Web-based AIS fails hack security test, but navigation not threatened

A report that the automatic identification system (AIS) for ships is vulnerable to security breaches exaggerates the danger to the industry and fails to take into account details of how the system operates, according to maritime industry analysts.

At the Hack in the Box Security Conference in Malaysia in October 2013, researchers from the security software company Trend Micro demonstrated that hackers can manipulate Web data that includes ship information. Because of vulnerabilities in the public websites, hackers such as pirates can create fake ships and show the vessels anywhere in the world; change a ship’s name, speed and status; and create fake aids to navigation or modify existing ones.

AIS “is fundamentally broken and can be abused by attackers,” wrote Marco Balduzzi, a threat researcher with Trend Micro and main author of the report on AIS hacking.

However, manipulation of AIS data on these websites will not impact the safety or security of mariners, who should not be using Internet-based AIS systems, analysts say.

“I would suggest to the typical seaman and to the typical shore-based maritime operations, it is business as usual,” said Dean Rosenberg, chief executive of PortVision, a maritime technology company that provides AIS data to its customers. “Since AIS uses an unsecure protocol that is fully documented in the public domain, anyone who has the will (and a little electronics equipment) can do bad things. It is not news.”

In 2005, the International Maritime Organization (IMO) mandated the use of AIS for all passenger vessels and all commercial vessels exceeding 500 gross tons. The IMO required that ships provide information including their identity and position. The information is broadcast via a transponder on the vessel.

Since AIS is an open system, a worldwide business has sprung up that uses this public data to provide information to shipping and other companies. This is the main group impacted by false data created on the AIS websites. The rest of the maritime community should be using AIS in conjunction with other systems, including radar and electronic navigation.

“We never expected people to use (AIS) data to make navigation decisions,” said Jorge Arroyo, AIS subject matter chief for the U.S. Coast Guard.

However, Balduzzi said hackers could target a ship’s transponder to switch frequencies or delay a transmission. In this scenario, pirates could impersonate a maritime authority to disable the AIS system on a vessel, stopping the ship from broadcasting AIS data and keeping it from getting AIS signals from surrounding ships.

Balduzzi and his colleagues used a system called software-defined radio, which allows anyone to turn their laptop computer into a radio station that can attack and override signals from an AIS transponder. The equipment costs about $200.

But hacking into the actual AIS transponder is a challenge, Arroyo said. If an attacker did figure out a way to access it, he would need the specific software application to change the data fields in the device. That would be problematic because each transponder manufacturer uses its own proprietary operating system.

In addition, each AIS transponder can interrogate any other transponder. If that interrogation gets no response, the AIS transponder can send an address message asking the attacker who they are and what they are doing. If there is no response, the AIS transponder can then ask the attacker for an updated position every second, Arroyo said.

By Professional Mariner Staff