Researchers at Trend Micro report that an analysis of a vessel tracking system that is mandated on most large sea vessels has found that it is vulnerable to a range of possible software- and radio-based attacks.
The vulnerabilities could be exploited in ‘cyber-physical’ attacks against the Automated Identification System (AIS) that direct ships off course or confuse officials by misreporting the actual location of vessels, the researchers found.
Trend Micro researchers Marco Balduzzi and Kyle Wilhoit presented their research at the Annual Computer Security Applications Conference (ACSAC) in New Orleans this month.
AIS is a global system for tracking the movement of vessels. It is intended to supplement marine radar and relies on ship-, land- and satellite-based systems to exchange data on ships’ position, course and speed. It is used for everything from collision avoidance to security, ship-to-ship communications and weather forecasting. AIS is required to be deployed on all passenger vessels and on international-voyaging ships with gross tonnage of 300 or more. Today, it is used on more than 400,000 vessels, and those numbers are expected to grow, the researchers note.
However, Balduzzi and Wilhoit found that AIS is rife with exploitable software and protocol vulnerabilities. Chief among them are flaws in the AIS protocol, which was developed in a “hardware epoch” and lacks even basic security features such as authentication and message integrity checks.
While hacks of such systems would have required specialized hardware and software 10 or 15 years ago, the advent of tools like software-defined radio makes it possible to craft sophisticated attacks with just a small investment, the researchers discovered.
In their work, Balduzzi and Wilhoit – working with an independent security researcher – were able to use software-defined-radio-based attacks to trigger a range of phony messages, from false SOS and “man in the water” distress beacons to fake CPA (Closest Point of Approach) alerts and collision warnings, on an AIS system set up in a lab environment.
Separate tests also revealed that malicious AIS messages could be used to knock out VTS (Vessel Tracking System) servers by exploiting common software vulnerabilities like buffer overflows and SQL injection, the researchers wrote.
“Our findings show that both the implementation of AIS, as well as the protocol specification, are affected by several threats including spoofing, hijacking and availability disruption,” the researchers wrote in a blog post.
They warned that other, similar attacks against cyber-physical systems will become more common in the near future. A copy of their presentation at ACSAC can be found here.
Balduzzi and Wilhoit have written about vulnerabilities in the AIS system before. Early in 2014, they presented research on the possibility of conducting man-in-the-middle attacks against ships. However, their latest research expands the list of possible attacks against AIS infrastructure dramatically.
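Because the protocol gives a receiver no way to authenticate a position report, a monitoring station is left to test reports for physical plausibility. The following is an added example, not code from the Trend Micro research or from any AIS product; the report fields, the 50-knot ceiling, the 10-knot tolerance and the sample reports are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_NM = 3440.065   # mean Earth radius in nautical miles
MAX_PLAUSIBLE_KNOTS = 50.0   # assumed speed ceiling for a large vessel
SOG_TOLERANCE_KNOTS = 10.0   # assumed slack between claimed and implied speed

@dataclass(frozen=True)
class PositionReport:        # hypothetical, already-decoded report
    mmsi: int                # vessel identifier claimed by the sender
    t: float                 # receive time in seconds
    lat: float               # degrees
    lon: float               # degrees
    sog: float               # claimed speed over ground, knots

def distance_nm(a, b):
    """Great-circle (haversine) distance between two reports."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlat, dlon = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(h))

def flag_implausible(reports, max_knots=MAX_PLAUSIBLE_KNOTS, tol=SOG_TOLERANCE_KNOTS):
    """Return (mmsi, t, reason) for reports that contradict the vessel's track."""
    last, alerts = {}, []
    for r in sorted(reports, key=lambda rep: rep.t):
        prev = last.get(r.mmsi)
        if prev is not None and r.t > prev.t:
            implied = distance_nm(prev, r) / ((r.t - prev.t) / 3600.0)
            if implied > max_knots:
                alerts.append((r.mmsi, r.t, "jump"))
                continue     # a suspect report must not become the new baseline
            if abs(implied - r.sog) > tol:
                alerts.append((r.mmsi, r.t, "sog_mismatch"))
        last[r.mmsi] = r
    return alerts

# Constructed sample: vessel 111111111 steams north at 12 knots with one
# far-away report injected; vessel 222222222 sits still but claims 25 knots.
SAMPLE_REPORTS = [
    PositionReport(111111111, 0.0, 29.000000, -90.0, 12.0),
    PositionReport(222222222, 0.0, 29.500000, -89.5, 0.0),
    PositionReport(111111111, 60.0, 29.003333, -90.0, 12.0),
    PositionReport(222222222, 60.0, 29.500000, -89.5, 25.0),
    PositionReport(111111111, 120.0, 30.000000, -88.0, 12.0),
    PositionReport(111111111, 180.0, 29.010000, -90.0, 12.0),
]

if __name__ == "__main__":
    for alert in flag_implausible(SAMPLE_REPORTS):
        print(alert)
```

A check like this only catches reports that contradict a track the station already trusts; a spoofed track that is internally consistent from its first report passes it.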