Researchers hack AIS and prove several security holes

Researchers at cyber security company Trend Micro have published a research paper on marine equipment, namely AIS.

The company has explored several ways the equipment can be manipulated posing several possible threats for ships at sea.

It was possible for the researchers to both manipulate the data sent from an AIS station, as well as control external AIS stations. Correlating this to a real life situation this means that AIS data sent to other vessels can be wrong causing ships to not be able to recognize the location of nearby ships or conclude which ships are close. Furthermore data such as speed was manipulated which between two ships could mean that prospects of a collision could be hidden, despite ship operators relying on predictive alerts for collisions.

The equipment used for this was primarily put together for test purposes, but the paper indicates that gradually improved coverage was achieved by implementing a stronger antenna and using an amplifier. In reality, according to the research paper, it is possible to cover a distance of 16.5 kilometers. In small straits or with a ship at sea it is possible to take advantage of the vulnerabilities in AIS from a very great distance thus ensuring utmost anonymity.

The seriousness of the security holes in AIS is by the researchers considered fairly critical, due to the dependency of ships on AIS. AIS is mandatory and is thought to enhance the safety of seafarers. Operations related to AIS such as Sear And Rescue alerts which can effectively cause faked distress alerts. This can have fatal consequences and can be used to send the respective coast guard or other vessels to a location for hijacking.

The researchers were able to manipulate the data of an AIS from a remote location, meaning that in theory hijacking an AIS at sea could be possible.

Trend Micros software test can be criticized in the sense that a lot of focus was put on the distribution of data to online providers of AIS data. The critique here comes from the fact, that online providers of live AIS data cannot be considered a source for valid AIS security, since they more often than not act as intercepting parties. Ships are not required to share their data with online providers, it is merely online providers that “catch” AIS data and share it online.

However, in the defence of Trend Micros research, online providers use authentic and industry AIS equipment thus representing a correct industry AIS station which could in fact be a ship. Later in their paper, TrendMicro states that they also conducted part of the experiment with their own AIS equipment. Furthermore operational conditions of possible attackers were also considered in the research.

The researchers have in their paper emphasized the disinformation-part in manipulating the AIS, for example by suggesting disinformation in terms of weather forecasts, but also remotely overloading AIS of any given ship poses a threat to the dependency of AIS. The research showed that the system was highly receptive of ddos attacks using mostly open source software and equipment of maximum 1.000 euros.

A spokesperson at IMO said that the organization could not consider the research without a written submission by the researchers. This indicates a critical standpoint of the IMO. It does not support free research to avail the industry with improvements and issues. Essentially the IMO claimed that it would not consider research, if it was not directed at the organization. This however does not mean that the issues are not present, but rather that the IMO does not want to consider them in maritime security.

Trend Micro presented their research at the respected “HackInABox” conference in Kuala Lumpur.

Leave a Reply