Threats at Sea: A Security Evaluation of AIS
Automatic Identification System (AIS) is a system used to enhance maritime safety by providing real-time information such as tracking and monitoring for ships. Since its inception in 2002, it has already been installed in 300,000 vessels across the globe to monitor marine traffic and avoid vessel collisions. The system has also been proven to be useful for accident investigation as well as search-and-rescue (SAR) operations.
This Trend Micro paper introduces AIS and its operations, and provides a general overview of how it works, as well as its benefits. This study also provides a unique angle in evaluating the security issues of these systems by introducing threats that affect both its online implementation and its protocol specifications. Over the course of the research, those that have been identified are categorized into three macrocategories: spoofing, hijacking, and availability disruption. Each threat has been pored over in detail to determine if it is software- or radio frequency (RF)-based or both.
Software- and RF-Based Threats
Ship spoofing is the process that involves the crafting of a valid but nonexistent vessel by assigning static information such as ship name, identifiers (MMSI and call sign), flag, ship type, manufacturer, and even dimensions like ship status, position, speed, course, and destination to the fictitious ship.
This kind of attack provides an array of malicious attack scenarios, like making it appear like a particular vessel is with the jurisdiction of an adversarial nation. Ship spoofing could cause issues for automated systems identifying data and making inferences based on collected information from AIS.
Other forms of attacks based both on software and radio frequency are discussed in the full report.
Software-Based AIS Threats
AIS installations on ships require software to provide data to online providers. While useful, there are also security issues with their implementations. The research looked into three popular online AIS providers and found security issues with all three in terms of how they vet sources and authenticate data. A deeper discussion on this can be seen in the full report.
RF-Based AIS Threats
- CPA spoofing: Closest point of approach (CPA) works by computing the minimal distance between two ships. Generally, CPA spoofing involves faking a possible collision with a target ship. This then triggers a CPA alert, which could eventually lead the target off-course prompting it to hit a rock, or run aground during low tide or shallow waters.
- AIS-SART spoofing: Aiding search-and-rescue operations is also part of the common functions of the AIS and SARTs help detect and locate vessels and people in distress. Radio-beacon systems similar to those used in mountaineering equipment are utilized to locate and rescue victims. AIS-SART spoofing takes place when an attacker, usually pirates, generates false distress beacons to lure victims into a trap that leads them to hostile and attacker-controlled sea spaces.
- Faking weather forecasts: Dynamic data to reflect a change in the condition of the weather is also communicated by the AIS. False updates on weather forecasts are sometimes communicated, like updating authorities of a coming sunny day when in reality, the opposite is to be expected.
Other forms of radio frequency-based attacks are carefully discussed in the evaluation conducted in the research.
Making full use of a software-based transmitter introduced by Trend Micro researchers, this study discovered and experimentally proved that both AIS’s implementation and the protocol specification are affected by several threats, opening keys to malicious actors to explore attack possibilities. Responsible disclosure notifications have been handed out to involved international organizations to improve overall security given the immense importance of AIS as cyber-physical system in the marine industry.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Exposed Container Registries: A Potential Vector for Supply-Chain Attacks
- LockBit, BlackCat, and Clop Prevail as Top RAAS Groups: Ransomware in 1H 2023
- Diving Deep Into Quantum Computing: Modern Cryptography
- Uncovering Silent Threats in Azure Machine Learning Service: Part 2
- The Linux Threat Landscape Report