The Maritime Industry is Vulnerable to Cyber Attacks

Two weekends ago, Luke and I attended the NYC Maritime Hackathon. We came into the industry completely cold, but after reading a few of the problem statements presented to the hackathon attendees, we realized there's a gaping security hole in the protocol that ships use to communicate with one another. The README from our GitHub (which is still private, but will probably be open sourced soon) is below.

Problem Statement

Maritime vessels, such as boats, buoys, and lighthouses, report their navigational and operational information using a protocol called AIS. Since 2002, all ships over 300 gross tonnes and all passenger vessels have been required to broadcast their navigational data using AIS. As of 2014, there are over 300,000 AIS installations worldwide.

However, this data is unencrypted. There is no authentication process to verify that a navigational message is truly coming from the ship it claims to be. This makes all maritime vessels vulnerable to three primary types of attacks:

  • Ship spoofing - broadcasting a non-existent ship with a fake name, etc.
  • Meaconing - data is intercepted and rebroadcast with forged data
  • Broadcasting Stopped - transponder can be turned on/off at will

Example Attack Scenarios

  • Spoof origin country to avoid sanctions, e.g. Iranian ships claiming to be from Zanzibar to bypass nuclear sanctions
  • Broadcast a fake weather forecast
  • Steer a ship off course: the AIS protocol includes a special message type for "man overboard" alerts. Under international law, all nearby vessels which receive this alert are required to navigate to the distressed vessel and offer help. Since this system is susceptible to spoofing, it would be very easy to broadcast a forged "man overboard" message and steer a group of ships off course and into enemy territory.

How AIS Works

Today, AIS messages are broadcast over a radio frequency. Third party services, called AIS providers (like ship tracker websites), access this data over the internet.

AIS providers receive this info from Vessel Traffic Services which are aggregated data feeds of ship data, like a maritime version of air traffic control.

Additionally, a ship captain can decide to forward AIS data to a third party provider of his choice.

AIS data is broadcast regularly - a vessel moving above 23 knots sends an AIS message every 3 seconds. A navigational aid, like a lighthouse, sends a message every 3 minutes.

Ships receive unique AIS identifiers called MMSIs, also known as a "call sign." These identifiers are issued by maritime authorities, like the US Coast Guard. The first 3 digits of an MMSI specify the country - the United States has the prefix 338.

Our Solution

We utilize public key cryptography (PKI) to enable vessels to sign all outgoing AIS messages with a private key. This ensures that any message broadcast from a ship can be proved to have actually originated from that ship.

Currently, AIS message objects include a field (message 25) in which arbitrary metadata may be added. We utilize this field to include an authentication signature (SHA256 hash) with the message.

  • Vessels will maintain a small digital device with a list of trusted certificates. This certificate list can either be streamed via internet or updated manually when the ship enters a port.
  • We will utilize a metadata field in the AIS message format to include a message hash based on a stored private key.

Public Key Server

Many AIS units are already capable of connecting to a web interface for software updates. Stewart (2018) [2] has proposed that the US Coast Guard create a public key server to administer certificates to all vessels in the United States.

Some AIS devices may not be able to connect to a key server. In this case, an NTM (Notice to Mariners) can be used to distribute public keys. The NTM is a public bulletin board where maritime navigational alerts are posted, so it would make sense to include public keys here as well. The NTM could include public key updates as well. NTMs are distributed according to Coast Guard Districts.

It may make the most sense for governments to operate these key servers themselves, as there are existing secure radio channels which the Coast Guard uses to broadcast information. As a trial, the public key info could be broadcast to a list of only federally maintained MMSIs. [1]

Existing Proposals

The U.S. Coast Guard maintains its own encrypted AIS solution (EAIS) but this product is not available to civilian vessels. Public key cryptography has been proposed by others (USCG, 2014), but has the weakness of requiring coordination among the "trusted" parties in the trusted certificate list.

Criticisms

  • Public key cryptography requires coordination among the "trusted" parties in the trusted certificate list
  • If AIS messages are not timestamped correctly, they are susceptible to replay attacks. For example, an attacker could duplicate a hash from a previous message and append it to a new fraudulent message. However, if this happens then other fields in the message (latitude, longitude) are likely to be obviously fake.
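
The signing scheme from "Our Solution" and the replay concern in the last criticism, as an added Go example (not code from the authors' repository). Ed25519, the `SignedAIS` envelope, the 30-second freshness window and the sample MMSI and positions are assumptions of this example; how the signature would be packed into an AIS message is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"time"
)

// SignedAIS is a hypothetical envelope; the page defines no wire format.
type SignedAIS struct {
	MMSI         uint32
	Unix         int64 // sender timestamp, covered by the signature
	Payload, Sig []byte
}

var ErrUnauth = errors.New("no trusted key for MMSI or signature mismatch")
var ErrStale = errors.New("timestamp outside freshness window")

// signedBytes binds identity, time and content so none can be swapped alone.
func signedBytes(m SignedAIS) []byte {
	return []byte(fmt.Sprintf("%09d|%d|%s", m.MMSI, m.Unix, m.Payload))
}

// Sign is the vessel side; Ed25519 is this example's choice of algorithm.
func Sign(priv ed25519.PrivateKey, m SignedAIS) []byte { return ed25519.Sign(priv, signedBytes(m)) }

func Verify(keys map[uint32]ed25519.PublicKey, m SignedAIS, now time.Time, window time.Duration) error {
	pub, ok := keys[m.MMSI] // trusted key list, indexed by MMSI
	if !ok || !ed25519.Verify(pub, signedBytes(m), m.Sig) {
		return ErrUnauth // also rejects an old signature pasted onto new content
	}
	if age := now.Sub(time.Unix(m.Unix, 0)); age > window || age < -window {
		return ErrStale // verbatim replay of an old, validly signed message
	}
	return nil
}

func demo() [3]error { // constructed cases: fresh, forged content, replay
	pub, priv, _ := ed25519.GenerateKey(nil)
	keys := map[uint32]ed25519.PublicKey{338000001: pub} // constructed MMSI
	now, w := time.Unix(1700000000, 0), 30*time.Second
	m := SignedAIS{MMSI: 338000001, Unix: now.Unix(), Payload: []byte("lat=40.70,lon=-74.01")}
	m.Sig = Sign(priv, m)
	forged := SignedAIS{m.MMSI, m.Unix, []byte("lat=0.00,lon=0.00"), m.Sig}
	return [3]error{Verify(keys, m, now, w), Verify(keys, forged, now, w), Verify(keys, m, now.Add(10*time.Minute), w)}
}

func main() { fmt.Println(demo()) }
```

Because the timestamp and MMSI are inside the signed bytes, a receiver can reject both a reused signature and a stale message without relying on the position fields looking implausible.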

Glossary

MMSI - maritime mobile service identity

A Maritime Mobile Service Identity (MMSI) is a series of nine digits which are sent in digital form over a radio frequency channel in order to uniquely identify ship stations, ship earth stations, coast stations, coast earth stations, and group calls.

AIS - automatic identification system

AIS is an automatic tracking system that uses transponders on ships and is used by vessel traffic services (VTS). When satellites are used to detect AIS signatures, the term Satellite-AIS (S-AIS) is used.

References

[1] Stewart, Alexander, "Analysis Of Possible Authentication Strategies For The Automated Identification System" (2018). Projects in Information Assurance. 51. http://repository.stcloudstate.edu/msia_etds/51

[2] Stewart, Alexander, "Analysis Of Possible Authentication Strategies For The Automated Identification System" (2018). Projects in Information Assurance. 51. http://repository.stcloudstate.edu/msia_etds/51

[3] https://saab.com/globalassets/commercial/security/maritime-traffic-management-and-port-security-new-folder/traffic-management-solutions/stt---r5-supreme/w-ais/r5-secure-w-ais.pdf

[4] https://www.l-3mps.com/maritimesystems/ms-products-auto-id-system.aspx

[5] http://www.furuno.fr/Multimedia/Brochure_FA-170_EAIS_E.pdf

[6] https://epic.org/foia/dhs/uscg/nais/EPIC-15-05-29-USCG-FOIA-20151030-Production-2.pdf
