Inexpensive equipment can be used to disrupt vessel-tracking systems and important communications between ships and port authorities, according to two security researchers.
During the Hack in the Box conference in Amsterdam Thursday, Marco Balduzzi, a senior research scientist at Trend Micro, and independent security researcher Alessandro Pasta described three new attacks against the Automatic Identification System (AIS), which is used by over 400,000 ships worldwide.
AIS supplements information from marine radar systems and sends a ships’s identity, type, position, course, speed, navigational status and safety-related information to other ships, shore stations and aircraft. Port and coastal authorities also use the system to send important traffic information and other data back to the ships.
Balduzzi and Pasta warned last year that the lack of authentication and integrity-checking in the AIS communication protocol could allow pirates, terrorists or other attackers to create ghost vessels or spoof information received by the ships.
It’s also possible to disable AIS communications over a large region, Balduzzi said Thursday. An attacker could impersonate a port authority and tell all AIS systems—on ships, in shore stations, etc.—to stop transmission for a number of minutes, and then repeat the command when that interval passes in order to prolong the downtime, he said.
Balduzzi and Pasta experimented on land with a self-built AIS transmitter and power amplifier and achieved a signal range of 20 km, but at sea the range would be bigger because there are less obstacles. Using more power can also significantly boost the range.
The equipment used by the researchers cost US$600, but they said that an AIS transmitter could be built with cheaper components for under $100.
AIS communications can also be used as a channel to exploit vulnerabilities in the software running on the back-end systems that process and collect AIS data. For example, the researchers found an SQL injection vulnerability in a system used by ship captains to store weather forecasts received over AIS.
The vulnerability could be exploited to insert bogus weather information into the database or even delete the whole database, Balduzzi said.
The impact of using AIS to attack back-end systems depends on what those systems are designed to do and what kind of vulnerabilities they potentially have. If the system stores information about ship traffic in a harbor for example, inserting bad information into its database or deleting it can have serious consequences, the researcher explained.
A third attack presented Thursday involves the spoofing of Differential Global Positioning System (DGPS) information sent over AIS. DGPS data improves the accuracy of GPS-based localization from meters to centimeters.
A constant stream of spoofed DGPS data could make a ship deviate from its course, Balduzzi said. The result would be similar to that of a GPS spoofing attack demonstrated by researchers from the University of Texas at Austin last year, he said.
According to the International Maritime Organization (IMO), the United Nations agency responsible for the safety and security of shipping, the installation of AIS is required on all ships of 300 gross tonnage or more that are engaged on international voyages and for all passenger ships regardless of size.
The IMO did not immediately respond to a request for comment about the AIS attacks revealed Thursday at Hack in the Box.
According to Balduzzi and Pasta, AIS providers and maritime authorities generally acknowledged in the past that the lack of authentication and integrity checking in AIS is a problem, but said that captains are instructed to correlate information from multiple systems and not rely on AIS data alone.
“To me, if you have a system that’s supposed to enhance the previous systems, but is not secure and can report wrong information, then it’s useless,” Balduzzi said.
Completely fixing the problem would require redesigning the communication protocol to build in security, and then upgrading or replacing the AIS hardware installed on ships, in ports and ground stations. However, that’s not feasible in the short term, the researchers said. Using specialized software to detect anomalies in the AIS data can be a temporary solution, but won’t protect against all possible attacks like the denial-of-service ones, they said.