Global shipping at risk, major security weakness in vessel tracking system exposed

A computer security team has found a way to fake ship positions by exploiting weaknesses in a globally-used vessel tracking system.

At the Hack In The Box 2013 security conference here, the largely Italian team said the Automatic Identification System (AIS) - used in over 400,000 installations - was not at all secure.

To prove their point, they showed how they were able to create an imaginary ship, complete with identity code, tonnage and even geographical coordinates off the Italian port city of Genoa earlier this year.

"We were looking into ships and how they communicated, and we found that the AIS had no authentication or security mechanism involved," said team member Dr Marco Balduzzi.

Balduzzi, a senior threat researcher with IT security vendor Trend Micro, his colleague Kyle Wilhoit and independent researcher Alessandro Pasta studied the AIS before coming up with attacks using the Internet and radio frequencies.

According to Balduzzi, AIS transponders are required to be installed in cargo ships weighing above 300 tons and all passenger-carrying vessels.

Starting about six months ago with some homemade equipment, the three were able to come up with about eight types of security attacks.

These included registering fake ships at geographical coordinates and faking collision alerts and weather forecasts.

In one case they showed how an attacker could masquerade as a port authority and tell ships to change their AIS radio frequencies, isolating them from the rest of the world.

Calling it frequency-hopping, Pasta said: "The port authorities have the power to remote control the AIS installed in a vessel to switch (radio) frequencies."

"You can completely isolate a vessel, and only the attacker will know about the ship's state," he said.

The team said that except for the fake ship creation off the Italian coast, all other attacks were conducted in controlled lab environments.

They also informed various coast guards and marine-based agencies before carrying out their tests, including the International Telecommunication Union - Radiocommunication (ITU-R), which designed the AIS.

They added that ITU-R "acknowledged" the group's findings, and that they were looking forward to working with them.

Asked why the AIS didn't have any security measures in place, Pasta said its developers didn't think about this when they introduced it about 10 years ago.

The team said that though these attacks had not been repeated anywhere else, they were still a cause for concern.

"It's not just a Malaysian problem. It's a world problem," Balduzzi said when asked about a possibility of an attack in the Malacca Straits, which has some of the world's heaviest shipping traffic.

"We hope awareness can push ITU-R into fixing it. It's a pretty severe issue," he said.

Source: The Star