The Automatic Identification System (AIS) is used worldwide in order to track shipping vessels. Researchers from a computer security company Trend Micro found that the system can be hacked using cheap radio equipment, making fake vessels to appear, real ones to disappear, and to issue false emergency alerts.
According to the researchers, it was possible to compromise the AIS system from the root level. More specifically they used AIS equipment available on the market (costing approximately 700 euros) connecting it to a computer in the vicinity of a port. After that the researchers intercepted signals from nearby crafts and send out modified versions to make it appear to other AIS users that a vessel was somewhere it was not.
With a similar approach the researchers were able to force ships to stop broadcasting their movements through AIS by using a feature that lets authorities manage how nearby AIS transmitters operate. As if this was not enough transmissions could also be sent out representing fake vessels or structures (e.g. lighthouses, navigational buoys etc.).
One important aspect of the above findings is that by faking AIS signals it is possible stage fake emergencies lets say a man overboard emergency, a collision or a grounding.
The researchers, Marco Balduzzi, Kyle Wihoit and Alessandro Pasta, were able to fool AIS online services (e.g. Marine Traffic) making a real tugboat disappearing from the Mississippi and reappearing on a Dallas lake, as if a different version of the Philadelphia Experiment was being conducted.
The AIS is an easy target because the signals are not encrypted and so it is easy to use software to craft a signal designed to do mischief. According to Marco Balduzzi all the ships out there are affected by this problem which is not tied to the hardware but to the protocol being used, mainly because the protocol was designed at a time when it was not easy to create such software.
Faking AIS signals is a very important issue and can affect directly safety in the shipping industry. For this reason, the researchers communicated with the three international organizations behind AIS, that is the International Maritime Organization (IMO), the International Association of Marine Aids to Navigation and Lighthouse Authorities (IALA) and the ITU Radiocommunication Sector (ITU-R), but only received a response from ITU-R stating that only a formal paper submitted via a government with IMO membership or an organization with consultative status would lead to any response in “fixing” the issue. This shows that these organizations may be unaware of the more matured world of vulnerability disclosure that takes place in the security industry.
Sources: MIT Technology Review, BBC, ABC, Trend Micro Blog
Officer of the Watch 
Reblogged this on Naval Matters.