SoylentNews

takyon [soylentnews.org] writes:

[ADD SOFTWARE TOPIC]

Ars Technica reports that black boxes at sea may not always be so opaque [arstechnica.com]:

Sometimes, that data can be awfully inconvenient. While the data in the VDR is the property of the ship owner, it can be taken by an investigator in the event of an accident or other incident—and that may not always be in the ship owner's (or crew's) interest. The VDRs aboard the cruise ship Costa Concordia were used as evidence [www.ansa.it] in the manslaughter trial of the ship's captain and other crewmembers. Likewise, that data could be valuable to others—especially if it can be tapped into live.

It turns out that some VDRs may not be very good witnesses. As a report recently published by the security firm IOActive [ioactive.com] points out, VDRs can be hacked, and their data can be stolen or destroyed.

The US Coast Guard is developing policies to help defend against "transportation security incidents" [uscg.mil] caused by cyber-attacks against shipping, including issuing guidance to vessel operators on how to secure their systems and reviewing the design of required marine systems—including VDRs. That's promising to be a tall order, especially taking the breadth of systems installed on the over 80,000 cargo and passenger vessels in the world. And given the types of criminal activity recently highlighted by the New York Times' "Outlaw Ocean" reports [nytimes.com], there's plenty of reason for some ship operators to not want VDRs to be secure—including covering up environmental issues, incidents at sea with other vessels, and sometimes even murder.

[EXTENDED COPY]

IOActive researchers looked specifically at the Furuno VR-3000, a VDR that was involved in a case in 2012 where data for a period during which Italian marines aboard a freighter fired upon an Indian fishing vessel "mysteriously" corrupted before investigators could access it. The marines, who were embarked aboard the freighter Enrica Lexie [indiatimes.com], claimed that they were in international waters and believed the fishermen to be pirates. The data that could have proven their location, along with communications data, was lost.

The VR-3000's Data Recording Unit is essentially a Linux-based personal computer with little in the way of security hardening. Other manufacturers use various industrial, real-time operating systems. But at least it's more secure than some of the other VDRs sold by Furuno. In another incident with a different, Windows XP-based VDR in 2012, data was corrupted when a crewmember on a Singapore-flagged ship inserted a USB drive into a port on the VDR—causing it to be infected with malware and for voice and navigation data to be overwritten. (No, that wasn't a typo: it was a Windows XP-based black box [furunousa.com].)

Original Submission