Digital ship pirates: Researchers crack vessel tracking system
Posted on 16 October 2013.
In the maritime business, Automated Identification Systems (AIS) are a big deal. They supplement information received by the marine radar system, are used for a wide variety of things - including ship-to-ship communication - and are relied upon each and every day. Unfortunately, the AIS can also be easily hacked in order to do some real damage, claims a group of researchers presenting at the Hack In The Box Conference currently taking place in Kuala Lumpur.
Automated Identification Systems (AIS) transceivers can currently be found on over 400,000 ships sailing the high seas, and it is estimated that by 2014, that number will reach a million. The installation is mandatory for all passenger ships and commercial (non-fishing) ships over 300 metric tonnes, and it tracks them automatically by electronically exchanging data with other ships, AIS base stations, and satellites.
AIS hasn't replaced the marine radar system - it has been added to it to enhance marine traffic safety. The system was first mandated for some 100,000 vessels in 2002. In 2006, the AIS standards committee published the Class B type AIS transceiver specification, which enabled the creation of a lower cost AIS device and triggered widespread use.
The data exchanged includes everything that has to do with the position of the ship, the cargo it carries, information on nearby ships, etc. The system is used by ships to communicate with other ships, to plot their course and follow it, and to avoid collision with other ships, reefs and things floating nearby that could damage the vessels, as well as to aid in accident investigation and in search and rescue operations.
The information is also sent to upstream providers such as Maritimetraffic.com, Vesselfinder.com or Aishub.net, where anyone can check a specific vessel's position and additional information about it.
The upstream data can be sent via email, TCP / UDP, commercial software, smartphone apps, and radio-frequency gateways, and is carried in different types of messages (27 types in all). For example, message 18 delivers the position report (longitude, latitude, navigation status, and so on) and is sent every 30 seconds to 3 minutes depending on the speed of the ship, and message 24 provides the static report (type of ship, name, dimension, cargo type, etc.) and is sent every 6 minutes.
Message type 8 is a binary broadcast message that can include any type of data, and type 22 is for channel management (only port authorities are allowed to use it). Type 14 is a safety-related broadcast message (it alerts of emergencies such as crew or passengers falling overboard).
But, as Dr. Marco Balduzzi and Kyle Wilhoit of Trend Micro and independent security researcher Alessandro Pasta showed, AIS is vulnerable both at the implementation and at the protocol level.
The researchers detailed a couple of different attack vectors and divided the exploitation of threats into software and radio frequency (RF) attacks. The root of all problems is the same: there is no authentication and there are no integrity checks, so spoofed and specially crafted packets are accepted as apparently valid, which is a huge problem.
The software attacks demonstrated to the packed conference hall included:
AIS spoofing
There are a number of online AIS services that track vessel positions and locations around the world - the aforementioned Marine Traffic, Vessel Finder and AIS Hub are just some of them. These services receive AIS data and use maps to provide visual plotting that showcases global maritime traffic.
AIS services track vessels, but don't do any checks on who is sending AIS data. This data usually includes vessel identification, location details, course plotting and other data specific to the vessel in question. With this in mind, attackers can send specially crafted messages that mimic the location of an existing vessel, or even create a fake vessel and place it on its own virtual course. This can cause a bit of panic, especially because you can fake a whole fleet of, let's say, warships sailing on course to an enemy country or showing up off its coast.
Ship hijacking
This variation of the spoofing attack on AIS could be used to download the data of an existing ship, change some of the parameters and submit it to the AIS service. The result is the virtual placement of a vessel in a completely different position, or the plotting of a bizarre route that could include some "land sailing".
Replay attacks
All of the packets above can be saved and stored locally and then replayed at any time. By using the script and a scheduling function on a local system, the attacker can carefully replay spoofed messages in specific timeframes.
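Because the services accept reports without checking the sender, the receiving side can only look for data that cannot be true. The sketch below is an added example, not part of the researchers' work or of any AIS service's code: it flags position jumps that imply an impossible speed (the "land sailing" case) and payloads that reappear long after they were first seen (the replay case). The record layout, thresholds and sample reports are assumptions constructed for illustration.

```python
# Added example: plausibility and replay checks an AIS aggregation service
# could run on incoming reports. Record layout and thresholds are assumptions.
import hashlib
import math

MAX_SPEED_KNOTS = 60.0   # assumed ceiling for a surface vessel
REPLAY_WINDOW_S = 3600   # assumed: an identical payload after this is a replay

def distance_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance in nautical miles (haversine formula)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 3440.065 * math.asin(math.sqrt(a))

def review_reports(reports):
    """Return (index, mmsi, reason) for every report that fails a check."""
    last_fix = {}   # mmsi -> (ts, lat, lon) of the last accepted report
    seen = {}       # payload digest -> timestamp it was first seen
    alerts = []
    for i, r in enumerate(reports):
        digest = hashlib.sha256(r["payload"].encode()).hexdigest()
        first = seen.setdefault(digest, r["ts"])
        if r["ts"] - first > REPLAY_WINDOW_S:
            alerts.append((i, r["mmsi"], "replayed payload"))
            continue
        prev = last_fix.get(r["mmsi"])
        if prev:
            hours = max(r["ts"] - prev[0], 1) / 3600.0
            knots = distance_nm(prev[1], prev[2], r["lat"], r["lon"]) / hours
            if knots > MAX_SPEED_KNOTS:
                alerts.append((i, r["mmsi"], "implausible jump"))
                continue   # a suspect fix must not become the new baseline
        last_fix[r["mmsi"]] = (r["ts"], r["lat"], r["lon"])
    return alerts

# Constructed sample: one vessel, timestamps in seconds, placeholder payloads.
SAMPLE = [
    {"mmsi": 111111111, "ts": 0, "lat": 43.00, "lon": 9.00, "payload": "constructed-A"},
    {"mmsi": 111111111, "ts": 180, "lat": 43.01, "lon": 9.00, "payload": "constructed-B"},
    {"mmsi": 111111111, "ts": 360, "lat": 10.00, "lon": -150.00, "payload": "constructed-C"},
    {"mmsi": 111111111, "ts": 540, "lat": 43.02, "lon": 9.00, "payload": "constructed-D"},
    {"mmsi": 111111111, "ts": 7200, "lat": 43.00, "lon": 9.00, "payload": "constructed-A"},
]

if __name__ == "__main__":
    for alert in review_reports(SAMPLE):
        print(alert)
```

These checks only surface inconsistent data for review; they do not supply the authentication or integrity protection that the protocol lacks, and a moored vessel repeating an identical report would need an allowance in the replay rule.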
The scenarios mentioned above were just an introduction to what you can do once you have reverse engineered AIS and know how to modify the data and reuse it. The most interesting part of the research involves attacking vessels over RF. The researchers coded an AIS frame builder, a C module which encodes payloads, computes the CRC and does bit operations. The output of the program is an AIS frame, which is transferred from the digital into the radio frequency domain.
(...)