Leading maritime cyber solutions expert Cydome is advising shipmanagers with assets transiting high-risk waters that disabling a vessel’s Automatic Identification System (AIS) is creating a false sense of security, as the vessel’s location and position can remain electronically visible.

In a Cydome research paper published this week, the company says turning off AIS can actually increase the risk of attack.

The advisory follows a surge in reported AIS blackouts across the Persian Gulf, including the Strait of Hormuz, amid growing concern around so-called “zombie ships” that appear to vanish from tracking systems.

The reality is that these ships and their locations remain exposed in many cases and potentially vulnerable through other connected gateways.

This research addresses a widening gap between traditional maritime security tactics and modern digital realities.

Cydome’s cyber research team says that relying on AIS deactivation without hardening satellite gateways, especially in high-tension corridors like the Strait of Hormuz, could leave a vessel “blindly exposed”.

“The crew believes they are hidden, while threat actors can still track and target the ship via its VSAT signature. Failing to bridge this gap doesn’t just risk a data breach; it could risk the physical safety of the crew, the integrity of the cargo, and much more.”

The Cydome security briefing points to AIS gaps lasting days as operators turn off transponders to protect their vessels and crews, but “deactivation does not cloak a vessel’s position”.

Nir Ayalon, Cydome CEO and co-founder, said the technical challenge for today’s fleet is that a vessel is never truly “off the grid”.

“While deactivating tracking is a recognised safety measure in high-risk zones, it does not silence the ship’s broader digital footprint, which could also disclose its location. Risk reduction must be approached through the lens of digital hygiene, minimising the discoverability of these background systems to ensure the vessel’s digital shadow does not provide a roadmap for adversaries.

“Many ship operators are not aware that the location remains publicly visible through the VSAT satellite communications devices which, unlike AIS, maintain continuous, internet-connected links between ship and shore.”

Cydome cyber experts were able to confirm that maritime VSAT infrastructure operating around the Hormuz Strait was extensively exposed, with management interfaces openly accessible from the internet, using default configurations, placing the ship’s location at risk of discovery.

“When a crew disables AIS to avoid detection, the VSAT terminal keeps on transmitting. The ship is invisible to coastal AIS stations, but the location remains visible to anyone with the right tools and knowledge of what to look for. This is not a vulnerability, but an actual design feature. Unfortunately, many operators are not aware of such risks and leave the ships exposed,” said Ayalon.

The company recounts events in 2025 where the hacktivist group Lab Dookhtegan successfully disrupted the communications of 116 tankers linked to companies affiliated with Iran. VSAT exposure provided both the reconnaissance surface and the attack vector in that incident. A second wave of attacks confirmed the findings.

The research highlights that an exposed VSAT interface is more than a tracking risk and can also serve as an entry point. As maritime communication hardware is often networked with onboard Operational Technology (OT), a threat at the satellite gateway could open a path for unauthorised access to the vessel’s navigation, propulsion, and power management controls, if the architecture is not segregated and secured.

Rather than treating AIS deactivation as an isolated security measure, Cydome recommends ship operators assess the broader attack surface created by interconnected onboard systems and proactively evaluate the maritime-specific cyber risks.

Alon Ayalon, Cydome’s Vice President for R&D, said: “Operators need to focus on risk exposure rather than visibility. The priority is to reduce the attack surface, not just the visibility of the vessel. That means auditing satellite communications for external exposure, enforcing authentication on all management interfaces, patching vulnerabilities, and eliminating insecure configurations.”
Source: Cydome