AIS Exposed: New vulnerabilities and attacks. (HITB AMS 2014)

2,707 views
2,482 views

Published on

AIS, Automatic Identification System, is a promoted standard and implementation for vessels traffic safety and monitoring. With more than 400,000 installations worldwide, AIS is currently a mandatory installation for commercial vessels and a de-facto equipment for leisure crafts. AIS is largely used in ports worldwide -- Rotterdam alone monitors over 700 AIS-enabled vessels each day, serving 32,000 seagoing and 87,000 inland vessels a year.

Back in October 2013, during HITB KUL, we showed that AIS is hardly broken, both at implementation and protocol level, and it suffers from severe vulnerabilities like spoofing and man-in-the-middle. In this talk, we extend our research by sharing with the audience several novel attacks that we recently discovered, for example how to extensively disable AIS communications or attack the software installed at back-end by port authorities. By doing so, we hope to raise the necessary awareness and lead the involved parties into calling for a more robust and secure AIS.

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
2,707
On SlideShare
0
From Embeds
0
Number of Embeds
308
Actions
Shares
0
Downloads
16
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

AIS Exposed: New vulnerabilities and attacks. (HITB AMS 2014)

  1. 1. AIS Exposed New Vulnerabilities and Attacks Marco Balduzzi & Alessandro Pasta (Kyle Wilhoit) [HITB AMS, 29 May 2014]
  2. 2. Outline ● Balduzzi et al. , October 2013, HITB KUL ++
  3. 3. 3 Automatic Identification System ● AIS, Automatic Identification System ● Tracking system for vessels – Ship-to-ship communication – From/to port authorities (VTS) ● Some applications: – Maritime security (piracy) – Collision avoidance – Search and rescue – Accident investigation – Binary messages, e.g. Weather forecasting
  4. 4. 4 Required Installation ● Since 2002 ● Introduced to supplement existing safety systems, e.g. traditional radars ● Required on: – ANY International ship with gross tonnage of 300+ – ALL passenger ships regardless of size ● Estimated 400,000 installations ● Expected over a million
  5. 5. 5
  6. 6. 6 Data Exchange ● AIS messages are exchanged in two forms: ● Radio-frequency (VHF) – 162 ± 0.25 MHz ● Online AIS Providers
  7. 7. 7 Online Providers ● Collect and visualize vessels information ● Data upstream via: – Mobile Apps, Software – Email – API – Radio-frequency gateways deployed regionally
  8. 8. 8 Example – Port of AMS ● MarineTraffic.com
  9. 9. 9 Example – RF Transponder ● OpenCPN Chart Plotter + AIS Transponder
  10. 10. 10 Identified Threats ● Grouped in two macro categories ● 1. Implementation-specific = Online Providers [Software] VS ● 2. Protocol-specific = AIS Transponders [RF / VHF]
  11. 11. 11 AIS Application Layer ● AIVDM messages, e.g.: – Position reports – Static reports – Management (channel...) – Safety-related (SART) ● NMEA sentences , as GPS !AIVDM,1,1,,B,177KQJ5000G?tO`K>RA1wUbN0TKH,0*5C TAG, FRAG_#, FRAG_ID, N/A, CHANNEL, PAYLOAD, PAD, CRC
  12. 12. 12 AIVDM Encoder
  13. 13. 13 Example ● Ship involved in Military Operations ● MMSI 247 320162 (Italy)
  14. 14. 14 Spoofing – Online Providers ● Ships or Aids-to-Navigation
  15. 15. 15 US to North Korea... What?! ● Wargames (1983) or cyberwar?
  16. 16. 16 Programming a malicious route ● Tool to make a ship follow a path over time ● Programmed with Google Earth's KML/KMZ information
  17. 17. 17 Hijacking (Rouge Gateway)
  18. 18. 18 Example ● “Move” a real ship – Eleanor Gordon
  19. 19. 19 Popping Up in Dallas?
  20. 20. 20 Radio-Frequency (VHF) Threats
  21. 21. 21 AIS Communication over the Air ● Protocol designed in a “hardware-epoch” ● Hacking was difficult and cost expensive ● No authentication, no integrity check ● 2014 ● Craft AIS signals? ● Let's do it via software!
