Monday 28 October 2013

Automatic Identification System (AIS) Hacking and Ramifications for Cruising Sailors

It has been known for some time now that AIS can be hacked and 'ghost ships' added to or removed from a given quadrant of ocean. This is most disconcerting for any cruising sailor, who can no longer know whether to rely on the data showing up on the onboard AIS screen.

Here is a summary of how the 'attackers' could operate and broadcast misleading information:
Never say never to hackers, as they have proven that pretty much anything can be hacked, especially when protocols are designed without any thought to security. This time, security researchers placed the Automatic Identification System (AIS) in the crosshairs and showed that this mandatory tracking system for about 400,000 ships is “comprehensively vulnerable to a wide range of attacks that could be easily carried out by pirates, terrorists or other attackers.”

At the Hack in the Box conference in Malaysia, Trend Micro’s Marco Balduzzi, Kyle Wilhoit and independent researcher Alessandro Pasta presented “Hey Captain! Where’s your Ship? Attacking Vessel Tracking Systems for Fun and Profit” [pdf]. They explained “how we have been able to hijack and perform man-in-the-middle attacks on existing vessels, take over AIS communications, tamper with the major online tracking providers and eventually fake our own yacht.” In fact, Balduzzi believes the attacks on shipping vessels are “much more feasible” than remotely attacking and hijacking an aircraft. He said, “The difference between the aircraft attacks and these is that the former are more difficult to perform, and therefore less likely to be performed by attackers in the wild.”
[Image: AIS attacker sequence]
The AIS protocol “was designed with seemingly zero security considerations,” but is a mandatory tracking system “for all passenger ships and commercial (non-fishing) ships over 300 metric tons.” By 2014, it is estimated that AIS will be on one million ships.

The team of security researchers divided the attacks into two categories: the first exploits vulnerabilities in AIS Internet provider systems and the second exploits flaws in the AIS protocol itself.

Attacking online AIS services. AIS Internet providers collect AIS information and distribute it publicly, and the Trend Micro blog explained that attackers can modify “all ship details, such as position, course, cargo, flagged country, speed, name, MMSI (Mobile Maritime Service Identity) status etc.”

Attackers can “create and modify search and rescue marine aircraft such as helicopters, and light aircraft e.g. having a stationary search and rescue coast guard helicopter ‘take off’ and travel on a set course.” Additionally, attackers can create or modify “Aid to Navigations (AToN) entries, such as buoys and lighthouses. This leads to scenarios such as blocking the entrance to a harbor, causing a ship to wreck, etc.”

They also created a ghost ship, not the kind with ghouls intent on killing passengers, but a fake kind of shipping vessel in an attack that is similar to injecting ghost airplanes into radar. A pirate or terrorist attacker could tamper with data from an AIS service provider’s system to change the type of ship or the cargo it is carrying. Balduzzi and Wilhoit chose a real ship, the 60 meter-long Eleanor Gordon, that was physically located in the Mississippi River in southern Missouri, but made it appear as if the ship was on a lake in Dallas. For a scarier example, an attacker could create a fake ship that had all the same details of a real vessel and make it appear like an Iranian ship full of nuclear cargo was sitting off the coast of the US.

The second type of attack targets “flaws in the actual specification of the AIS protocol used by hardware transceivers in all mandatory vessels” and ranged from spoofing to denial of service attacks.

You know about man-in-the-middle attacks, hopefully, but they developed an attack called man-in-the-water spoofing. If a person falls overboard, there are safety beacon devices that send AIS packets, distress signals, to all ships nearby for rescue purposes; but the researchers were able to send a fake ‘man-in-the-water’ distress beacon to any location that would “trigger alarms on all vessels within approximately 50 km.”

Other fake alerts an attacker could pull off include sending false weather warnings so ships would route around the supposed approaching storm. They also sent a fake CPA (Closest Point of Approach) alert and triggered a collision warning alert. “In some cases this can even cause software on the vessel to recalculate a course to avoid collision, allowing an attacker to physically nudge a boat in a certain direction.”

In a denial of service-flavored attack, the researchers impersonated marine authorities “to permanently disable the AIS system on a vessel, both forcing the ship to stop communicating its position, and stop getting AIS notifications from all nearby vessels. This can also be tagged to a geographical area e.g. as soon as ship enters Somalia sea space it vanishes off AIS, but the pirates who carried out the attack can still see it.”

The AIS protocol lacks a geographical validity check, meaning the location message is “accepted without question.” The lack of timestamps on valid and existing AIS information opens the way to replay attacks. There is no authentication built into the AIS protocol, so an attacker “can craft AIS packets that impersonate any other vessel on the planet, and all receiving vessels will treat the message as fact.” Lastly, the researchers said an attacker can easily intercept and modify all AIS messages, since they are sent in an unencrypted and unsigned form.

Okay, but could these attacks really happen in the real world? You betcha, since the researchers said that after attackers conquer the “learning curve with the protocols, uses and implementations of AIS,” the “necessary equipment can be purchased for between $100 and $300, depending on the attack.”

However, on the other side of the argument, the Lloyd's List Intelligence team has this to say:

Lloyd's List Intelligence's Ian Trowbridge said that in addition to the vulnerable technology - known as the Automatic Identification System (AIS) - other measures could be used to identify marine activity.
"The spoofing would immediately be identified by [Lloyd's List Intelligence] as a warp vessel," he said, "providing unexplained position reports outside of the vessel's speed/distance capability and thus subject to further investigation and validation."
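The "warp vessel" check described in the quote above (and the geographical validity check the protocol itself lacks) can be sketched as follows. This is an added example, not Lloyd's List Intelligence's method or code from the original post; the 102-knot threshold, the `Report` structure, the MMSIs and the coordinates are all assumptions constructed for illustration.

```python
import math
from collections import namedtuple

# Assumed threshold: 102 knots is the top of the AIS speed-over-ground field.
MAX_KNOTS = 102.0
EARTH_RADIUS_NM = 3440.065

# mmsi: claimed (unauthenticated) identity; t: receiver's own clock in seconds,
# because AIS position reports carry only the UTC seconds field.
Report = namedtuple("Report", "mmsi t lat lon")

def distance_nm(a, b):
    """Great-circle (haversine) distance in nautical miles."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlon = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(h))

def find_warps(reports, max_knots=MAX_KNOTS):
    """Return (previous, current, implied_knots) for every implausible jump."""
    trusted, flagged = {}, []
    for r in sorted(reports, key=lambda x: x.t):
        if not (-90 <= r.lat <= 90 and -180 <= r.lon <= 180):
            continue  # skip the 'position not available' values (lat 91, lon 181)
        prev = trusted.get(r.mmsi)
        if prev is not None:
            dist, hours = distance_nm(prev, r), (r.t - prev.t) / 3600
            knots = dist / hours if hours > 0 else (math.inf if dist > 0 else 0.0)
            if knots > max_knots:
                flagged.append((prev, r, knots))
                continue  # keep the last plausible fix as the baseline
        trusted[r.mmsi] = r
    return flagged

# Constructed sample data: placeholder MMSIs, approximate coordinates.
SAMPLE = [
    Report(999000001, 0, 36.60, -89.53),     # river in southern Missouri
    Report(999000001, 600, 36.62, -89.52),
    Report(999000001, 1200, 32.83, -96.72),  # suddenly on a lake in Dallas
    Report(999000001, 1800, 36.64, -89.51),
    Report(999000002, 0, 36.00, -5.60),
    Report(999000002, 600, 36.00, -5.55),    # about 15 knots, plausible
]

if __name__ == "__main__":
    for prev, cur, knots in find_warps(SAMPLE):
        print(f"MMSI {cur.mmsi}: jump to ({cur.lat}, {cur.lon}) implies {knots:.0f} kn")
```

A check like this catches position jumps only; a spoofed track that moves at a believable speed passes it, which is why the quote speaks of further investigation and validation.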

The AIS system is used to track the whereabouts of ships travelling across the world's oceans.
For ships over a certain size, having AIS fitted is mandatory under international maritime law.
It is designed to transmit data about a ship's position, as well as other relevant information, so that movements can be seen by other boats as well as relevant authorities on shore.

One other use is to alert nearby ships when a man or woman is overboard - an alert that can easily be spoofed, says Trend Micro's Rik Ferguson.
"It boils down to the fact that the protocol was never designed with security in mind," he told the BBC.

"There's no validity checking of what's being put up there."
Using equipment bought for 700 euros (£600), the researchers were able to intercept signals and make vessels appear on the tracking system, even though they did not exist.
In one example, the team was able to make it look as if a ship's route had spelled out the word "pwned" - hacker slang for "owned".
[Image: AIS screen showing pwned attack data]
The information broadcast by AIS is public - but when the system was first put in use, in the early 1990s, the technology required to receive the information was prohibitively expensive for those not directly involved in the industry. But now, a typical internet connection can be used to see the locations of boats, as well as an indicator of what type of cargo they may be carrying.

There has been speculation that Somali pirates have been making use of the system.
"It has long been thought that the pirates are basically using AIS as a shopping list," Mr Ferguson said, "seeing what's coming into local waters, and what cargo it may have."

However, Lloyd's List Intelligence noted that captains are permitted to disable AIS if they feel their crew could be endangered by it.

Whilst the cruising sailor probably has little need for concern, we are all aware that a number of smaller vessels, including yachts, have been taken by the pirates, so it is vital that the data supplied is accurate if and when recreational vessels venture into these areas.

You can read much more about the cruising sailor's lifestyle in my book 'Sailing Adventures in Paradise', downloadable from my website.

Friday 18 October 2013

Automatic Identification System (AIS) Update for Cruising Sailors and Yachtsmen

To all our readers, my apologies for the layout and quality problems of this post. There is currently a glitch in the Blogger software which affects some blogs and not others. Google are working on the problem so hopefully they will have a fix shortly. Meanwhile, here goes for this issue of sailboat2adventure blog.

AIS (Automatic Identification System) is raising its head again. We have discussed previously in several posts the benefits of this system and the value of it for recreational sailors to have it installed in their vessels. Technology moves ahead at such a rapid rate nowadays that you only have to turn around and Boom! The up-to-the-minute equipment you bought yesterday has already been superseded by a model that is not only more advanced or integrated, but also possibly somewhat cheaper!
[Image: Vesper Marine XB AIS transponder]
We have conjectured in the past that AIS would be integrated into chart plotters, and it already has been. Then we had the arrival of AIS apps for smartphones, and we have looked at those also. Now we have a New Zealand company, Vesper, manufacturing and marketing very user-friendly AIS transponders which appear to be sweeping the market for installations in recreational craft, especially sailing vessels. You can take a look at their range on their website.

[Image: Vesper Marine Watch Mate AIS transponder]
The debate currently raging is whether to have AIS integrated into the chart plotter or to have a dedicated stand-alone installation. As in all things, everyone has differing opinions, and here are a few postings you can view on Cruisers Forum:

Read with interest and make your decisions based on your requirements for your vessel.

As a refresher have a look at this extract from Wikipedia showing the wealth of data that AIS can deliver to the cruising sailor:

Broadcast information 
An AIS transceiver sends the following data every 2 to 10 seconds depending on a vessel's speed while underway, and every 3 minutes while a vessel is at anchor:
  • The vessel's Maritime Mobile Service Identity (MMSI) – a unique nine digit identification number.
  • Navigation status – "at anchor", "under way using engine(s)", "not under command", etc.
  • Rate of turn – right or left, from 0 to 720 degrees per minute
  • Speed over ground – 0.1-knot (0.19 km/h) resolution from 0 to 102 knots (189 km/h)
  • Positional accuracy:
    • Longitude – to 0.0001 minutes
    • Latitude – to 0.0001 minutes
  • Course over ground – relative to true north to 0.1°
  • True heading – 0 to 359 degrees (for example from a gyro compass)
  • True bearing at own position – 0 to 359 degrees
  • UTC Seconds – The seconds field of the UTC time when these data were generated. A complete timestamp is not present.
In addition, the following data are broadcast every 6 minutes:
  • IMO ship identification number – a seven digit number that remains unchanged upon transfer of the ship's registration to another country
  • Radio call sign – international radio call sign, up to seven characters, assigned to the vessel by its country of registry
  • Name – 20 characters to represent the name of the vessel
  • Type of ship/cargo
  • Dimensions of ship – to nearest meter
  • Location of positioning system's (e.g., GPS) antenna on board the vessel - in meters aft of bow and meters port of starboard
  • Type of positioning system – such as GPS, DGPS or LORAN-C.
  • Draught of ship – 0.1 meter to 25.5 meters
  • Destination – max. 20 characters
  • ETA (estimated time of arrival) at destination – UTC month/date hour:minute
  • Optional: high-precision time request; a vessel can request that other vessels provide a high-precision UTC time and datestamp
In light of all this valuable information delivered to you on your screen, it is difficult to mount an argument against installing AIS in your boat.
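The position report fields listed above, decoded from a raw AIS payload, as an added example that is not part of the original post or the Wikipedia extract. The bit offsets come from the AIS message specification rather than from this page, and the payload is a constructed sample with a placeholder MMSI; note that the only time field is the 6-bit UTC second and that no field authenticates the sender.

```python
# Constructed sample payload (six-bit armoured, as carried in an AIVDM
# sentence); MMSI 999999999 is a placeholder, not a real vessel.
SAMPLE_PAYLOAD = "1>qc9wm000G?tO`K>RA1wUbN0TKH"

def sixbit(payload):
    """Undo the AIVDM payload armouring: every character carries six bits."""
    bits = []
    for ch in payload:
        o = ord(ch)
        if not (48 <= o <= 87 or 96 <= o <= 119):
            raise ValueError(f"invalid payload character {ch!r}")
        v = o - 48
        bits.append(format(v - 8 if v > 40 else v, "06b"))
    return "".join(bits)

def field(bits, start, length, signed=False):
    """Read one big-endian bit field, optionally as two's complement."""
    value = int(bits[start:start + length], 2)
    if signed and bits[start] == "1":
        value -= 1 << length
    return value

def decode_position_report(payload):
    """Decode a Class A position report (message types 1 to 3, 168 bits)."""
    bits = sixbit(payload)
    if len(bits) < 168 or field(bits, 0, 6) not in (1, 2, 3):
        raise ValueError("not a 168-bit position report")
    return {
        "mmsi": field(bits, 8, 30),               # claimed identity only
        "nav_status": field(bits, 38, 4),         # 5 = moored
        "sog_knots": field(bits, 50, 10) / 10,
        "lon": field(bits, 61, 28, signed=True) / 600000,  # 1/10000 minute units
        "lat": field(bits, 89, 27, signed=True) / 600000,
        "cog_deg": field(bits, 116, 12) / 10,
        "heading_deg": field(bits, 128, 9),
        "utc_second": field(bits, 137, 6),        # seconds only, no date or hour
        # Bits 143-167 hold the manoeuvre indicator, spare bits, RAIM flag and
        # radio status: nothing in the message is a signature or checksum of origin.
    }

if __name__ == "__main__":
    for name, value in decode_position_report(SAMPLE_PAYLOAD).items():
        print(f"{name}: {value}")
```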

AIS data extract courtesy Wikipedia, images courtesy Vesper Marine 
