Should ship data be open to the public?

AIS data is part of the geo-positioning web that tracks vessels and keeps them safe from collision, but the data is publically available. Rapid7 security researcher Claudio Guarnieri discusses the company's recent study looking into this information security issue.

As useful as AIS is for the industry and shipowners, the security credentials of the technology have been a source of controversy

Automatic identification systems (AIS) have become an integral part of the maritime geo-positioning landscape as a supplement to marine radar.

As another layer of information to help minimise the risk of collisions, especially when vessels are out of range of shore-based location systems, these unassuming devices have become increasingly ubiquitous in the shipping industry, and indeed compulsory in many cases.

"Receivers expose publicly on the Internet every AIS message they collect, with no authentication."

As useful as AIS is for the industry and shipowners, the security credentials of the technology have been a source of controversy for a while.

AIS data is easy to pick up using a commonly available AIS receiver - the information, which includes positioning and short operational messages, is uploaded to the Internet with absolutely no authorisation. This streaming data can be collected from AIS receivers themselves, or through dedicated websites.

For many, the wide availability of this information is an uneasy prospect, with the implications leading some organisations to label it a security threat. The latest organisation to call attention to the issue is IT security firm Rapid7, which published the results of an informal study looking into AIS data availability in April 2013. In 12 hours, the company was able to gather 2GB of data logged by AIS receivers around the world, including millions of messages and the tracking of 34,000 vessel locations and headings.

We talked to Rapid7 security researcher Claudio Guarnieri, who led the research, to find out more about AIS data availability and any potential implications for the shipping industry.

Chris Lo: Could you summarise the potential AIS security concerns you found?

Claudio Guarnieri: The blog post on AIS was intended as an expansion of a larger research that we conducted on serial port servers: devices that make computer systems connected to the Internet when they don't originally have the capability or the intention to be so.

"I certainly did not expect to see hundreds of AIS receivers just publicly streaming everything."

Those generally do not include ships' onboard AIS transceivers, which shouldn't be Internet-enabled, but rather receivers placed on mainland by public and private organisations.

Those receivers expose publicly on the Internet every AIS message they collect, with no authentication whatsoever. The problem that we wanted to address doesn't really rely on AIS itself, but on the public availability of AIS devices on the Internet when they originally shouldn't be. Access to the data they collect is an additional concern that was not our main interest and that I leave to others to evaluate.

For example, an attacker could gain access to the AIS receiver and use that as a trampoline to obtain further access in the operator's network. An attacker could also perform a DDoS attack against the AIS receiver; in this way the device would not be able to collect and serve the messages from vessels in the proximity and fundamentally "blind" whoever is operating the receiver, which in the case of a port authority or coast guard could be a critical issue.

CL: During your research, were you surprised by how much data was easily available online?

CG: I was aware that there are websites online that provide geopositioning of ships, which is already quite impressive.

I certainly did not expect to see hundreds of AIS receivers just publicly streaming everything they were collecting, not only geopositions but also safety requests and all other types of AIS message.

CL: It seems fairly easy to get information on ship locations and other data using an AIS receiver, but what are the real-world threats that could be caused by this vulnerability?

CG: It is indeed very easy to get ship locations using AIS data. It is already really easy through the use of dedicated websites, and when not enough, collecting data from the non-volunteering AIS receivers we exposed could give additional visibility.

I'm not informed enough to make a statement on whether real-world piracy might be a realistic threat, although it could be a possibility that I wouldn't exclude.

One of the few real threats that I could see with the current implementation of AIS, is that anyone could fundamentally spoof and craft fake AIS messages to transmit to nearby vessels and receivers.

In that scenario, someone could potentially fake the presence of ships in critical geographical positions, causing havoc and perhaps forcing vessels to make risky manoeuvres. However, the use of radars and sonar in combination with AIS should prevent that.

CL: Aside from ship locations, what other information can be accessed from AIS, and could this data also be potentially misused?

CG: AIS supports a lot of different messages, including safety messages, manoeuvre notifications and so on. These messages often include not only the geographical position, but also the identifier, the name, the type and the state of the ship.

How this information can be misused is out of the scope of my expertise, as it could be anything left to the imagination, knowing so many details of so many vessels of different nature all around the globe.

CL: AIS insecurity has been flagged as a problem before, by the International Maritime Organisation - why do you think the shipping industry has been slow to react?

CG: I believe the International Maritime Organisation condemned the availability of AIS data on the Internet, which is something I agree on and that I see as an unnecessary risk.

While documenting myself online I observed some controversy with people divided in supporting and condemning the availability of this data.

I don't entirely understand the use of public global mapping of vessels, but as it is already largely available, the public seems to largely accept it despite the scepticism from the authorities.

CL: Could easy access to AIS data make it easier for hackers to attack critical marine systems?

CG: Out of the context of the larger research we were conducting on serial port servers it might have appeared the opposite, but our main concern was actually the availability and the security state of Internet-enabled AIS devices, rather than of the data itself.

The large majority of mainland AIS receivers that we identified run very old versions of Microsoft Windows and services that could be a very easy entry point for a motivated attacker looking to obtain extended access to the operator of such devices.

CL: What would be the best ways to make AIS data more secure?

CG: If talking about the actual implementation of the protocol, an identification and authentication mechanism would be helpful to prevent possible spoofing of messages.

"Anyone could craft fake AIS messages to transmit to nearby vessels and receivers."

However this is not up to the consumers and it's unlikely to ever change since AIS is such a long-established and largely used system; it would be unrealistic to force all vessels to comply to a new standard at this point.

In terms of global availability of the data, AIS operates through waves meaning that only ships and mainland receivers in the proximity can receive messages from the sender.

The problem is that people started using it beyond its original intent, by collecting and streaming or otherwise making available AIS data on the Internet. That might be a mistake, or at least something that the maritime community should make a final decision on.

CL: Do you think major industries like the maritime sector need to take online security and data protection more seriously?

CG: Everybody needs to take security more seriously, including the maritime sector of course. Preventing these devices from being unnecessarily exposed on the Internet and maintaining a decent state of security would already be a great step forward.

However, history tells us that security is only taken into consideration only after the worst already happened, so until this sector becomes - hopefully it won't - a consistent target of computer attacks, I wouldn't expect anything to change radically.

Follow Chris Lo on Google+

Related content

A world afloat: why seaborne trade will double before 2030

The maritime industry may be currently going through its biggest crisis for decades, but looking ahead to 2030 the future for shipping and seaborne trade looks much more promising.

Cold, hard facts - how melting Arctic ice will open shipping opportunities

Changing Arctic Sea ice conditions will open new shipping routes through the North Polar region and enable extended summer navigability for current open-water routes by mid-century, most notably between the East Coast of the US and Asia.