
Hack A Vessel: Warnings Over Serious Flaws In Shipping Industry Comms

Researchers have warned of gaping security holes in one of the shipping industry’s communications standards that leave vessels in danger of hacks from pirates or terrorists.

The vulnerabilities, discovered by Trend Micro researchers Kyle Wilhoit and Dr. Marco Balduzzi, working with independent researcher Alessandro Pasta, were resident in the Automatic Identification System (AIS), a vessel tracking system used by all commercial ships weighing over 300 metric tons.

Shipping hacks

A first set of flaws was found at the AIS Internet providers that collect AIS data and distribute it publicly. Attackers could intercept the data and manipulate it to change the apparent position, course, speed and name of a ship, amongst other details.

They could even create fake vessels, buoys, lighthouses and marine aircraft such as search and rescue helicopters.

There were also flaws in the AIS protocol itself, which was “designed with seemingly zero security considerations”, according to Trend. These could allow an attacker to impersonate a marine authority and permanently disable the AIS system.

“This can also be tagged to a geographical area e.g. as soon as a ship enters Somalia sea space it vanishes off AIS, but the pirates who carried out the attack can still see it,” Trend Micro said in a blog post.

Amongst the specific vulnerabilities in AIS were lack of authentication and zero validation to check where a message came from. Everything was sent in unencrypted and unsigned form, meaning intercepting and tampering were effortless.
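Because the protocol gives a receiver no way to verify who sent a position report, consumers of AIS data are left with plausibility checks on the reports themselves. The following is an added example, not code from the Trend Micro research: it takes already-decoded position reports (MMSI, Unix time, latitude, longitude) and flags any vessel whose consecutive reports imply a speed no surface ship could reach, the kind of discontinuity a spoofed or tampered feed produces. The speed ceiling and the sample reports are assumptions constructed for the example.

```python
from collections import defaultdict
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
KM_PER_NM = 1.852
MAX_PLAUSIBLE_KNOTS = 60.0  # assumed ceiling for a surface vessel


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implausible_tracks(reports, max_knots=MAX_PLAUSIBLE_KNOTS):
    """Group reports by MMSI, order them in time, and return
    {mmsi: [(t_prev, t_cur, implied_knots), ...]} for every pair of
    consecutive reports whose implied speed exceeds max_knots.
    Each report is (mmsi, unix_time, lat, lon), already decoded from AIVDM."""
    by_mmsi = defaultdict(list)
    for mmsi, t, lat, lon in reports:
        by_mmsi[mmsi].append((t, lat, lon))
    flagged = defaultdict(list)
    for mmsi, track in by_mmsi.items():
        track.sort()  # receipt order is not time order; sort by timestamp
        for (t0, la0, lo0), (t1, la1, lo1) in zip(track, track[1:]):
            dist_km = haversine_km(la0, lo0, la1, lo1)
            hours = (t1 - t0) / 3600.0
            if hours == 0:
                # same timestamp, different place: two transmitters share one MMSI
                if dist_km > 0.1:
                    flagged[mmsi].append((t0, t1, float("inf")))
                continue
            knots = dist_km / KM_PER_NM / hours
            if knots > max_knots:
                flagged[mmsi].append((t0, t1, round(knots, 1)))
    return dict(flagged)


# Constructed sample: 211000001 creeps 0.01 deg north in 10 minutes (reported
# out of order); 211000002 "moves" a full degree of latitude in the same time.
SAMPLE_REPORTS = [
    (211000001, 600, 54.01, 10.0),
    (211000001, 0, 54.0, 10.0),
    (211000002, 0, 54.0, 10.0),
    (211000002, 600, 55.0, 10.0),
]

if __name__ == "__main__":
    for mmsi, hits in implausible_tracks(SAMPLE_REPORTS).items():
        print(f"MMSI {mmsi}: implausible jumps {hits}")
```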

It would be cheap for the attacker too. “While all the attacks we described above were carried out in our dedicated test lab setup – where we used specific software defined radio equipment – we have also proven that an attacker is able to carry out such attacks using a modified standard, easy to obtain VHF radio which costs approximately €150,” Trend added.

The company disclosed its findings to all the relevant parties, but said it would be difficult to fix the deep-seated problems with AIS. It would need to be updated across all vessels, whatever the cost, Trend added.

Earlier this year, Claudio Guarnieri, a researcher at Rapid7, showed TechWeekEurope how he was able to track naval vessels using very similar techniques. After just four hours of work, he was able to track 34,000 boats, many belonging to law enforcement and national governments, thanks to flaws in communications between ships.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.


  • Clearly the authors have no idea about the shipping industry or AIS itself. AIS was designed as an aid to avoid ship to ship collisions and has to be used in conjunction with radar and other methods.

    AIS itself only has a range of 12-40nm (VHF range), so vessel tracking for security reasons is done using satellite systems such as Inmarsat C. The data from the Satellite receiving stations to the end users (Security centres) can be encoded using SSL etc.

    Yes the system can be spoofed as can GPS, but it's only an aid and is NOT and has NEVER been designed to be secure nor does it need to be.

    As for the comment about using a £150 radio, it is just plain stupid; the amount of work required is going to be enormous to implement a full AIS transponder from that. Possible, but it would be easier to purchase a proper AIS transponder. How useful that would be anyway is debatable, plus the offender's position would be known to security forces straight away - it's a radio transmission!

  • I second Brian M and his explanation. This is just Trend Micro trying to gather trending. I would think it not worthy of publishing personally. Enough FUD around as it is.
