said.

Santamarta said IOActive notified ICS-CERT (the government’s Industrial Control Systems Cyber Emergency Response Team) about this vulnerability, and the company making the VDR in question said it would make a patch for customers in 2015, although IOActive does not know if the patch was produced.

An anonymous ex-CIA security expert noted that the model of VDR that was hacked has been discontinued by the manufacturer, though he does not know when it was discontinued. 

“A significant contributing factor would therefore be how extensively the product remains in use, as well as if there are existing plans for it to be phased out,” the security expert said. “It may very well be that the reason the ‘bugs’ still exist in this VDR is because it’s an old design! For example, an old computer running Windows XP presents a massive cybersecurity threat compared to a new machine running Windows 10.”

Daniel Lance with Archer Security Group said the shipping industry needs to take a closer look at its technology.

“If we were having this discussion about any other technology that both records and reports activity, privacy issues would be front and center,” Lance said. “Industrial transportation has adapted to on-board tech seemingly slower then other areas of travel, such as your own vehicle.”