Never say never to hackers as they have proven that pretty much anything can be hacked, especially when protocols are designed without any thought to security. This time, security researchers placed Automated Identification System (AIS) in the crosshairs and showed that this mandatory tracking system for about 400,000 ships is “comprehensively vulnerable to a wide range of attacks that could be easily carried out by pirates, terrorists or other attackers.”
At the Hack in the Box conference in Malaysia, Trend Micro’s Marco Balduzzi, Kyle Wilhoit and independent researcher Alessandro Pasta presented “Hey Captain! Where’s your Ship? Attacking Vessel Tracking Systems for Fun and Profit” [pdf]. They explained “how we have been able to hijack and perform man-in-the-middle attacks on existing vessels, take over AIS communications, tamper with the major online tracking providers and eventually fake our own yacht.” In fact, Balduzzi believes the attacks on shipping vessels are “much more feasible” than remotely attacking and hijacking an airplane. He said, “The difference between the airplane attacks and these ones is that the former are more difficult to perform, and therefore less likely to be performed by attackers in the wild.”
AIS protocol “was designed with seemingly zero security considerations,” but is a mandatory tracking system “for all passenger ships and commercial (non-fishing) ships over 300 metric tons.” AIS works “by acquiring GPS coordinates and exchanging vessel’s position, course and information with nearby ships, offshore installations, i.e. harbors and traffic control stations, and Internet tracking and visualization providers.” By 2014, it is estimated that AIS will be on one million ships.
The team of security researchers divided attacks into two categories; the first exploits vulnerabilities in AIS Internet provider systems and the other exploits flaws in the AIS protocol itself.
Although AIS Internet providers collect AIS information and distribute it publicly, the Trend Micro blog explained that attackers can modify “all ship details, such as position, course, cargo, flagged country, speed, name, MMSI (Mobile Maritime Service Identity) status etc.”
Attackers can “create and modify search and rescue marine aircraft such as helicopters, and light aircraft e.g. having a stationary search and rescue coast guard helicopter ‘take off’ and travel on a set course.” Additionally, attackers can create or modify “Aid to Navigations (AToN) entries, such as buoys and lighthouses. This leads to scenarios such as blocking the entrance to a harbor, causing a ship to wreck, etc.”
They also created a ghost ship, not the kind with ghouls intent on killing passengers, but a fake kind of shipping vessel in an attack that is similar to injecting ghost airplanes into radar. A pirate or terrorist attacker could tamper with data from an AIS service provider’s system to change the type of ship or the cargo it is carrying. Balduzzi and Wilhoit chose a real ship, the 60 meter-long Eleanor Gordon, that was physically located in the Mississippi River in southern Missouri, but made it appear as if the ship was on a lake in Dallas. For a scarier example, an attacker could create a fake ship that had all the same details of a real vessel and make it appear like an Iranian ship full of nuclear cargo was sitting off the coast of the US.
The second type of attack targets “flaws in the actual specification of the AIS protocol used by hardware transceivers in all mandatory vessels” and ranged from spoofing to denial of service attacks.
You know about man-in-the-middle attacks, hopefully, but they developed an attack called man-in-the-water spoofing. If a person falls overboard, there are safety beacon devices that send AIS packets, distress signals, to all ships nearby for rescue purposes; but the researchers were able to send a fake ‘man-in-the-water’ distress beacon to any location that would “trigger alarms on all vessels within approximately 50 km.”
Other fake alerts an attacker could pull off include sending false weather warnings so ships would route around the supposed approaching storm. They also sent a fake CPA (Closest Point of Approach) alert and triggered a collision warning alert. “In some cases this can even cause software on the vessel to recalculate a course to avoid collision, allowing an attacker to physically nudge a boat in a certain direction.”
In a denial of service-flavored attack, the researchers impersonated marine authorities “to permanently disable the AIS system on a vessel, both forcing the ship to stop communicating its position, and stop getting AIS notifications from all nearby vessels. This can also be tagged to a geographical area e.g. as soon as ship enters Somalia sea space it vanishes of AIS, but the pirates who carried out the attack can still see it.”
The AIS protocol lacks a geographical validity check, meaning the location message is “accepted without question.” The lack of timestamps on valid and existing AIS information opens the way to replay attacks. There is no authentication built into the AIS protocol, so an attacker “can craft AIS packets that impersonate any other vessel on the planet, and all receiving vessels will treat the message as fact.” Lastly, the researchers said an attacker can easily intercept and modify all AIS messages, since they are sent in an unencrypted and unsigned form.
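The missing geographical validity check can be partly compensated for on the receiving side. The sketch below is an added example, not code from the researchers' talk or from any AIS product: it flags already-decoded position reports that lie outside an assumed reception radius or that imply an impossible speed for the same MMSI. The thresholds, MMSI values and coordinates are constructed for illustration, and times come from the receiver's own clock because the messages carry no trustworthy timestamp.

```python
import math

MAX_RANGE_KM = 100.0   # assumption: plausible VHF reception radius for this receiver
MAX_SPEED_KN = 60.0    # assumption: upper bound on a surface vessel's speed
RX_LAT, RX_LON = 36.60, -89.50   # constructed receiver position

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def check_reports(reports, rx_lat, rx_lon):
    """Return (index, mmsi, reason) for each implausible position report.

    reports: list of (recv_time_s, mmsi, lat, lon) ordered by local receive time.
    """
    last = {}     # mmsi -> (time, lat, lon) of the last report that passed
    alerts = []
    for i, (t, mmsi, lat, lon) in enumerate(reports):
        # A report we physically received cannot originate far beyond radio range.
        if haversine_km(rx_lat, rx_lon, lat, lon) > MAX_RANGE_KM:
            alerts.append((i, mmsi, "out_of_range"))
            continue
        if mmsi in last:
            t0, lat0, lon0 = last[mmsi]
            hours = max(t - t0, 1) / 3600.0          # avoid division by zero
            knots = haversine_km(lat0, lon0, lat, lon) / 1.852 / hours
            if knots > MAX_SPEED_KN:
                alerts.append((i, mmsi, "position_jump"))
                continue
        last[mmsi] = (t, lat, lon)   # only plausible reports update the track
    return alerts

# Constructed sample: decoded reports as (recv_time_s, mmsi, lat, lon).
SAMPLE = [
    (0,   111111111, 36.600, -89.52),
    (60,  111111111, 36.605, -89.52),
    (120, 111111111, 32.800, -96.80),   # same MMSI suddenly hundreds of km away
    (180, 222222222, 36.700, -89.40),
    (190, 222222222, 36.950, -89.40),   # about 28 km covered in 10 seconds
    (240, 111111111, 36.620, -89.52),   # genuine track continues normally
]

if __name__ == "__main__":
    for alert in check_reports(SAMPLE, RX_LAT, RX_LON):
        print(alert)
```

Checks like these only catch implausible reports; a forged message with a believable position and speed still passes, because the protocol itself offers nothing to authenticate the sender.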
Okay, but could these attacks really happen in the real world? You betcha, since the researchers said that after attackers conquer the “learning curve with the protocols, uses and implementations of AIS,” the “necessary equipment can be purchased for between $100 and $300, depending on the attack.”
All slides from “Hey Captain! Where’s your Ship? Attacking Vessel Tracking Systems for Fun and Profit” [pdf].