SoylentNews is people
SoylentNews
Ars Technica reports that black boxes at sea may not always be so opaque:
Sometimes, that data can be awfully inconvenient. While the data in the VDR is the property of the ship owner, it can be taken by an investigator in the event of an accident or other incident—and that may not always be in the ship owner's (or crew's) interest. The VDRs aboard the cruise ship Costa Concordia were used as evidence in the manslaughter trial of the ship's captain and other crewmembers. Likewise, that data could be valuable to others—especially if it can be tapped into live.
It turns out that some VDRs may not be very good witnesses. As a report recently published by the security firm IOActive points out, VDRs can be hacked, and their data can be stolen or destroyed.
The US Coast Guard is developing policies to help defend against "transportation security incidents" caused by cyber-attacks against shipping, including issuing guidance to vessel operators on how to secure their systems and reviewing the design of required marine systems—including VDRs. That's promising to be a tall order, especially taking the breadth of systems installed on the over 80,000 cargo and passenger vessels in the world. And given the types of criminal activity recently highlighted by the New York Times' "Outlaw Ocean" reports, there's plenty of reason for some ship operators to not want VDRs to be secure—including covering up environmental issues, incidents at sea with other vessels, and sometimes even murder.
IOActive researchers looked specifically at the Furuno VR-3000, a VDR that was involved in a case in 2012 where data for a period during which Italian marines aboard a freighter fired upon an Indian fishing vessel "mysteriously" corrupted before investigators could access it. The marines, who were embarked aboard the freighter Enrica Lexie, claimed that they were in international waters and believed the fishermen to be pirates. The data that could have proven their location, along with communications data, was lost.
The VR-3000's Data Recording Unit is essentially a Linux-based personal computer with little in the way of security hardening. Other manufacturers use various industrial, real-time operating systems. But at least it's more secure than some of the other VDRs sold by Furuno. In another incident with a different, Windows XP-based VDR in 2012, data was corrupted when a crewmember on a Singapore-flagged ship inserted a USB drive into a port on the VDR—causing it to be infected with malware and for voice and navigation data to be overwritten. (No, that wasn't a typo: it was a Windows XP-based black box.)
(Score: 1, Interesting) by Anonymous Coward on Sunday December 13 2015, @05:02AM
Trying to make "black boxes" tamper-proof is probably an exercise in futility,
Even making the recording tamper-evident will involve DRM in the form on non-readable firmware that signs the logs with it's private key.
(Score: 1) by Ethanol-fueled on Sunday December 13 2015, @05:24AM
It still takes some amount of computer expertise in making it happen based on the information given in the article. It reeks of the paranoid hysteria that occurs everytime some government scientist or big security researcher finds a nontrivial way to compromise a system and everybody automatically starts flailing their arms and telling everyone that the terrorists are doing it.
The best part, though, was that the software encryption method in the code given was not proper encryption at all but merely a Scytale, [cryptool-online.org] a primitive substitution cypher.
(Score: 2) by frojack on Sunday December 13 2015, @07:35AM
Even making the recording tamper-evident will involve DRM in the form on non-readable firmware that signs the logs with it's private key.
Wait, did you miss this part of TFS:
The VR-3000's Data Recording Unit is essentially a Linux-based personal computer with little in the way of security hardening. ... In another incident with a different, Windows XP-based VDR in 2012...
You can see there is a LOT of hardening that can be done without going all crypto on the device. It just has to be waterproof, physically tamper evident, located somewhere it can be recovered without having to send divers into wrecks.
Its not that hard. Just stop using consumer gear for the computer control systems, and stop hooking them up to anything that can reach the internet.
The Coast Guard can mandate that in in a new york minute, and start enforcing it in a year.
No, you are mistaken. I've always had this sig.
(Score: 2) by HiThere on Sunday December 13 2015, @05:23PM
One thing that could be done is to use write once memory in the devices. The devices don't need to read their memory except when doing a dump, and if they can't overwrite memory, and writing includes time checks, then tampering would be rather evident unless the whole log was substituted.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.