  22. 22. 22 SDR – Software Defined Radio ● Many applications, e.g. Radio / TV receivers, 20 USD ● Radio amateurs, SDR transmitters ● Reduced costs ● Reduced complexity ● Increased flexibility ● Accessible by many, pirates included!
  23. 23. 23 Our Testing Lab
  24. 24. 24 AIS Transmitter ● Built & implemented a software-based AIS transmitter ● GnuRadio, http://gnuradio.org/ ● Custom block: AIS Frame Builder [Ref, HITB KUL 2013]
  25. 25. 25 RF Spoofing ● Radio-frequency (VHF) version of spoofing ● Setup : [Attacker] – [Victim] ● Amplifier : 20+ km (modified radio)
  26. 26. 26 Victim's Console
  27. 27. 27 Injecting into legit AIS gateways
  28. 28. 28 Man-in-water Spoofing ● Fake a "man-in-the-water" distress beacon ● Trigger SART (S.O.S.) alerts ● Visually and acoustically ● Lure a victim vessel into navigating to a hostile and attacker-controller sea space ● Mandatory by legislation
  29. 29. 29 Man-in-water Spoofing
  30. 30. 30 Frequency Hopping (DoS++) ● Disable AIS transponders ● Switch to non-default frequency (RX and TX) ● Single or multiple target(s) ● Program a desired targeted region – Geographically remote region applies as well ● For example: Pirates can render a ship “invisible” upon entering Somalia
  31. 31. 31 Frequency Hopping (DoS++)
  32. 32. 32 CPA Alerting ● Fake a CPA alert, Closest Point of Approach ● Trigger a collision warning alert ● Possibly alter course
  33. 33. 33 CPA Alerting
  34. 34. 34 Malicious Weather Forecasting
  35. 35. 35 Slot Starvation (DoS++) ● Impersonate port authority ● Base station spoofing ● Book TDMA slots
  36. 36. 36 Slot Starvation (DoS++) ● Base Station Spoofing
  37. 37. 37 Slot Starvation (DoS++) ● Victim's Console
  38. 38. 38 Timing Attack (DoS++) ● Instruct an AIS transponder to delay its transmission in time ● Default broadcast time: – Static reports = 6 min – Dynamic reports = 0.5 to 3 min (depending on speed) ● Attack code: –
  39. 39. 39 Hardware Panic! (DoS) ● Flood the device... Noise on Channel + GPS
  40. 40. 40 Back to the r00ts ● AIS = Attack Vector ● AIVDM messages are exchanged and processed at application layer by back-end software – In VTS server installations ● Binary message, special type used for – Crew members, Number of passengers – Environment information ● Malicious payloads, e.g. BOF, SQLi, …
  41. 41. 41 Back to the r00ts ● SQL Error in back-end processing
  42. 42. 42 Attacking D-GPS ● Differential Global Positioning System (D-GPS) ● Used by port authorities to increase the precision of traditional GPS (meters → centimeters) ● Attack = Spoof D-GPS beacons to force ships into calculating a wrong “GPS position”! ● Message 17: GNSS broadcast binary message
  43. 43. 43 Attacking D-GPS ● Similar to “UT Austin Researchers Spoof Superyacht at Sea” – Monday, 29 July 2013
  44. 44. 44 Responsible Disclosure ● Experiments conducted without interfering with existing systems – Messages with safety-implications tested only in lab environment (wired connections) ● We reached out the appropriate providers and authorities within time – MarineTraffic, AisHub, VesselFinder, ShipFinder – ITU-R, IALA, IMO, US Coast Guards
  45. 45. 45 Proposed countermeasures ● Authentication – Ensure the transmitter is the owner (spoofing) ● Time Check – Avoid replay attack ● Integrity Monitoring – Tamper checking of AIS message (hijacking) ● Validity Check on Data Context – E.g., Geographical information
  46. 46. 46 Take Home ● AIS is widely used – Mandatory installation ● AIS is a major technology in marine safety ● AIS is broken at implementation-level ● AIS is broken at protocol-level ● We hope that our work will help in raising the issue and enhancing the existing situation!
  47. 47. 47 Thanks! ● Dr. Marco Balduzzi – @embyte ● Alessandro Pasta – @aka_pastus
  48. 48. 48 Bonus ;-) ● Real-World Experiment ● Simulate the operational conditions of an attacker at sea ● Coverage experiment ● Target: AIS Gateway Installation ● No time for demo video. Visit me offline

×