After a week since our presentation at HiTB Kuala Lumpur 2013, our findings regarding Automatic Identification System (AIS) security have been picked up by notable media outlets, including ABC News, Softpedia, VesselFinder, Heise, Spiegel, and NetSecurity. It also raised some questions about AIS and, to a certain extent, our research. We want to briefly address some comments we received from Internet users concerning our recent research on AIS, a fundamental technology used by ships and vessel traffic services worldwide.

AIS was made mandatory in 2002 to overcome the limits of existing technology such as radar. It was supposed to enhance the safety of ship traffic by using modern solutions like GPS and 3G/4G Internet connectivity. Because these devices proved to be useful, class-B devices were later introduced, which were designed for smaller boats such as yachts and sailing boats.

As a result, crew members were indirectly persuaded to rely more on AIS as opposed to traditional devices, since it comes with a more recent and reliable technology. Or, at least, it should be.

With our research, we actually showed the opposite. We showed that AIS, which is now deployed to over 400,000 installations globally, is not infallible. It is fundamentally broken and can be abused by attackers. Our first message, then, is that users must not completely trust AIS, as attackers can actively use it for malicious deeds,  such as piracy. In case of an attack, the final user (i.e. the captain), will not be able to distinguish between true and false information reported by the AIS transponder.

Paradoxically, traditional equipment for collision avoidance like sonars and radars are actually more reliable. For example, think of how difficult it is to tamper with the waves they generate. It should be made mandatory to correlate AIS data with the other devices on board.  I have been told of vessels (both large and small ones like yachts) configured with autopilot running via AIS (for collision avoidance) –  which is very risky to say the least.  Please don’t do that!

Apart from collision avoidance, AIS is largely used (and nowadays) a de facto standard for search and rescue operations. Search and rescue transponders (SARTs) are self-contained, waterproof transponders intended for emergency.

Modern SART devices (AIS-SARTs) use AIS position reports to determine the presence and exact location of a man in water. The second type of SART devices (radar-SARTs) uses traditional radar technology. We believe that these modern SART devices can be misused, such as when an attacker (i.e. a pirate) triggers a AIS-SART alert and lure a vessel into moving to a hostile and attacker-controlled location. Note that by law, a vessel is required to join a rescue operation. Currently, for a targeted ship, there is no way to unmask a spoofed SART message because no correlation can be done.

To conclude, our research disclosed fundamental flaws in the specification of AIS affecting all AIS transponders worldwide. Last August, we personally communicated with the International Maritime Organization (IMO), the  International Association of Marine Aids to Navigation and Lighthouse Authorities (IALA) and the  ITU Radiocommunication Sector (ITU-R) – the three international organizations behind AIS – but only received a response from the latter. According to the MIT Technology Review, “only a formal paper submitted via a government with IMO membership or an organization with consultative status would lead to any response”.

However, waiting for a “formal submission” from a government/member organisation can be a roadblock in promptly addressing the issues surrounding AIS. This also shows that these organizations may be unaware of the more matured world of vulnerability disclosure that takes place in the security industry.  We believe that they should push for more discussions around AIS security, wherein groups such as Trend Micro can share their research and participate.

With our work, we hope to raise awareness and lead the involved parties e.g. CERTs, maritime coastguards and authorities, into calling for a more robust and secure AIS standard.

In recent years, automated identification systems (AIS) have been introduced to enhance ship tracking and provide extra safety to marine traffic, on top of conventional radar installations. AIS is currently mandatory for all passenger ships and commercial (non-fishing) ships over 300 metric tons. It works by acquiring GPS coordinates and exchanging vessel’s position, course and information with nearby ships, offshore installations, i.e. harbors and traffic control stations, and Internet tracking and visualization providers.

Installed in an estimated 400,000 vessels, AIS is currently the best system for collision avoidance, maritime security, aids to navigation and accident investigations.

As the world becomes more connected to the “Internet of Things”, Trend Micro’s Forward Looking Threat researchers continue to look into any technologies that could be abused by attackers in the near future. Given its importance in marine safety, we conducted a comprehensive security evaluation of AIS, tackling it from a software, hardware, and radio frequency perspective.

This Wednesday myself, my colleague Kyle Wilhoit, and independent researcher Alessandro Pasta will be presenting at the Hack in the Box conference in Kuala Lumpur, Malaysia, one of the most well-known security conference in the industry. We will discuss how we were able to hijack and perform man-in-the-middle attacks on existing vessels, take over AIS communications, tamper with the major online tracking providers and eventually fake our own yacht and search and rescue vessels. We will release more details after the conference later this week.

Figure 1. Attacked AIS system

Over the last number of years there has been a noticeable rise in the number of reported targeted attacks, which are also commonly referred to as advanced persistent threats (APTs). Notable examples of said attacks include the Red October campaign or the IXESHE APT.

What sets a targeted attack apart from a widespread attack is purely the motivation behind the attackers and their victims. The actual tools used are largely irrelevant; the tools are identical, but the motivations of the attackers and the targeted victims set a targeted attack apart. For example, a Remote Access Tool (RAT) that infects users across 50 countries would be considered a widespread attack – while the same attack against two nuclear power plants against no one else is an example of a targeted attack. The tool is identical but the motivation of the attackers and their chosen targets set the attacks apart.

One thing that clear about targeted attacks is that they are difficult to detect, and not much research has been conducted so far in detecting these attacks.

Our paper discusses a new system we’ve called SPuNge that processes threat information gathered via feedback provided by the Smart Protection Network to detect potential targeted attacks for further investigation.

We use a combination of clustering and correlation techniques to identify groups of machines that share a similar behavior with the respect to the malicious resources they access and the industry in which they operate (e.g. oil & gas).

The techniques we adopt include a text-based hierarchical clustering aimed at finding clusters of similar malicious URLs, i.e. having common patterns in hostnames, paths or query strings. We correlate them with information on the users machine, such as their IP address, to identify groups of customers affected by the same threat. Finally, we automatically correlate these groups with both the industry and the geographical information to discover potential targeted attacks.

We used SPuNge to examine existing feedback from more than 20 million Trend Micro customers to see if the system was effective and useful in identifying threats. The tests were able to show that SPuNge is a powerful and useful tool in assisting cybercrime investigation.

The methodology of SPuNge is described in the paper Targeted Attacks Detection with SPuNge. In addition, we discussed this topic at PST2013, the eleventh International Conference on Privacy, Security and Trust which was recently held in Tarragona, Catalonia.