Monday 28 October 2013

Automatic Identification System (AIS) Hacking and Ramifications for Cruising Sailors

It has been known for some time now that AIS can be hacked, and that 'ghost ships' can be added to or removed from a given quadrant of ocean. This would be most disconcerting to cruising sailors, who would no longer know whether they could rely on the data showing on their onboard AIS screen.

Here is a summary of how the 'attackers' could operate and broadcast misleading information:
Never say never to hackers as they have proven that pretty much anything can be hacked, especially when protocols are designed without any thought to security. This time, security researchers placed the Automatic Identification System (AIS) in the crosshairs and showed that this mandatory tracking system for about 400,000 ships is “comprehensively vulnerable to a wide range of attacks that could be easily carried out by pirates, terrorists or other attackers.”

At the Hack in the Box conference in Malaysia, Trend Micro’s Marco Balduzzi, Kyle Wilhoit and independent researcher Alessandro Pasta presented “Hey Captain! Where’s your Ship? Attacking Vessel Tracking Systems for Fun and Profit” [pdf]. They explained “how we have been able to hijack and perform man-in-the-middle attacks on existing vessels, take over AIS communications, tamper with the major online tracking providers and eventually fake our own yacht.” In fact, Balduzzi believes the attacks on shipping vessels are “much more feasible” than remotely attacking and hijacking an aircraft. He said, “The difference between the aircraft attacks and these is that the former are more difficult to perform, and therefore less likely to be performed by attackers in the wild.”
The AIS protocol “was designed with seemingly zero security considerations,” but is a mandatory tracking system “for all passenger ships and commercial (non-fishing) ships over 300 metric tons.” By 2014, it is estimated that AIS will be on one million ships.

The team of security researchers divided the attacks into two categories: the first exploits vulnerabilities in AIS Internet provider systems, and the second exploits flaws in the AIS protocol itself.

Attacking online AIS services. Although AIS Internet providers collect AIS information and distribute it publicly, the Trend Micro blog explained that attackers can modify “all ship details, such as position, course, cargo, flagged country, speed, name, MMSI (Mobile Maritime Service Identity) status etc.”

Attackers can “create and modify search and rescue marine aircraft such as helicopters, and light aircraft e.g. having a stationary search and rescue coast guard helicopter ‘take off’ and travel on a set course.” Additionally, attackers can create or modify “Aid to Navigations (AToN) entries, such as buoys and lighthouses. This leads to scenarios such as blocking the entrance to a harbor, causing a ship to wreck, etc.”

They also created a ghost ship, not the kind with ghouls intent on killing passengers, but a fake kind of shipping vessel in an attack that is similar to injecting ghost airplanes into radar. A pirate or terrorist attacker could tamper with data from an AIS service provider’s system to change the type of ship or the cargo it is carrying. Balduzzi and Wilhoit chose a real ship, the 60 meter-long Eleanor Gordon, that was physically located in the Mississippi River in southern Missouri, but made it appear as if the ship was on a lake in Dallas. For a scarier example, an attacker could create a fake ship that had all the same details of a real vessel and make it appear like an Iranian ship full of nuclear cargo was sitting off the coast of the US.

The second type of attack targets “flaws in the actual specification of the AIS protocol used by hardware transceivers in all mandatory vessels” and ranged from spoofing to denial of service attacks.

You know about man-in-the-middle attacks, hopefully, but they developed an attack called man-in-the-water spoofing. If a person falls overboard, there are safety beacon devices that send AIS packets, distress signals, to all ships nearby for rescue purposes; but the researchers were able to send a fake ‘man-in-the-water’ distress beacon to any location that would “trigger alarms on all vessels within approximately 50 km.”

Other fake alerts an attacker could pull off include sending false weather warnings so ships would route around the supposed approaching storm. They also sent a fake CPA (Closest Point of Approach) alert and triggered a collision warning alert. “In some cases this can even cause software on the vessel to recalculate a course to avoid collision, allowing an attacker to physically nudge a boat in a certain direction.”

In a denial of service-flavored attack, the researchers impersonated marine authorities “to permanently disable the AIS system on a vessel, both forcing the ship to stop communicating its position, and stop getting AIS notifications from all nearby vessels. This can also be tagged to a geographical area e.g. as soon as ship enters Somalia sea space it vanishes off AIS, but the pirates who carried out the attack can still see it.”

The AIS protocol lacks a geographical validity check, meaning the location message is “accepted without question.” The lack of timestamps on valid and existing AIS information opens the way to replay attacks. There is no authentication built into the AIS protocol, so an attacker “can craft AIS packets that impersonate any other vessel on the planet, and all receiving vessels will treat the message as fact.” Lastly, the researchers said an attacker can easily intercept and modify all AIS messages, since they are sent in an unencrypted and unsigned form.

Okay, but could these attacks really happen in the real world? You betcha, since the researchers said that after attackers conquer the “learning curve with the protocols, uses and implementations of AIS,” the “necessary equipment can be purchased for between $100 and $300, depending on the attack.”

However, on the other side of the argument, the Lloyd's List Intelligence team has this to say:

Lloyd's List Intelligence's Ian Trowbridge said that in addition to the vulnerable technology - known as the Automatic Identification System (AIS) - other measures could be used to identify marine activity.
"The spoofing would immediately be identified by [Lloyd's List Intelligence] as a warp vessel," he said, "providing unexplained position reports outside of the vessel's speed/distance capability and thus subject to further investigation and validation."

The AIS system is used to track the whereabouts of ships travelling across the world's oceans.
For ships over a certain size, having AIS fitted is mandatory under international maritime law.
It is designed to transmit data about a ship's position, as well as other relevant information, so that movements can be seen by other boats as well as relevant authorities on shore.
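
The "warp vessel" check that Lloyd's List Intelligence describes above (position reports outside a vessel's speed/distance capability) can be expressed in a few lines. This is an added example, not code from the original post or from Lloyd's List; the function names, the 40-knot threshold and the sample reports are assumptions constructed for illustration. It also rejects out-of-range coordinates, a basic form of the geographical validity check the researchers say the protocol lacks.

```python
import math

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles

def distance_nm(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two positions."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))

def find_warp_reports(reports, max_knots=40.0):
    """reports: (mmsi, receive_time_s, lat, lon) tuples, timestamped by the receiver.
    Returns (mmsi, receive_time_s, reason, implied_knots) for each suspect report."""
    findings, last_good = [], {}
    for mmsi, ts, lat, lon in sorted(reports, key=lambda r: (r[0], r[1])):
        if not (-90 <= lat <= 90 and -180 <= lon <= 180):
            findings.append((mmsi, ts, "invalid-position", None))
            continue
        prev = last_good.get(mmsi)
        if prev is not None:
            hours = (ts - prev[0]) / 3600.0
            dist = distance_nm(prev[1], prev[2], lat, lon)
            # Same-instant reports from two places are treated as infinitely fast.
            knots = dist / hours if hours > 0 else (math.inf if dist > 0.1 else 0.0)
            if knots > max_knots:
                findings.append((mmsi, ts, "warp", round(knots, 1)))
                continue  # keep the last plausible fix as the baseline
        last_good[mmsi] = (ts, lat, lon)
    return findings

# Constructed sample data: MMSIs, times and coordinates are made up.
SAMPLE_REPORTS = [
    (999000001, 0,    36.600, -89.530),   # river position
    (999000001, 600,  36.620, -89.530),   # ~1.2 nm later: plausible
    (999000001, 1200, 32.830, -96.720),   # hundreds of nm away 10 min later
    (999000001, 1800, 36.640, -89.530),   # track resumes on the river
    (999000002, 0,    51.000,   1.500),
    (999000002, 600,  51.020,   1.500),
    (999000002, 1200, 91.000, 181.000),   # out-of-range coordinates
]

if __name__ == "__main__":
    for finding in find_warp_reports(SAMPLE_REPORTS):
        print(finding)
```

Because a flagged report does not replace the last plausible fix, a single spoofed position does not cause the vessel's genuine track to be flagged when it resumes.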

One other use is to alert nearby ships when a man or woman is overboard - an alert that can easily be spoofed, says Trend Micro's Rik Ferguson.
"It boils down to the fact that the protocol was never designed with security in mind," he told the BBC.

"There's no validity checking of what's being put up there."
Using equipment bought for 700 euros (£600), the researchers were able to intercept signals and make vessels appear on the tracking system, even though they did not exist.
In one example, the team was able to make it look as if a ship's route had spelled out the word "pwned" - hacker slang for "owned".
The information broadcast by AIS is public - but when the system was first put in use, in the early 1990s, the technology required to receive the information was prohibitively expensive for those not directly involved in the industry. But now, a typical internet connection can be used to see the locations of boats, as well as an indicator of what type of cargo they may be carrying.

There has been speculation that Somali pirates have been making use of the system.
"It has long been thought that the pirates are basically using AIS as a shopping list," Mr Ferguson said, "seeing what's coming into local waters, and what cargo it may have."


However, Lloyd's List Intelligence noted that captains are permitted to disable AIS if they feel their crew could be endangered by it.

Whilst the cruising sailor probably does not have much cause for concern, we are all aware that a number of smaller vessels, including yachts, have been taken by the pirates, so it is vital that the data supplied is accurate if and when recreational vessels venture into these areas.

You can read much more about the cruising sailor's lifestyle in my book 'Sailing Adventures in Paradise', downloadable from my website http://www.sailboat2adventure.com/


2 comments:

Nicole Pereira said...

Here are some good thoughts in reply to all the Buzz about AIS Hacking

http://www.portvision.com/news---events/press-releases---news/bid/343898/AIS-Hacking-Buzz-Hype-and-Facts

Armstrong said...

Great
