AIS Security:Your Questions Answered

After a week since our presentation at HiTB Kuala Lumpur 2013, our findings regarding Automatic Identification System (AIS) security have been picked up by notable media outlets, including ABC News, Softpedia, VesselFinder, Heise, Spiegel, and NetSecurity. It also raised some questions about AIS and, to a certain extent, our research. In this blog post, we want to briefly address some comments we received from Internet users concerning our recent research on AIS, a fundamental technology used by ships and vessel traffic services worldwide.

AIS was introduced as mandatory installation in 2002 to overcome the limitation of existing technology such as radars. It was supposed to enhance the safety of vessel traffic by using modern solutions like GPS and 3/4G Internet connectivity. Because the device proved to be useful, class-B devices were later introduced, which were designed for smaller boats such as yachts and sailing boats.

As a result, crew members were indirectly persuaded to rely more on AIS as opposed to traditional devices, since it comes with a more recent and reliable technology. Or at least it should be.

With our research, we actually showed the opposite. We showed that AIS, which is now deployed to over 400,000 installations globally, is not infallible. It is fundamentally broken and can be abused by attackers. Our first message, then, is that users must not completely trust AIS, as attackers can actively use it for malicious deeds,  such as piracy. In case of an attack, the final user (i.e. the captain), will not be able to distinguish between true and false information reported by the AIS transponder.

Paradoxically, traditional equipment for collision avoidance like sonars and radars are actually more reliable. For example,  think of how difficult it is to tamper with the waves they generate. Thus, it should be made mandatory to correlate AIS data with the other devices on board.  I have been told of vessels (both large and small ones like yachts) configured with autopilot running via AIS (for collision avoidance) –  which is very risky to say the least.  Please don’t do that!

Apart from collision avoidance, AIS is largely used (and nowadays) a de-facto standard in search and rescue operations. Search and rescue transponders (SARTs) are self-contained, waterproof transponders intended for emergency.

Modern SART devices (AIS-SARTs) use AIS position report to determine the presence and exact location of a man in water. The second type of SART devices (radar-SARTs) uses traditional radar technology. We believe that this modern SART device can be misused, such as when an attacker (i.e. a pirate) triggers a AIS-SART alert and lure a vessel into moving to a hostile and attacker-controlled location. Note that by law, a vessel is required to join a rescue operation. Currently, for a targeted ship, there is no way to unmask a spoofed SART message because no correlation can be done.

To conclude, our research disclosed fundamental flaws in the protocol specification of AIS affecting entirely all AIS transponders worldwide. Last August, we personally communicated with IMO, IALA and ITU-R – the three international organizations behind AIS – but only received response from the latter. Accordingly to MIT Technology Review, “only a formal paper submitted via a government with IMO membership or an organization with consultative status would lead to any response”. However, this waiting for a “formal submission” from a government/member organisation  can be a roadblock in promptly addressing the issues surrounding AIS. This also shows that these organizations may be unaware of the more matured world of vulnerability disclosure that takes place in the security industry.  We believe that they should push for more discussions around AIS security, wherein groups such as Trend Micro can share their research and participate.

With our work, we hope to raise awareness and lead the involved parties e.g. CERTs, maritime coastguards and authorities, into soliciting for a more robust and secure AIS standardization.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

AIS Security:Your Questions Answered

Read more: AIS Security:Your Questions Answered

Story added 22. October 2013, content source with full text you can find at link above.