Cydome is warning ship managers that disabling a vessel’s Automatic Identification System (AIS) while transiting high-risk waters such as the Strait of Hormuz may provide a false sense of security, because a ship’s position can remain electronically visible via other systems.
In a research paper published this week, the maritime cybersecurity company said turning off AIS can increase the risk of attack if satellite communications and other connected gateways are not secured. The advisory follows what it described as a surge in reported AIS blackouts across the Persian Gulf, including the Strait of Hormuz, amid concern about “zombie ships” that appear to vanish from tracking systems.
Cydome said that while AIS deactivation can remove a vessel from coastal AIS tracking, ships may still be discoverable through Very Small Aperture Terminal (VSAT) satellite communications systems that maintain continuous internet-connected links between ship and shore.
“The crew believes they are hidden, while threat actors can still track and target the ship via its VSAT signature. Failing to bridge this gap doesn’t just risk a data breach; it could risk the physical safety of the crew, the integrity of the cargo, and much more.”
Nir Ayalon, Cydome CEO and co-founder, said a vessel is never truly “off the grid”. “While deactivating tracking is a recognised safety measure in high-risk zones, it does not silence the ship’s broader digital footprint, which could also disclose its location. Risk reduction must be approached through the lens of digital hygiene, minimising the discoverability of these background systems to ensure the vessel’s digital shadow does not provide a roadmap for adversaries.
“Many ship operators are not aware that the location remains publicly visible through the VSAT satellite communications devices which, unlike AIS, maintain continuous, internet-connected links between ship and shore.”
The company said its researchers confirmed that maritime VSAT infrastructure operating around the Hormuz Strait was “extensively exposed”, including management interfaces accessible from the internet using default configurations.
“When a crew disables AIS to avoid detection, the VSAT terminal keeps on transmitting. The ship is invisible to coastal AIS stations, but the location remains visible to anyone with the right tools and knowledge of what to look for. This is not a vulnerability, but an actual design feature. Unfortunately, many operators are not aware of such risks and leave the ships exposed,” said Ayalon.
Cydome also pointed to events in 2025 involving hacktivist group Lab Dookhtegan, which it said disrupted the communications of 116 tankers linked to companies affiliated with Iran, alleging VSAT exposure provided both the reconnaissance surface and the attack vector.
The research note also argued that exposed VSAT interfaces can be more than a tracking risk, warning they may serve as an entry point into onboard networks. Cydome said that because maritime communications hardware is often networked with operational technology (OT), a compromise at the satellite gateway could open a path to systems supporting navigation, propulsion and power management if networks are not segregated and secured.
Cydome said that rather than treating AIS deactivation as an isolated measure, ship operators should assess the broader cyber exposure created by interconnected onboard systems.
Alon Ayalon, Cydome’s vice president for R&D, said: “Operators need to focus on risk exposure rather than visibility. The priority is to reduce the attack surface, not just the visibility of the vessel. That means auditing satellite communications for external exposure, enforcing authentication on all management interfaces, patching vulnerabilities, and eliminating insecure configurations.”
The Cydome security alert is available at https://cydome.io/disabling-ais-wont-hide-your-vessel/
