Digital ship pirates: Researchers crack vessel tracking system
In the maritime business, Automated Identification Systems (AIS) are a big deal. They supplement information received by the marine radar system, are used for a wide variety of things – including ship-to-ship communication – and are relied upon each and every day. Unfortunately, the AIS can also be easily hacked in order to do some real damage, claims a group of researchers presenting at the Hack In The Box Conference currently taking place in Kuala Lumpur.
Dr. Marco Balduzzi during the presentation.
Automated Identification Systems (AIS) transceivers can currently be found on over 400,000 ships sailing the high seas, and it is estimated that by 2014, that number will reach a million. The installation is mandatory for all passenger ships and commercial (non-fishing) ships over 300 metric tonnes, and it tracks them automatically by electronically exchanging data with other ships, AIS base stations, and satellites.
AIS hasn’t replaced the marine radar system – it has been added to it to enhance marine traffic safety. The system was first mandated for some 100,000 vessels in 2002. In 2006, the AIS standards committee published the Class B type AIS transceiver specification, which enabled the creation of a lower cost AIS device and triggered widespread use.
The data exchanged includes everything that has to do with the position of the ship, the cargo it carries, information on nearby ships, etc. The system is used by ships to communicate with other ships, plot their course and follow it, avoid collisions with other ships, reefs and floating objects that could damage the vessel, and to aid accident investigation and search and rescue operations.
The information is also sent to upstream providers such as Maritimetraffic.com, Vesselfinder.com or Aishub.net, where anyone can check a specific vessel’s position and additional information about it.
The upstream data can be sent via email, TCP/UDP, commercial software, smartphone apps, and radio-frequency gateways, and takes the form of different types of messages (27 types in all). For example, message 18 delivers the position report (longitude, latitude, navigation status, and so on) and is sent every 30 seconds to 3 minutes depending on the speed of the ship, and message 24 provides the static report (type of ship, name, dimensions, cargo type, etc.) and is sent every 6 minutes.
Message type 8 is a binary broadcast message that can include any type of data, and type 22 is for channel management (only port authorities are allowed to use it). Type 14 is a safety-related broadcast message that alerts others to emergencies such as crew or passengers falling overboard.
But, as Dr. Marco Balduzzi and Kyle Wilhoit of Trend Micro and independent security researcher Alessandro Pasta showed, AIS is vulnerable both at the implementation and at the protocol level.
The researchers detailed a number of attack vectors, divided into software and radio frequency (RF) attacks. The root of all the problems is the same: there is no authentication and no integrity checking, so spoofed and specially crafted packets are accepted as valid.
The software attacks demonstrated to the packed conference hall included:
AIS spoofing
There are a number of online AIS services that track vessel positions and locations around the world – the aforementioned Marine Traffic, Vessel Finder and AIS Hub are just some of them. These services receive AIS data and use maps to plot global maritime traffic visually.
AIS services track vessels, but don’t do any checks on who is sending the AIS data. This data usually includes vessel identification, location details, course plotting and other data specific to the vessel in question. With this in mind, attackers can send specially crafted messages that mimic the location of an existing vessel, or even create a fake vessel and place it on its own virtual course. This can cause a bit of panic, especially because you can fake a whole fleet of, let’s say, warships sailing on course to an enemy country or showing up off its coast.
Ship hijacking
This variation of the spoofing attack on AIS downloads the data of an existing ship, changes some of the parameters and submits it to the AIS service. The result is the virtual placement of a vessel at a completely different position, or the plotting of a bizarre route that could include some “land sailing”.
Replay attacks
All of the packets above can be saved locally and replayed at any time. By using a script and a scheduling function on a local system, the attacker can replay spoofed messages in specific timeframes.
The scenarios above were just an introduction to what can be done once AIS has been reverse engineered and one knows how to modify the data and reuse it. The most interesting part of the research involves attacking vessels over RF. The researchers coded an AIS frame builder, a C module that encodes payloads, computes the CRC and does the bit operations. The output of the program is an AIS frame, which is then transferred from the digital into the radio frequency domain.
Alessandro Pasta demonstrating their setup.
The hacks were crafted and tested in a lab they built, consisting of GNU Radio, a transceiver service, bi- and omnidirectional antennas, an SDR (software defined radio), a power amplifier, a GPS antenna and a power LED (to mimic a real-life alert). The attacks include:
Man-in-the-water spoofing
Professional alpinists use avalanche safety beacons to alert rescuers after being buried by an avalanche. In the world of maritime safety, there are similar devices that send AIS packets as soon as someone falls into the water. This type of request can also be spoofed, which was shown through a Python script called AiS_TX.py, which is actually an AIS transmitter. Because of maritime laws and best practices, everyone must respond to this type of alert, so it is obvious how an attacker can wreak havoc this way.
Frequency hopping
This is a damaging attack that can cause serious issues for the safety of the targeted vessel. Every vessel is tuned to a range of frequencies on which it can interact with port authorities, as well as with other vessels. There is a specific set of instructions that only port authorities may issue which makes the vessel’s AIS transponder work on a specific frequency. The researchers showed that a malicious attacker can spoof this type of “command” and practically switch the target’s frequency to another one which will be blank. This will cause the vessel to stop transmitting and receiving messages on the right frequency, effectively making it “disappear” and unable to communicate (essentially a denial of service attack). If performed by, let’s say, Somali pirates, it can make the ship “vanish” for the maritime authorities as soon as it enters Somali waters, while remaining visible to the pirates who carried out the attack.
From our discussion with Balduzzi and Pasta after their talk, they said that this is a big problem, especially because this frequency cannot be manually changed by the captain of the vessel.
Fake CPA alerting
As the attackers can spoof any part of the transmission, they are able to create a fake CPA (closest point of approach) alert. In real life this means that they would place another vessel near an actual one and plot it on the same course. This will trigger a collision warning alert on the target vessel. In some cases this can even cause the vessel’s software to recalculate a course to avoid the collision, physically allowing an attacker to nudge a boat in a certain direction.
Arbitrary weather forecast
By using a type 8 binary broadcast message of the AIS application layer, the attackers can impersonate actual issuers of weather forecast such as the port authority and arbitrarily change the weather forecast delivered to ships.
Help Net Security’s Mirko Zorz during a discussion with Dr. Marco Balduzzi and Alessandro Pasta.
The researchers have been working on this for the last six months, and have banded together because of their respective expertise (Wilhoit on the software side, Pasta on electronics and telecommunication). They have performed other types of successful attacks, but haven’t had the chance to demonstrate them because there was no time.
“The attack surface is big. We can generate any kind of message. All the attacks we have shown here except the weather forecast attack have been successful,” they pointed out.
Countermeasures suggested by the researchers include the addition of authentication in order to ensure that the transmitter is the owner of the vessel, creating a way to check AIS messages for tampering, making it impossible to enact replay attacks by adding time checking, and adding a validity check for the data contained in the messages (e.g. geographical information).
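The last two countermeasures (time checking against replay, and validity checks on the geographical data) can be approximated on the receiving side even before the protocol itself changes. The following is an added example, not code from the researchers or from any AIS provider: a plausibility filter for an aggregator’s position feed that rejects reports with stale or non-increasing timestamps, and reports that would imply an impossible speed since the last accepted position for the same vessel. The feed fields (mmsi, lat, lon, ts), the 60-knot threshold and the sample feed are assumptions constructed for the example.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0
MPS_TO_KNOTS = 1.943844
MAX_PLAUSIBLE_SPEED_KN = 60.0  # assumption: well above any merchant vessel's speed
MAX_REPORT_AGE_S = 180         # page: position reports arrive every 30 s to 3 min

@dataclass
class PositionReport:
    mmsi: int    # vessel identifier as carried in the feed (assumed field)
    lat: float
    lon: float
    ts: int      # claimed report time, Unix seconds (assumed feed field)

def haversine_m(lat1, lon1, lat2, lon2):
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlam = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))  # great-circle distance, metres

class PositionValidator:
    """Accept a report only if it is fresh, newer than the last accepted one for the same MMSI and reachable at a plausible speed."""
    def __init__(self):
        self.last = {}  # mmsi -> last accepted PositionReport
    def check(self, r, now):
        problems = []
        if not (-90.0 <= r.lat <= 90.0 and -180.0 <= r.lon <= 180.0):
            problems.append("coordinates out of range")
        if now - r.ts > MAX_REPORT_AGE_S:
            problems.append("stale timestamp (possible replay)")
        prev = self.last.get(r.mmsi)
        if prev is not None:
            if r.ts <= prev.ts:
                problems.append("timestamp not increasing (possible replay)")
            else:
                kn = haversine_m(prev.lat, prev.lon, r.lat, r.lon) / (r.ts - prev.ts) * MPS_TO_KNOTS
                if kn > MAX_PLAUSIBLE_SPEED_KN:
                    problems.append(f"implausible speed {kn:.0f} kn (possible spoof)")
        if not problems:
            self.last[r.mmsi] = r  # only accepted reports advance the track
        return problems

SAMPLE_FEED = [  # constructed: a vessel off Port Klang, a replayed packet, a spoofed jump
    (PositionReport(123456789, 3.0000, 101.4000, 1000), 1000),
    (PositionReport(123456789, 3.0050, 101.4000, 1060), 1060),  # ~556 m in 60 s, ~18 kn
    (PositionReport(123456789, 3.0050, 101.4000, 1060), 1075),  # same packet again
    (PositionReport(123456789, 4.0000, 101.4000, 1120), 1120),  # ~110 km in 60 s
]
```

Each (report, receive-time) pair in SAMPLE_FEED is passed to check(); the first two are accepted, the replayed packet and the 110 km jump are rejected and do not move the stored track.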
The researchers have made sure that their experiments didn’t interfere with the existing systems. Most of them were performed in a lab environment, especially messages with safety implications.
Also, they have contacted the online providers and authorities and explained the issue. The former responded and said they would try to do something about it, and among the latter, only the ITU Radiocommunication Sector (ITU-R) – the developers of the AIS standard and the protocol specification – has responded by acknowledging the problem.
“Are they doing something about it, or did they just say thanks for letting us know?” we asked them.
“It’s a complex matter. This organisation is huge, and they often work within workgroups, so there are a lot of partners involved in the decision making. They cannot do it by themselves. They were grateful to us for pointing out the problem, for how can you do something about a problem if you don’t know there is one to begin with?” Balduzzi told us. “They did help our investigation by giving us links to more information about the protocols to do more research, and they encouraged us to continue in that direction.”
The International Association of Lighthouse Authorities (IALA), IMO (International Maritime Organization) and the US Coast Guard are yet to comment on the findings.
The researchers said that they don’t have much hope that their research will result in prompt changes.
“Perhaps the media attention will help,” said Balduzzi. “But judging by the response received by Hugo Teso, who last year presented his research on airplane hijacking by interfering with its communication systems, the issue will not be addressed or fixed soon, and we don’t expect to get a lot of feedback from the governing bodies.”
On the other hand, they point out that their attacks are much more feasible than Teso’s. “The difference between the airplane attacks and these ones is that the former are more difficult to perform, and therefore less likely to be performed by attackers in the wild.” Also, they managed to test some of these attacks outside of a lab, so they are confident they work against systems already online.
The good news is that similar attacks haven’t yet been spotted being performed by malicious individuals. But, according to Balduzzi, the danger is big and real.
“It’s actually possible to do it by investing very little. For our experiment, we bought an SDR radio, which costs some 500 euros, but it’s possible to do it by using a VHF radio that costs around 100 euros – a price that makes the technology accessible to almost anyone (including pirates). The threat is very real, and that’s why we talked upfront with the ITU,” they concluded.
Authors: Zeljka Zorz, Mirko Zorz, Berislav Kucan.