Trend Micro researchers have discovered that flaws in the AIS vessel tracking system can allow attackers to hijack communications of existing vessels, create fake vessels, trigger false SOS or collision alerts and even permanently disable AIS tracking on any vessel.
Figure 1. 300 ton ships should not drive down the main street of a city

In our previous blog post, we gave a brief introduction to the Automatic Identification System (AIS), a mandatory vessel tracking system for all commercial (non-fishing) ships over 300 metric tons, as well as passenger ships (regardless of size and weight). AIS works by acquiring GPS coordinates and exchanging a vessel’s position, course and other information with nearby ships and offshore installations. It is currently installed in around 400,000 vessels.

As the world becomes more connected to the “Internet of Things”, Trend Micro’s Forward Looking Threat researchers continue to look into technologies that could be abused by attackers in the near future. Earlier today at the HITB security conference in Kuala Lumpur, two researchers from this team (Kyle Wilhoit and Dr. Marco Balduzzi), together with independent researcher Alessandro Pasta, presented a series of experiments showing that AIS is comprehensively vulnerable to a wide range of attacks that could easily be carried out by pirates, terrorists or other attackers. Trend Micro took care to carry out responsible disclosure to all of the major standards bodies involved in AIS, as well as to the major online providers of AIS tracking information.

The attacks can be divided into two parts. Firstly, we discovered that the main AIS Internet providers that collect AIS information and distribute it publicly have vulnerabilities that allow an attacker to tamper with valid AIS data and inject invalid AIS data, such as:
- Modification of all ship details such as position, course, cargo, flagged country, speed, name, MMSI (Maritime Mobile Service Identity), status, etc.
- Creation of fake vessels with all the same details, e.g. having an Iranian vessel with nuclear cargo show up off the coast of the US.
- Creation and modification of Aids to Navigation (AToN) entries, such as buoys and lighthouses. This leads to scenarios such as blocking the entrance to a harbor, causing a ship to wreck, etc.
- Creation and modification of search and rescue marine aircraft such as helicopters and light aircraft, e.g. having a stationary search and rescue coast guard helicopter "take off" and travel on a set course.
- Impersonation of marine authorities to permanently disable the AIS system on a vessel, both forcing the ship to stop communicating its position and stopping it from receiving AIS notifications from all nearby vessels (essentially a denial of service attack). This can also be tied to a geographical area, e.g. as soon as a ship enters Somali sea space it vanishes from AIS, while the pirates who carried out the attack can still see it.
- Faking a "man-in-the-water" distress beacon at any location, which will also trigger alarms on all vessels within approximately 50 km.
- Faking a CPA (Closest Point of Approach) alert and triggering a collision warning. In some cases this can even cause software on the vessel to recalculate a course to avoid the collision, allowing an attacker to physically nudge a boat in a certain direction.
- Sending false weather information to a vessel, e.g. approaching storms to route around.
- Causing all ships to send AIS traffic much more frequently than normal, resulting in a flooding attack on all vessels and marine authorities in range.
- Lack of Validity Checks. It is possible to send an AIS message from any location for a vessel at another location, e.g. you can send a message from a location near New York for a vessel that claims to be in the Gulf of Mexico, and it will be accepted without question. No geographical validity checks are carried out.
- Lack of Timing Checks. It is also possible to replay existing (valid) AIS information, because no timestamp information is included in the message, e.g. you can replicate the position of a vessel.
- Lack of Authentication. There is no authentication built into the AIS protocol. That means that anyone who can craft an AIS packet can impersonate any other vessel on the planet, and all receiving vessels will treat the message as fact.
- Lack of Integrity Checks. All AIS messages are sent in an unencrypted and unsigned form, making them trivial to intercept and modify.
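The validity and timing checks missing from the protocol can be partly compensated for on the receiving side. The following is an added example (not the researchers' tooling and not part of the original post) of plausibility checks run over decoded position reports: the receiver location, range and speed bounds, MMSIs and the sample feed are all constructed assumptions.

```python
from math import radians, sin, cos, asin, sqrt

# Assumed parameters (constructed for this example, not from the article).
RECEIVER = (40.70, -74.00)       # shore receiver near New York
MAX_VHF_RANGE_KM = 75.0          # generous upper bound for AIS VHF reception
MAX_SPEED_KN = 60.0              # faster than any surface vessel

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def check_reports(reports, receiver=RECEIVER):
    """Flag decoded AIS position reports that fail checks the protocol itself lacks.
    Each report is a dict: mmsi, rx_time (seconds, when the receiver heard it),
    lat, lon, sog (knots). Reports must be sorted by rx_time.
    Returns a list of (mmsi, rx_time, reason) tuples."""
    findings, last = [], {}
    for r in reports:
        # 1. Geographic validity: a message heard here cannot come from a distant vessel.
        if haversine_km(*receiver, r["lat"], r["lon"]) > MAX_VHF_RANGE_KM:
            findings.append((r["mmsi"], r["rx_time"], "out_of_range"))
        prev = last.get(r["mmsi"])
        if prev is not None:
            dt_h = (r["rx_time"] - prev["rx_time"]) / 3600.0
            dist_nm = haversine_km(prev["lat"], prev["lon"], r["lat"], r["lon"]) / 1.852
            # 2. Implied speed between consecutive reports (spoofed jump or injected track).
            if dt_h > 0 and dist_nm / dt_h > MAX_SPEED_KN:
                findings.append((r["mmsi"], r["rx_time"], "implausible_speed"))
            # 3. Timing: the same position heard again while claiming to be under way
            #    looks like a replayed message (AIS carries no timestamp to reject it with).
            if (r["lat"], r["lon"]) == (prev["lat"], prev["lon"]) and r["sog"] > 0:
                findings.append((r["mmsi"], r["rx_time"], "replayed_position"))
        last[r["mmsi"]] = r
    return findings

# Constructed sample feed; MMSIs are placeholders, not real vessels.
SAMPLE = [
    {"mmsi": "000000001", "rx_time": 0,   "lat": 40.60, "lon": -73.90, "sog": 10.0},
    {"mmsi": "000000002", "rx_time": 10,  "lat": 27.00, "lon": -90.00, "sog": 8.0},   # Gulf of Mexico
    {"mmsi": "000000003", "rx_time": 20,  "lat": 40.50, "lon": -73.60, "sog": 12.0},
    {"mmsi": "000000004", "rx_time": 30,  "lat": 40.65, "lon": -73.95, "sog": 12.0},
    {"mmsi": "000000003", "rx_time": 80,  "lat": 40.90, "lon": -73.50, "sog": 12.0},  # ~45 km in 60 s
    {"mmsi": "000000004", "rx_time": 330, "lat": 40.65, "lon": -73.95, "sog": 12.0},  # identical position
    {"mmsi": "000000001", "rx_time": 600, "lat": 40.62, "lon": -73.88, "sog": 10.0},
]

if __name__ == "__main__":
    for mmsi, rx_time, reason in check_reports(SAMPLE):
        print(f"{mmsi} at t={rx_time}s: {reason}")
```

These checks only raise the cost of the attacks described above; without authentication or signing in the protocol itself, a consistent fake track inside VHF range is still indistinguishable from a real one.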