Feeds

Leaky security could scuttle global ship-tracking system

Nuke-carrying Iranian ghost ships could be on the USA's radar right now

Protecting against web application threats using SSL

Security researchers have found a major flaw in the Automatic Identification System (AIS), a mandatory tracking system for ships, which could leave the 400,000 vessels currently using it globally wide open to terrorists or pirates.

Trend Micro’s Kyle Wilhoit and Marco Balduzzi and independent researcher Alessandro Pasta presented their findings at the HITB security conference in Kuala Lumpur this week.

They claimed that AIS has been designed “with seemingly zero security considerations”, potentially allowing hackers to create fake vessels, disable tracking or create false SOS or collision alerts.

Given that the system is mandatory for all commercial ships over 300 metric tons and all passenger ships regardless of weight, the security flaws highlighted in the research are nasty.

AIS works by grabbing GPS data on a ship’s position, course and other info and exchanging it with nearby ships and AIS base stations along the coastline.

However, in a blog post, Wilhoit and Balduzzi explained that they’d found vulnerabilities not only in the AIS protocol but also within service providers such as Marine Traffic which use AIS info on their public-facing sites.

They claimed some of the main providers have vulnerabilities which would allow a hacker to “tamper with valid AIS data and inject invalid AIS data”, leading to a variety of possible outcomes.

These include changing vital ship details such as position, course, speed, cargo or unique MMSI (Mobile Maritime Service Identity).

It could also allow the creation of fake vessels – they gave the example of an Iranian ship filled with nuclear cargo turning up off the US coast.

Hackers could force shipwrecks by “creating and modifying Aid to Navigations (AToN) entries, such as buoys and lighthouses”, and even spoof the take-off and flight of search and rescue aircraft.

Wilhoit and Balduzzi also found flaws in the AIS protocol used in hardware transceivers installed in all vessels using the system.

This could lead to the following scenarios, they claimed:

Impersonate marine authorities to permanently disable the AIS system on a vessel, both forcing the ship to stop communicating its position, and stop getting AIS notifications from all nearby vessels (essentially a denial of service attack). This can also be tagged to a geographical area e.g. as soon as ship enters Somalia sea space it vanishes of AIS, but the pirates who carried out the attack can still see it.

Fake a “man-in-the-water” distress beacon at any location that will also trigger alarms on all vessel within approximately 50 km.

Fake a CPA alert (Closest Point of Approach) and trigger a collision warning alert. In some cases this can even cause software on the vessel to recalculate a course to avoid collision, allowing an attacker to physically nudge a boat in a certain direction.

Send false weather information to a vessel, e.g. approaching storms to route around.

Cause all ships to send AIS traffic much more frequently than normal, resulting in a flooding attack on all vessels and marine authorities in range.

The problem, the duo claimed, is that AIS was “designed in a world before the Internet or software-defined radio”.

This means it lacks basic security measures such as geographical validity checks to ensure the accuracy of AIS messages; time-stamping of messages; authentication of message senders; and encryption to prevent message interception/modification.

Trend Micro said it will be releasing a white paper around the findings in due course and has already disclosed its research to all major AIS standards bodies and online AIS tracking info providers. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.