(NEW YORK) — Over the weekend a tugboat chugged along the mighty Mississippi River, heading for the Gulf, when, in a flash, it disappeared completely. Moments later it reappeared, popping into existence a few hundred miles away on a small lake in Texas.
At least, that’s what it would’ve appeared to do for anyone watching the ship’s unusual journey on the popular vessel tracking website MarineTraffic.com. In reality, the ship didn’t go anywhere and presumably had no idea it was the star of a demonstration put on by cyber security researchers meant to reveal vulnerabilities in online portals for a worldwide vessel tracking system.
The researchers, part of Trend Micro’s Forward Looking Threat team along with an independent researcher, said they’ve figured out how to “spoof” information going from a ship’s Automatic Identification System (AIS) to the online tracking services — meaning on a whim they can change not only the vessel’s location on the website’s map, but its size, type, origin or even the cargo it’s listed as carrying. The team said they can take an oil tanker sitting in the New York Harbor and drop it off the coast of North Korea or create a luxury yacht out of thin air, all just with their laptops.
The AIS is a safety feature, described by the U.S. Coast Guard as “foremost a navigational tool for collision avoidance,” that is a mandatory for all ships carrying passengers and any cargo vessels over a certain size, according to the International Maritime Organization. It allows other ships, port officials and governments to track hundreds of vessels at the same time.
Privately owned websites, such as MarineTraffic.com and similar sites, also take the data and distribute it publicly on live maps for their own “informational purposes” — keeping up with billions of traffic records for business owners, suppliers and maritime trade academics.
While a neat trick for the thousands of people worldwide that check the online vessel trackers, the researchers said hacking those private websites would likely not disrupt actual port operations which rely on their own AIS tracking systems. To do that, the researchers discovered they just had to attack the AIS directly by being close to a particular port.
According to Trend Micro’s Marco Balduzzi, he recently was able to sit within a few miles of a port he did not identify and manipulate a VHF radio frequency to make his own fake AIS signals and have them appear as if they are coming from the port or other ships. Balduzzi claimed that if he wanted, he could potentially convince other ships’ AIS trackers they were on a collision course with a fictional vessel, make a lighthouse pop up out of nowhere or trick the system into basically shutting itself down completely.
Radars, voice communications and other redundant safety systems at ports could stave off disaster, but Balduzzi said to him it’s still “scary.”
“This kind of protocol was designed at a time when it was not easy to create such [spoofing] software. Nowadays, it’s possible,” said Balduzzi, who worked on the AIS project with fellow Trend Micro cyber security expert Kyle Wilhoit and independent researcher Alessandro Pasta.
Demitris Memos, managing director of MarineTraffic.com, told ABC News this is not a new problem and it would not be difficult to spoof AIS signals, as the AIS hardware itself can be purchased for just a few hundred dollars.
“This is not encrypted, this is open,” he said. “Anyone with a device can broadcast their position and then they’re a vessel.”
Wilhoit said he was concerned how insecure the AIS system was, as marine commerce had grown more dependent on it, and feared that making the system less vulnerable would require new hardware installed on hundreds of ships.
A spokesperson for the IMO, which dictates international maritime regulations, declined to comment on the researchers’ claims about impersonating the AIS system directly, but noted that years ago it brought up concerns about the wisdom of private websites like MarineTraffic.com publishing AIS information online for all to see — and now apparently for hackers like Wilhoit and company to exploit.
Memos said that since the AIS information is transmitted on public channels, it doesn’t make any sense to criticize websites that just put that information together for the public. He said websites like his also are useful to company owners who want to keep tabs on their fleet and, to some extent, family members of the ships’ crews who want to know where their loved ones are at any given time.
Memos said MarineTraffic.com does run some protocols in the background to check for irregular ship movements that could detect artificial manipulation, a step towards defending against cyber attacks like the one that did Trend Micro’s disappearing act with the tugboat this weekend.
The U.S. Coast Guard’s Navigation Center, which is the government agency charged with tracking ships in U.S. waters, did not respond to a request for comment on this report Tuesday. ABC News received an automatic reply to an email stating that “due to the Federal Government shutdown, some inquiries may take longer than others for resolution.”
Wilhoit, Balduzzi and Pasta plan to present their findings at the cyber security conference Hack in the Box in Kuala Lumpur, Malaysia, Wednesday.
Copyright 2013 ABC News Radio
Alanna Petroff, CNN
Samira Said and Catherine E. Shoichet, CNN
Tara Bench, KSL.com