In addition to conventional radar, today’s ships use the Automatic Identification System (AIS) to track their movements, improving oversight, navigation, safety and, critically, collision avoidance. The technology is now mandatory for all passenger ships and all commercial ships weighing more than 300 metric tons. However, while AIS is a critical tool in avoiding collisions, it also has security vulnerabilities that could cause trouble on the high seas, according to researchers from Trend Micro.
Researchers Marco Balduzzi and Kyle Wilhoit of Trend Micro, along with independent researcher Alessandro Pasta, have been studying potential threats created by the connected environments of the Internet of Things. AIS transponders on ships incorporate a GPS receiver and a VHF transmitter, sending location data to other ships, to offshore installations such as ports, and to online tracking and visualization services. The technology is currently used by around 400,000 ships worldwide.
Attackers might target either the Internet providers that publish ship location data or flaws in the specification of the AIS protocol of the hardware itself, Wilhoit told Dark Reading. Fundamentally, the receiver does not authenticate AIS data, which leaves the data susceptible to tampering and potentially enables attackers to submit false data.
“I could go out, and I could pretend to be a boat, and they don’t even fact-check it,” Wilhoit told Dark Reading. “They don’t look at, OK … is this AIS sentence actually a boat? They don’t check any of that. So it’s all accepted as is. It’s accepted as true.”
This issue could allow attackers to modify the readouts of ship positions, create fake ships that appear on tracking systems or issue bogus collision alerts, the source reported. Although the learning curve for the systems is relatively steep, the built-in protections are simple once an attacker gains access, Wilhoit said. Additionally, such attacks are cheap and easy to perform with equipment that can cost as little as $100. While updates can be rolled out to some of the popular tracking services, fully correcting the errors would require a redesign of the embedded software of devices in ships around the globe.
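Because the receiver accepts every position report as true, a tracking service can at least test each report against the vessel's own track before displaying it. The sketch below is an added example, not code from the researchers or from any AIS product: the `Report` fields, the 60-knot ceiling and the sample MMSI values are assumptions, and the check measures plausibility only, it does not authenticate the sender.

```python
import math
from dataclasses import dataclass

MAX_PLAUSIBLE_KNOTS = 60.0   # assumed ceiling; tune per vessel class
EARTH_RADIUS_NM = 3440.065   # mean Earth radius in nautical miles

@dataclass
class Report:                # hypothetical decoded position report
    mmsi: int                # vessel identifier claimed in the message
    t: float                 # receive time, seconds
    lat: float
    lon: float

def distance_nm(a, b):
    """Great-circle (haversine) distance between two reports."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlon = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(h))

def check_reports(reports):
    """Return (report, reason) pairs for reports that contradict the track."""
    last_ok, findings = {}, []
    for r in sorted(reports, key=lambda x: x.t):
        if not (-90 <= r.lat <= 90 and -180 <= r.lon <= 180):
            findings.append((r, "position out of range"))
            continue
        prev = last_ok.get(r.mmsi)
        if prev is not None:
            dist, dt_h = distance_nm(prev, r), (r.t - prev.t) / 3600.0
            if dt_h <= 0 and dist > 0.1:
                findings.append((r, "two positions at the same time"))
                continue
            if dt_h > 0 and dist / dt_h > MAX_PLAUSIBLE_KNOTS:
                findings.append((r, f"implied speed {dist / dt_h:.0f} kn"))
                continue     # flagged reports do not advance the track
        last_ok[r.mmsi] = r
    return findings

# Constructed sample data: one steady track with an injected jump,
# and one report with an impossible latitude.
SAMPLE = [
    Report(999000001, 0.0, 43.000, 7.000),
    Report(999000002, 30.0, 91.000, 7.000),
    Report(999000001, 60.0, 43.003, 7.000),
    Report(999000001, 120.0, 44.000, 7.000),
    Report(999000001, 180.0, 43.009, 7.000),
]

if __name__ == "__main__":
    for rep, reason in check_reports(SAMPLE):
        print(rep.mmsi, rep.t, reason)
```

A report flagged this way should be held for operator review rather than silently dropped, since a genuine vessel whose identifier is being reused will also produce conflicting positions.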
The difficulty of correcting such an error underscores the importance of designing products with security in mind. Particularly as more systems are built to transmit data, using tools such as static analysis software to catch security flaws at the design level is essential for vendors.