And "Spoof!", The Ship Was Gone
Researchers from Trend Micro have discovered a loophole that could allow hackers to manipulate a ship's Automatic Identification System (AIS). Using just laptops and cheap radio equipment, the researchers found that they were able to change the position of ships that currently existed, create ships out of thin air, and modify Aid to Navigation (AToN) entries such as buoys and lighthouses. Their research was presented last week at the Hack in the Box conference in Kuala Lumpur, Malaysia.
Hundreds of thousands of commercial and recreational ships, along with port authorities worldwide, use AIS to track and monitor the positions of ships. In 2004, the International Maritime Organisation (IMO) mandated that AIS transponders be installed on all vessels over 299 tonnes. Presently over 400,000 ships have the technology installed. An AIS transponder onboard allows the ship to send a radio signal with its location and other information, including ship type, for all other AIS systems to see. Along with other systems, private companies such as MarineTraffic.com have access to the data as part of an "open, community-based project".
Sites such as MarineTraffic.com were one area the researchers discovered security was low. "AIS is comprehensively vulnerable to a wide range of attacks that could easily be carried out by pirates, terrorists or other attackers," announced TrendMicro on their blog. "We discovered that the main AIS internet providers that collect AIS information and distribute them publicly have vulnerabilites that allow an attacker to tamper with and inject AIS data." However, speaking with ABC News, Demetris Memos, Managing Director of MarineTraffic.com said that this was of little concern and that the technology to send out AIS signals was inexpensive.
"This is not encrypted, this is open," he said. "Anyone with a device can broadcast their position and then they're a vessel."
Researchers Kyle Wilhoit and Marco Balduzzi from Trend Micro seem to disagree. They attempted to notify numerous maritime authorities regarding the issue but only one United Nations agency that deals with global communications responded back. "They seem to be on board with changing the protocol," said Wilhoit, "but it's one of those foundational problems that will take time to fix."
The AIS vulnerability comes only months after a similar vulnerabilty was found in GPS signals. In June, a team of researchers from the University of Texas, Austin were able to overpower an $80 million dollar super yacht's navigation system and redirect it to a course of their choice.