October 21, 2013
Widely-Used Ship Identification System Is Vulnerable To Hacking
redOrbit Staff & Wire Reports - Your Universe Online
AIS), which is used by an estimated 400,000 ships worldwide, according to Tom Simonite of MIT Technology Review. Vessels that use the system transmit radio signals relaying their location along with some other data, so that other captains and port authority personnel can follow each craft as it is displayed on a map updated in real time.
International Maritime Organization rules mandate that passenger vessels and cargo ships over 300 metric tons must use AIS, and other marine fixtures (including buoys and lighthouses) can also use the system to transmit their location, Simonite said. AIS does not require any sort of authentication or encryption mechanism, and it is that weakness that the researchers said could make it an easy target for cyber attacks.
“AIS is currently the best system for collision avoidance, maritime security, aids to navigation and accident investigations,” Marco Balduzzi, Senior Threat Researcher with Trend Micro’s Forward Looking Threat research division, explained in an October 13 blog entry. “Given its importance in marine safety, we conducted a comprehensive security evaluation of AIS, tackling it from a software, hardware, and radio frequency perspective.”
“Because the systems evidently lacked security controls,” Balduzzi and his colleagues “were able to waltz right in and cause trouble using cheap radio equipment,” said Gizmodo’s Adam Clark Estes. “They could make fake ships appear out of nowhere, real ships disappear inexplicably and create fake emergency alerts. In one case they made a real tugboat disappear from the Mississippi River and appear in a lake near Dallas.”
Using equipment that cost less than $1,000, the research team was even able to make it look as though one vessel had traversed a route that spelled out the word “pwned” (hacker slang for “owned”), according to BBC News. Furthermore, they told the British news agency that hackers would be able to send out fake distress calls, alerting ships that a passenger was overboard.
“The researchers showed that their spoof signals were faithfully reproduced on the maps provided by online services that monitor AIS data,” Simonite said. The researchers attempted to notify several international marine and communication authorities, but only received a response from the International Telecommunications Union, a United Nations agency that deals with global communications policy.
The Trend Micro experts said that the UN agency appears to be willing to make changes to the protocol. However, those changes will take time, and will almost certainly require the replacement of existing equipment – likely to be a costly endeavor. “The good news,” Estes noted, “is that the good guys got to this one first.”
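The tugboat case above, where a vessel appeared to jump from the Mississippi River to a lake near Dallas, can be flagged on the receiving side even though AIS gives no way to authenticate a sender. The following is an added example, not part of the original article or the researchers' work: a speed-plausibility filter over position reports. The 50-knot ceiling, the `PositionReport` type, and the sample MMSI and coordinates are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_NM = 3440.065   # mean Earth radius in nautical miles
MAX_SPEED_KN = 50.0          # assumed ceiling for a plausible surface vessel

@dataclass(frozen=True)
class PositionReport:
    mmsi: int     # vessel identifier carried in the AIS message
    t: float      # receive time, seconds since epoch
    lat: float    # degrees
    lon: float    # degrees

def distance_nm(a, b):
    """Great-circle (haversine) distance between two reports, in nautical miles."""
    dlat = radians(b.lat - a.lat)
    dlon = radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_NM * asin(sqrt(h))

def implausible_jumps(reports, max_speed_kn=MAX_SPEED_KN):
    """Return (previous, current, implied_knots) for each report whose implied
    speed from the same MMSI's last accepted position exceeds max_speed_kn.
    A flagged report does not replace the last accepted position, so a run of
    spoofed reports is measured against the last plausible track point."""
    last = {}
    flagged = []
    for r in sorted(reports, key=lambda r: r.t):
        prev = last.get(r.mmsi)
        if prev is not None:
            hours = (r.t - prev.t) / 3600.0
            dist = distance_nm(prev, r)
            # Same timestamp but a different position is itself implausible.
            knots = dist / hours if hours > 0 else float("inf") if dist > 0 else 0.0
            if knots > max_speed_kn:
                flagged.append((prev, r, knots))
                continue
        last[r.mmsi] = r
    return flagged

# Constructed sample track (MMSI and coordinates are made up for illustration).
SAMPLE = [
    PositionReport(366999001, 0, 30.000, -90.500),    # on a river
    PositionReport(366999001, 60, 30.002, -90.503),   # normal progress
    PositionReport(366999001, 120, 32.850, -96.500),  # sudden jump far inland
    PositionReport(366999001, 180, 30.004, -90.506),  # original track continues
]
```

A filter like this only catches reports that contradict a vessel's own recent track; a spoofed ship with no history, or one moved in small steps, passes it.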