Hey Captain, Where’s Your Ship? Attacking Vessel Tracking Systems for Fun and Profit
Marco Balduzzi, Kyle Wilhoit, Alessand...
Captain, Where Is Your Ship – Compromising Vessel Tracking Systems


A talk given by Kyle Wilhoit and Marco Balduzzi from Trend Micro's Forward Looking Threat Research team, along with independent researcher Alessandro Pasta.

Abstract:
In recent years, automated identification systems (AISes) have been introduced to enhance vessel tracking and provide extra safety to marine traffic, on top of conventional radar installations. AIS, which is currently a mandatory installation for all passenger ships and ships over 300 metric tonnes, works by acquiring GPS coordinates and exchanging a vessel’s position, course and information with nearby ships, offshore installations, i.e. harbors and traffic controls, and Internet tracking and visualizing providers.
With an estimated 400,000 installations, AIS is currently the best system for collision avoidance, maritime security, aids to navigation and accident investigations.
Given its primary importance in marine traffic safety, we conducted a comprehensive security evaluation of AIS, tackling it from both a software and a hardware (radio frequency) perspective.

In this talk, we share with you our findings, i.e. how we have been able to hijack and perform man-in-the-middle attacks on existing vessels, take over AIS communications, tamper with the major online tracking providers and eventually fake our own yacht!

Published in: Technology, Business

  1. Hey Captain, Where’s Your Ship? Attacking Vessel Tracking Systems for Fun and Profit
     Marco Balduzzi, Kyle Wilhoit, Alessandro Pasta (@embyte / IZ2PMO, @lowcalspam, IZ2RPA)
  2. Ingredients
  3. Automatic Identification System
     ● Tracking system for ships
       – Centralized management for port authorities (VTS)
       – Ship-to-ship communication in open sea
     ● Used for plot, course, position, and speed
     ● Some applications:
       – Vessel Traffic Services
       – Collision Avoidance
       – Maritime Security
       – Aids to Navigation (AtoN)
       – Search and rescue, accident investigation
       – Binary messages, e.g. weather forecasting
  4. Automatic Identification System
     ● Introduced to supplement the existing safety systems, e.g. traditional radars
     ● IMO agreement 2002, widely used since 2006
       – Required on any international ship with gross tonnage of 300 or more tons.
       – Also required on ALL passenger ships regardless of size
     ● Estimated 400,000 installations. Expected over a million within 2014.
  5. (no text on slide)
  6. Online AIS Services
     ● Collect and visualize ship information
     ● Upstream done via:
       – Email
       – TCP/UDP Socket
       – Commercial Software
       – Smartphone Apps
       – Radio-Frequency Gateways (deployed regionally)
  7. MarineTraffic Demo
  8. AIS Application Layer
     ● AIVDM sentences
     ● NMEA sentences, as GPS
       !AIVDM,1,1,,B,177KQJ5000G?tO`K>RA1wUbN0TKH,0*5C
       TAG, FRAG_#, FRAG_ID, N/A, CHANNEL, PAYLOAD, PAD, CRC
  9. Message 1/18: Position Report
     Maritime Mobile Service Identity (MMSI) number: shared among multiple messages
     ● Longitude, latitude, navigation status, speed-over-ground (SOG), course-over-ground (COG)
     ● Sent every 3 to 30 seconds, depending on ship speed
     ● 168 bits
  10. Message 24: Static Report
     ● Types 24A [160 bits] and 24B [168 bits]
     ● Name, callsign, dimension
     ● Type of ship and cargo type, e.g.
       – 35: Engaged in military operations
       – 51: Search and rescue
       – 55: Law enforcement
       – 5X: Carrying dangerous goods (e.g. Nuclear)
  11. A Few Others
     ● Type 8: Binary Broadcast Message
       – Weather Forecasting
     ● Type 22: Channel Management
       – Reserved for Port Authorities
     ● Type 14: Safety-Related Broadcast Message
       – SOS, Man-In-Water
  12. Generate Valid AIVDM Sentences
  13. AIVDM_Encoder Example
     ● Example of generation of an AIVDM sentence for:
       ● Ship involved in Military Operations
       ● Named HiTB13
  14. Identified Threats
     ● Grouped in two macro families:
       – Implementation-specific vs. protocol-specific
  15. Spoofing Attack
     ● Ships, AtoN, Aircraft
  16. North Korea... What?!
  17. And...
  18. Autopwning
     ● Script to make a ship follow a path over time
     ● Programmed with Google Earth's KML/KMZ information
  19. Ship Hijacking via AIS Gateway
  20. Eleanor Gordon
     ● Eleanor Gordon...Real ship...
  21. Eleanor Gordon Popping Up in Dallas?
  22. Landing Lake
  23. Replay Attack
  24. (no text on slide)
  25. AIS Communication over the Air
     ● No authentication, no integrity check
     ● Protocol designed in a “hardware-epoch”
     ● Hacking: difficult and expensive
     ● Fake AIS signals?
     ● Let's do it via software!
  26. SDR: Software Defined Radio
     ● Paradigm switch from hardware to software
     ● Reduced costs, reduced complexity, increased flexibility
     ● Many applications, e.g. radio/TV receiver, 20 USD
     ● Accessible by many, bad guys included!
  27. GNU Radio and USRP Synergy
     Universal Software Radio Peripheral
  28. AIS Transmitter
     ● GNU Radio flowchart for transmitting AIS message on the air
     ● 4 main components / blocks
     ● IDE → Python script
  29. AIS Frame Builder
     ● Implements the AIS Stack (C code)
     ● Builds the Frame to be modulated
  30. (no text on slide)
  31. Equipment
     Universal Software Radio Peripheral
     AIS Transceiver
  32. Outdoor experiments
     Standard VHF Transceiver (Radio)
     Moxon Directional Antenna
  33. Attack 1: Man-in-water Spoofing
     ● Fake a "man-in-the-water" distress beacon at any location
     ● Similar to Avalanche Safety Beacons
     ● <live demo>
  34. Attack 2: Frequency Hopping [1/2]
     ● Disable AIS transponders
       – Up to 5 weeks
     ● Switch to non-default frequency
     ● Stored in flash memory
     ● Specify a desired targeted region
       – Geographically remote region applies as well
     ● E.g. Pirates can render a ship invisible in Somalia
  35. Attack 2: Frequency Hopping [2/2]
  36. Attack 3: CPA Alerting [1/2]
     ● Fake a CPA alert (Closest Point of Approach) and trigger a collision warning alert.
  37. Attack 3: CPA Alerting [2/2]
  38. Attack 4: Weather Forecasting
  39. Real-World Experiment
     ● Generate a valid over-the-air AIS message
     ● Target: AIS proxy
     ● Demo
  40. Responsible Disclosure
     ● Our experiments are conducted without interfering with existing systems
       – Messages with safety implications tested only in remote lab environment
     ● We reached out to the appropriate providers and authorities in time
     ● Online providers:
       – MarineTraffic, AisHub, VesselFinder, ShipFinder
     ● Standard bodies:
       – ITU-R: 11 September 2013
       – IALA, IMO, US Coast Guards: No answer yet
  41. Countermeasures
     ● Authentication
       – Ensure the transmitter is the owner
     ● Integrity Monitoring
       – Tamper checking of AIS message
     ● Time Check
       – Avoid replay attack
     ● Validity Check on Data Context
       – E.g., geographical information
  42. Take Home
     ● AIS is widely used – Mandatory installation
     ● AIS is a major technology in marine safety
     ● AIS is broken at implementation-level
     ● AIS is broken at protocol-level
     ● We hope that our work will help in raising the issue and enhancing the existing situation!
  43. Questions?
     ● Thanks! FTR, Germano (IW2DCK), ITU-R
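
The AIVDM field layout on slide 8 and the type and MMSI fields from slide 9, decoded from the sentence shown on slide 8. This is an added example, not code from the talk; the function names are assumptions, and it handles single-fragment sentences only.

```python
# Added example (not from the slides): checksum-check and decode an AIVDM sentence.
SAMPLE = "!AIVDM,1,1,,B,177KQJ5000G?tO`K>RA1wUbN0TKH,0*5C"  # sentence from slide 8


def nmea_checksum(body: str) -> int:
    """XOR of every character between the leading '!' and the '*'."""
    value = 0
    for ch in body:
        value ^= ord(ch)
    return value


def dearmor(payload: str, pad: int) -> str:
    """Expand the 6-bit ASCII armoring into a bit string, minus pad bits."""
    bits = []
    for ch in payload:
        if not ("0" <= ch <= "W" or "`" <= ch <= "w"):
            raise ValueError(f"illegal payload character {ch!r}")
        v = ord(ch) - 48
        if v > 40:
            v -= 8
        bits.append(format(v, "06b"))
    joined = "".join(bits)
    return joined[: len(joined) - pad]


def parse_aivdm(sentence: str) -> dict:
    """Split the slide's fields and decode message type and MMSI."""
    if not sentence.startswith("!") or "*" not in sentence:
        raise ValueError("not an AIVDM sentence")
    body, crc = sentence[1:].rsplit("*", 1)
    if nmea_checksum(body) != int(crc, 16):
        raise ValueError("checksum mismatch")
    fields = body.split(",")
    if len(fields) != 7 or fields[0] != "AIVDM":
        raise ValueError("unexpected field layout")
    tag, frag_count, frag_id, _seq, channel, payload, pad = fields
    if frag_count != "1":
        raise ValueError("multi-fragment reassembly is out of scope here")
    bits = dearmor(payload, int(pad))
    return {
        "channel": channel,
        "msg_type": int(bits[0:6], 2),   # bits 0-5
        "mmsi": int(bits[8:38], 2),      # bits 8-37, after 2 repeat bits
        "payload_bits": len(bits),
    }
```

The trailing CRC is an unkeyed XOR, so a passing check shows only that the sentence is well formed; it says nothing about who transmitted it, which is the gap slide 25 points at.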
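
The "Time Check" and "Validity Check on Data Context" countermeasures from slide 41, sketched as receiver-side plausibility checks over already-decoded position reports. This is an added example, not code from the talk; the report fields (including a feed-attached `sent_ts`), the thresholds and the sample track are assumptions constructed for illustration.

```python
# Added example (not from the slides): time and geographic plausibility checks.
from math import asin, cos, radians, sin, sqrt

MAX_SKEW_S = 120          # assumed tolerance between claimed and receive time
MAX_SPEED_KN = 60.0       # assumed speed ceiling for a surface vessel
EARTH_RADIUS_NM = 3440.065


def distance_nm(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in nautical miles."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_NM * asin(sqrt(a))


def check_reports(reports):
    """Return (index, reason) findings for a receive-ordered list of reports."""
    findings, last_good = [], {}
    for i, r in enumerate(reports):
        # Time check: claimed time must be close to when we received it.
        if abs(r["recv_ts"] - r["sent_ts"]) > MAX_SKEW_S:
            findings.append((i, "stale-or-replayed"))
            continue  # a rejected report must not move the track
        prev = last_good.get(r["mmsi"])
        if prev is not None:
            hours = (r["sent_ts"] - prev["sent_ts"]) / 3600.0
            if hours <= 0:
                findings.append((i, "time-not-advancing"))
                continue
            # Data-context check: speed implied by the two positions.
            dist = distance_nm(prev["lat"], prev["lon"], r["lat"], r["lon"])
            if dist / hours > MAX_SPEED_KN:
                findings.append((i, "implausible-jump"))
                continue
        last_good[r["mmsi"]] = r
    return findings


# Constructed sample track (placeholder MMSI, not real traffic).
REPORTS = [
    {"mmsi": 123456789, "sent_ts": 1000, "recv_ts": 1001, "lat": 29.950, "lon": -90.060},
    {"mmsi": 123456789, "sent_ts": 1030, "recv_ts": 1031, "lat": 29.951, "lon": -90.061},
    {"mmsi": 123456789, "sent_ts": 1060, "recv_ts": 1061, "lat": 32.780, "lon": -96.800},
    {"mmsi": 123456789, "sent_ts": 1030, "recv_ts": 5000, "lat": 29.951, "lon": -90.061},
    {"mmsi": 123456789, "sent_ts": 5030, "recv_ts": 5031, "lat": 29.952, "lon": -90.062},
]
```

On the sample track the third report (a jump of several hundred nautical miles in 30 seconds) and the fourth (an old report received much later) are flagged, while the rest pass.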