Italian team said that AIS has no authentication or security mechanism involved
The AIS vessel tracking system can be easily hacked to make ships vanish or to change their routes and cargo descriptions, a large Italian computer security team said during the Hack In The Box 2013 security conference, The Star Online reports.
To prove their point, they showed how they were able to create an imaginary ship, complete with identity code, tonnage and even geographical coordinates off the Italian port city of Genoa earlier this year.
“We were looking into ships and how they communicated, and we found that the AIS had no authentication or security mechanism involved,” said team member Dr Marco Balduzzi.
Balduzzi, a senior threat researcher with IT security vendor Trend Micro, his colleague Kyle Wilhoit and independent researcher Alessandro Pasta studied the AIS before coming up with attacks using the Internet and radio frequencies. According to Balduzzi, AIS transponders are required to be installed in cargo ships weighing above 300 tons and all passenger-carrying vessels.
Starting about six months ago with some homemade equipment, the three were able to come up with about eight types of security attacks. These included registering fake ships on geographical coordinates, faking collision alerts and weather forecasts.
In one case they showed how an attacker could masquerade as a port authority and tell ships to change their AIS radio frequencies, isolating them from the rest of the world.
Calling it frequency-hopping, Pasta said: “The port authorities have the power to remote control the AIS installed in a vessel to switch (radio) frequencies.”
“You can completely isolate a vessel, and only the attacker will know about the ship’s state,” he said.
The team said that except for the fake ship creation off the Italian coast, all other attacks were conducted in controlled lab environments. They also informed various coast guards and marine-based agencies before carrying out their tests, including the International Telecommunication Union – Radiocommunication (ITU-R), which designed the AIS.