Researchers Highlight Security Vulnerabilities In Ship-Tracking System

  /     /     /  
Publicated : 22/11/2024   Category : security


Researchers Highlight Security Vulnerabilities In Ship-Tracking System


At the Hack in the Box conference, a group of researchers will demonstrate how attackers could fool a system meant to help ships avoid collisions



When it works normally, the Automatic Identification System (AIS) used by ships can be a captains best friend, helping him or her avoid collisions on the high seas. Under the control of a hacker however, AIS could become a captains worst enemy.
At the upcoming Hack in the Box Security Conference in Malaysia, a team of security researchers are preparing to demonstrate how an attacker could hijack AIS traffic and perform man-in-the middle attacks that enable them to turn the tracking system into a liability.
AIS is an automatic tracking system intended to help identify and locate vessels electronically to help avoid collisions on the water. AIS transponders on the ships include a GPS receiver and VHF transmitter, which transmits information to other vessels or base stations. AIS is required on many vessels, including international voyage ships weighing 300 tons or more and all passenger ships regardless of size.
According to Trend Micros Kyle Wilhoit, one of the researchers who worked on the project, says the attacks can be broken up into two categories: those that target the AIS Internet providers that collect and distribute AIS information, and those that target flaws in the actual specification of the AIS protocol used by hardware receivers in all of the vessels. Without getting too deep into the vulnerabilities ahead of the presentation, which is slated for Oct. 16, Wilhoit explains that the upstream providers fail to authenticate AIS sentences coming from ships.
I could go out, and I could pretend to be a boat, and they dont even fact-check it, he says. They dont look at, OK ... is this AIS sentence actually a boat? They dont check any of that. So its all accepted as is. Its accepted as true.
According to Wilhoit, these conditions could allow an attacker to tamper with valid AIS data and do everything from modify a ships position to creating a fake vessel with the same details to fool anyone monitoring ships at sea.
The researchers are also prepared to demonstrate how the other set of attacks could be used to perform a variety of malicious actions, including fake man-in-the-water distress beacons -- which would trigger alarms on any vessels using AIS within approximately 50 KM -- as well as fake a CPA (closest point of approach) alert and trigger a collision warning alert.
The complexity of the attack is what I would consider somewhat complex, Wilhoit says. This is because the AIS protocols are typically not ... researched by security researchers. Therefore, theres a learning curve with the protocols, uses, [and] implementations of AIS. However, once you gain access to the AIVDM sentences, its in clear text, which makes it somewhat easy to modify. Also, you have to reverse engineer the AIVDM sentences and be able to put them back together in order to correctly perform attacks -- which proved to be somewhat difficult.
The cost of performing the attack is relatively cheap: The necessary equipment can be purchased for between $100 and $300, depending on the attack.
The researchers are working with upstream providers and others on addressing the vulnerabilities, Wilhoit says.
From the online Web providers, such as Marinetraffic.com, implementing authentication from every vessel submitting sentences would help mitigate the problem fairly quickly, he notes. However, the fundamental problems with the AIS protocols would require a complete overhaul -- which is difficult because its implemented worldwide in thousands of devices.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact Dark Readings editors directly,
send us a message
.

Last News

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Researchers Highlight Security Vulnerabilities In Ship-Tracking System