AIS Fraught with Vulnerabilities
by Corey D. Ranslem (article originally appeared in The Triton newspaper: (https://www.the-triton.com/2020/01/secure-at-sea-ais-fraught-with-vulnerabilities/ )
AIS, or automatic identification system, has been around for about 20 years. The International Maritime Organization required the first AIS systems back in 2002 on certain types of vessels in critical areas of the world as an update to the SOLAS (Safety of Life at Sea Convention). The early requirements stated that all tankers and passenger vessels equal to or greater than 150 gross tons would be required to carry AIS, as well as all other ships of 300 gross tons or greater on international voyages, and 500 gross tons or greater on domestic voyages.
There are additional restrictions that have been put in place over the years by various countries. The U.S. requires AIS on all vessels of 65 feet or greater. Initially, fishing vessels and passenger vessels carrying less than 150 passengers were exempt, but that changed when full AIS went into effect back in 2016. There aren’t many vessels today, including large yachts, that don’t have AIS on board.
The AIS signals are unencrypted VHF-based radio signals that provide some basic vessel information, including vessel name, position, course and speed. This information is used by port authorities and shoreside VTS (vessel traffic systems) for identifying vessels. This information is also integrated into a vessel’s ECDIS (electronic charting display information system) or navigation and radar to provide information on the other vessels around for better identification and collision avoidance.
AIS is a great system that has enhanced collision avoidance and helped to improve vessel operations. However, there are numerous security vulnerabilities within the system. First, there are several vulnerabilities within the AIS system itself. It is very easy to intercept and change AIS information coming from vessels to shoreside facilities. It is also easy to “hack” into a vessel’s AIS and change its internal information. None of the information within the AIS system is encrypted, so it is very easy to change a vessel’s name, position, course and speed to just about anything and any location.
The underlying issue with the AIS system is that there is no authentication within the system and no integrity check of any of the data. It is also very easy to build an AIS system to intercept and transmit erroneous data.
Maritime security experts believed that pirates used AIS tracking to target certain vessels back in the early days of piracy, circa 2008. Now pirates, along with other nefarious actors, use AIS as a standard practice to carry out malicious activities. Many security experts recommend AIS transceivers be switched off while transiting high-risk areas. However, that is not always possible because of flag or coastal country regulations.
When you do some basic internet research, you can find several university and other research projects and studies conducted on the vulnerabilities of AIS, and how to carry out those various attacks. Even someone with basic computer knowledge could cause major issues with vessels and shoreside systems. Attackers could trigger false collision alarms or render the collision alarms useless in an actual collision situation. They can also change information to/from VTS and port authorities, causing issues with vessel arrivals and departures, as well as with collision avoidance. A hacker could theoretically render a VTS system useless and close a traffic area or port.
There are some global issues currently within the AIS system that need to be addressed on a political level that we won’t get into here. However, there are some basic measures that can be taken to ensure you are seeing and receiving the correct information. Double-check the output of your AIS to ensure the correct information is flowing from your system. Second, double check the information coming for other vessels that corresponds with the vessel’s radar or visual position in relation to your vessels. It doesn’t hurt to also ensure VTS and port authorities are seeing your correct information when navigating in restricted channels.