Vessel-tracking system vulnerable to denial-of-service, other attacks, researchers say

Attackers could disable Automatic Identification System communications over large areas or send fake localization information to ships

The Hack in the Box 2014 security conference takes place in Amsterdam May 29 - 30.

Inexpensive equipment can be used to disrupt vessel-tracking systems and important communications between ships and port authorities, according to two security researchers.

During the Hack in the Box conference in Amsterdam Thursday, Marco Balduzzi, a senior research scientist at Trend Micro, and independent security researcher Alessandro Pasta described three new attacks against the Automatic Identification System (AIS), which is used by over 400,000 ships worldwide.

AIS supplements information from marine radar systems and sends a ship's identity, type, position, course, speed, navigational status and safety-related information to other ships, shore stations and aircraft. Port and coastal authorities also use the system to send important traffic information and other data back to the ships.

Balduzzi and Pasta warned last year that the lack of authentication and integrity-checking in the AIS communication protocol could allow pirates, terrorists or other attackers to create ghost vessels or spoof information received by the ships.

It's also possible to disable AIS communications over a large region, Balduzzi said Thursday. An attacker could impersonate a port authority and tell all AIS systems -- on ships, in shore stations, etc. -- to stop transmission for a number of minutes, and then repeat the command when that interval passes in order to prolong the downtime, he said.

Balduzzi and Pasta experimented on land with a self-built AIS transmitter and power amplifier and achieved a signal range of 20 km, but at sea the range would be greater because there are fewer obstacles. Using more power can also significantly boost the range.

The equipment used by the researchers cost US$600, but they said that an AIS transmitter could be built with cheaper components for under $100.

AIS communications can also be used as a channel to exploit vulnerabilities in the software running on the back-end systems that process and collect AIS data. For example, the researchers found an SQL injection vulnerability in a system used by ship captains to store weather forecasts received over AIS.

The vulnerability could be exploited to insert bogus weather information into the database or even delete the whole database, Balduzzi said.

The impact of using AIS to attack back-end systems depends on what those systems are designed to do and what kind of vulnerabilities they potentially have. If the system stores information about ship traffic in a harbor for example, inserting bad information into its database or deleting it can have serious consequences, the researcher explained.

A third attack presented Thursday involves the spoofing of Differential Global Positioning System (DGPS) information sent over AIS. DGPS data improves the accuracy of GPS-based localization from meters to centimeters.

A constant stream of spoofed DGPS data could make a ship deviate from its course, Balduzzi said. The result would be similar to that of a GPS spoofing attack demonstrated by researchers from the University of Texas at Austin last year, he said.

According to the International Maritime Organization (IMO), the United Nations agency responsible for the safety and security of shipping, the installation of AIS is required on all ships of 300 gross tonnage or more that are engaged on international voyages and for all passenger ships regardless of size.

The IMO did not immediately respond to a request for comment about the AIS attacks revealed Thursday at Hack in the Box.

According to Balduzzi and Pasta, AIS providers and maritime authorities generally acknowledged in the past that the lack of authentication and integrity checking in AIS is a problem, but said that captains are instructed to correlate information from multiple systems and not rely on AIS data alone.

"To me, if you have a system that's supposed to enhance the previous systems, but is not secure and can report wrong information, then it's useless," Balduzzi said.

Completely fixing the problem would require redesigning the communication protocol to build in security, and then upgrading or replacing the AIS hardware installed on ships, in ports and ground stations. However, that's not feasible in the short term, the researchers said. Using specialized software to detect anomalies in the AIS data can be a temporary solution, but it won't protect against every attack, such as the denial-of-service ones, they said.
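
One check that anomaly-detection software of this kind can run is kinematic plausibility: does each new position report fit the vessel's last accepted one? The sketch below is an added example, not code from the researchers or from any AIS product; the thresholds, the `Report` fields (keyed on the MMSI, the vessel identifier carried in AIS messages) and the sample reports are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass
EARTH_RADIUS_NM = 3440.065   # mean Earth radius in nautical miles
MAX_PLAUSIBLE_KN = 50.0      # assumed speed ceiling for a merchant vessel
SOG_TOLERANCE_KN = 10.0      # assumed allowed gap: reported vs. implied speed

@dataclass
class Report:
    mmsi: int     # vessel identifier carried in the AIS message
    t: float      # receive time in seconds
    lat: float
    lon: float
    sog: float    # reported speed over ground, knots

def distance_nm(a, b):
    """Great-circle (haversine) distance between two reports, nautical miles."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlat, dlon = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(h))

def find_anomalies(reports):
    """Flag reports that are inconsistent with the vessel's last accepted one."""
    last, flagged = {}, []
    for r in sorted(reports, key=lambda x: x.t):
        prev = last.get(r.mmsi)
        if prev is not None:
            dist, hours = distance_nm(prev, r), (r.t - prev.t) / 3600.0
            if hours == 0:
                if dist > 0.1:  # same instant, two different places
                    flagged.append((r, "conflicting position"))
                continue
            implied = dist / hours
            if implied > MAX_PLAUSIBLE_KN:
                flagged.append((r, "position jump"))
                continue  # keep the last accepted report as the reference
            if abs(implied - r.sog) > SOG_TOLERANCE_KN:
                flagged.append((r, "speed mismatch"))
                continue
        last[r.mmsi] = r
    return flagged

SAMPLE = [  # constructed: one vessel heading north at about 12 knots
    Report(123456789, 0, 52.0000, 4.0, 12.0),
    Report(123456789, 600, 52.0333, 4.0, 12.0),
    Report(123456789, 1200, 53.5000, 4.0, 12.0),   # ~88 nm in 10 minutes
    Report(123456789, 1800, 52.1000, 4.0, 12.0),
    Report(123456789, 2400, 52.1333, 4.0, 40.0),   # claims 40 kn, moved at ~12
]
```

Because flagged reports never become the reference point, a single spoofed position does not cause the genuine reports that follow it to be flagged.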
