Turning Off AIS While Transiting Hormuz Offers False Sense Of Security, Advises Cydome<\/p>\n
Leading maritime cyber solutions expert Cydome is advising shipmanagers with assets transiting high-risk waters that disabling a vessel\u2019s Automatic Identification System (AIS) is creating a false sense of security, as the vessel\u2019s location and position can remain electronically visible.<\/p>\n
In a Cydome research paper published this week, the company says turning off AIS can actually increase the risk of attack.<\/p>\n
The advisory follows a surge in reported AIS blackouts across the Persian Gulf, including the Strait of Hormuz, amid growing concern around so-called \u201czombie ships\u201d that appear to vanish from tracking systems.<\/p>\n
The reality is that these ships and their locations remain exposed in many cases and potentially vulnerable through other connected gateways.<\/p>\n
This research addresses a widening gap between traditional maritime security tactics and modern digital realities.<\/p>\n
Cydome\u2019s cyber research team says that relying on AIS deactivation without hardening satellite gateways, especially in high-tension corridors like the Strait of Hormuz, could leave a vessel \u201cblindly exposed\u201d.<\/p>\n
High-tension corridors like the Strait of Hormuz, could leave a vessel \u201cblindly exposed\u201d, says Nir Ayalon, Cydome CEO and co-founder, pictured right<\/p>\n
\u201cThe crew believes they are hidden, while threat actors can still track and target the ship via its VSAT signature. Failing to bridge this gap doesn\u2019t just risk a data breach; it could risk the physical safety of the crew, the integrity of the cargo, and much more.\u201d<\/p>\n
The Cydome security briefing points to AIS gaps lasting days as operators turn off transponders to protect their vessels and crews, but \u201cdeactivation does not cloak a vessel\u2019s position\u201d.<\/p>\n
Nir\u00a0 Ayalon, Cydome CEO and co-founder, said the technical challenge for today\u2019s fleet is that a vessel is never truly \u201coff the grid\u201d.<\/p>\n
\u201cWhile deactivating tracking is a recognised safety measure in high-risk zones, it does not silence the ship\u2019s broader digital footprint, which could also disclose its location. Risk reduction must be approached through the lens of digital hygiene, minimising the discoverability of these background systems to ensure the vessel\u2019s digital shadow does not provide a roadmap for adversaries.<\/p>\n
\u201cMany ship operators are not aware that the location remains publicly visible through the VSAT satellite communications devices which, unlike AIS, maintain continuous, internet-connected links between ship and shore.\u201d<\/p>\n
Cydome cyber experts were able to confirm that maritime VSAT infrastructure operating around the Hormuz Strait was extensively exposed, with management interfaces openly accessible from the internet, using default configurations, placing the ship\u2019s location at risk of discovery.<\/p>\n
\u201cWhen a crew disables AIS to avoid detection, the VSAT terminal keeps on transmitting. The ship is invisible to coastal AIS stations, but the location remains visible to anyone with the right tools and knowledge of what to look for. This is not a vulnerability, but an actual design feature. Unfortunately, many operators are not aware of such risks and leave the ships exposed,\u201d said Ayalon.<\/p>\n
The company recounts events in 2025 where the hacktivist group Lab Dookhtegan successfully disrupted the communications of 116 tankers linked to companies affiliated with Iran. VSAT exposure provided both the reconnaissance surface and the attack vector in that incident.\u00a0 A second wave of attacks confirmed the findings.<\/p>\n
An AI generated image of a ship transmitting location data though satellite communication systems<\/p>\n
The research highlights that an exposed VSAT interface is more than a tracking risk and can also serve as an entry point. As maritime communication hardware is often networked with onboard Operational Technology (OT), a threat at the satellite gateway could open a path for unauthorised access to the vessel\u2019s navigation, propulsion, and \u00a0power management controls, if the architecture is not segregated and secured.<\/p>\n
Rather than treating AIS deactivation as an isolated security measure, Cydome recommends ship operators assess the broader attack surface created by interconnected onboard systems and proactively assess the maritime-specific cyber risks.<\/p>\n
Alon Ayalon, Cydome\u2019s Vice President for R&D, said: \u201cOperators need to focus on risk exposure rather than visibility. The priority is to reduce the attack surface, not just the visibility of the vessel. That means auditing satellite communications for external exposure, enforcing authentication on all management interfaces, patching vulnerabilities, and eliminating insecure configurations.\u201d<\/p>\n
hellenicshippingnews…<\/p>\n