Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/11/2013
07:28 PM
50%
50%

Researchers Highlight Security Vulnerabilities In Ship-Tracking System

At the Hack in the Box conference, a group of researchers will demonstrate how attackers could fool a system meant to help ships avoid collisions

When it works normally, the Automatic Identification System (AIS) used by ships can be a captain's best friend, helping him or her avoid collisions on the high seas. Under the control of a hacker however, AIS could become a captain's worst enemy.

At the upcoming Hack in the Box Security Conference in Malaysia, a team of security researchers are preparing to demonstrate how an attacker could hijack AIS traffic and perform man-in-the middle attacks that enable them to turn the tracking system into a liability.

AIS is an automatic tracking system intended to help identify and locate vessels electronically to help avoid collisions on the water. AIS transponders on the ships include a GPS receiver and VHF transmitter, which transmits information to other vessels or base stations. AIS is required on many vessels, including international voyage ships weighing 300 tons or more and all passenger ships regardless of size.

According to Trend Micro's Kyle Wilhoit, one of the researchers who worked on the project, says the attacks can be broken up into two categories: those that target the AIS Internet providers that collect and distribute AIS information, and those that target flaws in the actual specification of the AIS protocol used by hardware receivers in all of the vessels. Without getting too deep into the vulnerabilities ahead of the presentation, which is slated for Oct. 16, Wilhoit explains that the upstream providers fail to authenticate AIS sentences coming from ships.

"I could go out, and I could pretend to be a boat, and they don't even fact-check it," he says. "They don't look at, OK ... is this AIS sentence actually a boat? They don't check any of that. So it's all accepted as is. It's accepted as true."

According to Wilhoit, these conditions could allow an attacker to tamper with valid AIS data and do everything from modify a ship's position to creating a fake vessel with the same details to fool anyone monitoring ships at sea.

The researchers are also prepared to demonstrate how the other set of attacks could be used to perform a variety of malicious actions, including fake "man-in-the-water" distress beacons -- which would trigger alarms on any vessels using AIS within approximately 50 KM -- as well as fake a CPA (closest point of approach) alert and trigger a collision warning alert.

"The complexity of the attack is what I would consider 'somewhat complex,'" Wilhoit says. "This is because the AIS protocols are typically not ... researched by security researchers. Therefore, there's a learning curve with the protocols, uses, [and] implementations of AIS. However, once you gain access to the AIVDM sentences, it's in clear text, which makes it somewhat easy to modify. Also, you have to reverse engineer the AIVDM sentences and be able to put them back together in order to correctly perform attacks -- which proved to be somewhat difficult."

The cost of performing the attack is relatively cheap: The necessary equipment can be purchased for between $100 and $300, depending on the attack.

The researchers are working with upstream providers and others on addressing the vulnerabilities, Wilhoit says.

"From the online Web providers, such as Marinetraffic.com, implementing authentication from every vessel submitting sentences would help mitigate the problem fairly quickly," he notes. "However, the fundamental problems with the AIS protocols would require a complete overhaul -- which is difficult because it's implemented worldwide in thousands of devices."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Peter Fretty
50%
50%
Peter Fretty,
User Rank: Moderator
11/14/2013 | 7:32:36 PM
re: Researchers Highlight Security Vulnerabilities In Ship-Tracking System
Closing vulnerabilities is part of keeping the fortress secure, especially in today's evolving threat landscape. Sophos offers some great advice here: http://nakedsecurity.sophos.co...

Peter Fretty
Nicca619
50%
50%
Nicca619,
User Rank: Apprentice
11/14/2013 | 5:34:34 AM
re: Researchers Highlight Security Vulnerabilities In Ship-Tracking System
Here are some good thoughts in reply to all the Buzz about AIS Hacking

http://www.portvision.com/news...
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
Capital One Breach: What Security Teams Can Do Now
Dr. Richard Gold, Head of Security Engineering at Digital Shadows,  8/23/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.
CVE-2019-12400
PUBLISHED: 2019-08-23
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this im...
CVE-2019-15092
PUBLISHED: 2019-08-23
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.