Shippers, traders and researchers monitoring global vessel traffic in the past six months might have seen an imaginary U.S. ferry sail to North Korea, a tugboat go from the Mississippi River to a Dallas lake in two minutes and the path of a fake Italian yacht spelling out PWNED -- hacker slang for “defeated.”
These false signals, orchestrated by Trend Micro Inc., a Tokyo-based Internet security company, were designed to expose vulnerabilities in the mandatory system used to track merchant vessels worldwide. With the network that was built to improve safety at sea unprotected against hackers, phony tracks could lead to collisions and other accidents, according to the International Chamber of Shipping, a trade association representing more than 80 percent of the fleet.
International conventions require all ships to broadcast their identity, status and location to other vessels and coastal authorities. The signals, compiled by websites such as marinetraffic.com and data services including Bloomberg LP, the parent of Bloomberg News, may be used to gauge how many ships are available to load a cargo or predict trade before official figures are released. The system needs security, according to Kyle Wilhoit, a Trend Micro researcher in St. Louis.
“This would be the equivalent of a house being wide open, windows open, everything wide open,” Wilhoit said by phone Oct. 21. “We can literally move, create and modify existing boats, as well as boats that don’t even exist. Some nerd in a basement can do that.”
Trend Micro wants to help secure the system and is working with U.S. government agencies to bring the matter before the International Maritime Organization, the United Nations agency that oversees shipping, Wilhoit said, declining to be more specific. The IMO can’t consider the issue until a member state or organization formally presents it for review, spokeswoman Natasha Brown said by phone from London Oct. 21, declining to comment further.
Since 2004, an IMO convention required all ships to carry automatic identification systems, known as AIS. As an international standard, the actual technology isn’t owned by anyone, much like the Internet. Ships carry transponders that communicate with shore-based antennae and satellites to report their identity, position, speed and status.
AIS isn’t meant to replace navigation systems such as radar, according to IMO regulations. Data are either transmitted automatically or manually entered by a ship’s captain. Authorities around the world who use the signals say they’re generally reliable: A 2011 study by the Lisbon-based European Maritime Safety Agency found that fewer than 3 percent of ships were signaling invalid identification numbers.
A disclaimer on marinetraffic.com says the site isn’t responsible for the underlying AIS data, which may be inaccurate or incomplete because of radio interference, weather conditions, incorrectly configured devices or negligent data entry by a vessel’s crew.
The signals are aggregated and made available on websites and through paid services such as IHS Inc. (IHS)’s AISLive, which shows updates every three minutes from 70,000 vessels in more than 100 countries. While that’s useful for analysts, ship owners generally resent AIS because it weakens their ability to win higher rates by bluffing about vessel availability, said Peter Sand, an analyst at the Baltic and International Maritime Council, whose members control 65 percent of the global fleet.
‘DONT BE NOSEY’
“Ship owners would rather be without that,” Sand said by phone Oct. 24. “With AIS available to everybody, it has limited negotiating power.”
Shipping rates have declined since 2008 because owners ordered too many vessels before the global recession. The ClarkSea Index, a measure of industrywide earnings, averaged $9,586 a day this year, tied with 2012 for the lowest since at least 1990, according to data from Clarkson Plc (CKN), the world’s largest shipbroker.
The knowledge that signals are being monitored has sometimes affected the transmissions. Ships transiting Somalia’s coast often broadcast “ARMED GUARDS” because of speculation that pirates follow the signals to target ships and won’t attack those with security details. Others misspell or abbreviate their destination, or even display “NONE OF UR BUSINESS” and “DONT BE NOSEY.” An Iranian tanker once reported its destination as “NEW YOURK” (sic), according to data compiled by Bloomberg.
Some of Iran’s fleet stopped signaling since U.S. and European sanctions started hampering the country’s oil exports last year, according to the International Energy Agency. Vessels that switch off their AIS equipment will still be seen by radar, IHS said in an e-mailed statement.
The system has no way of verifying who’s submitting data and whether the signals are plausible, according to the Trend Micro study presented Oct. 16 at the Hack in the Box conference in Kuala Lumpur.
Since shippers and traders monitor the signals to anticipate trade patterns, hackers could theoretically profit from betting on commodity or freight prices and manipulating AIS, said Roy Mason, the founder of tanker tracker Oil Movements, who has been using information from port agents, shipbrokers and AIS signals for 26 years. This would require significant effort because shipping markets are highly variable, he said.
“In order to establish that something real has happened, something significant and out of the ordinary, three to four weeks is what’s needed,” Mason said by phone Oct. 24. “One extra tanker isn’t news, but 10 is, or 20.”
Marine trackers know to discount signals that appear untrustworthy, Mason said. If data appear suspect, users should check the ship’s flag, name and identification numbers, IHS said.
The U.S. Coast Guard hasn’t received any reports of AIS hacking, spokesman Carlos Diaz said by e-mail.
AIS is vulnerable to hacking because it lacks any form of authentication or encryption, EMSA said in an Oct. 22 e-mailed statement. Updating the protocols is the responsibility of the IMO and the International Telecommunication Union, according to EMSA.
The ITU will consider enhancements to AIS at the World Radiocommunication Conference in 2015, the Geneva-based organization said in an e-mailed statement Oct. 28. The agenda does not include security, which is the IMO’s responsibility, the ITU said in an e-mail today.
Equipment needed to transmit the false signals cost about 700 euros ($965), Wilhoit said. Trend Micro found ways to stage fake emergencies, such as a man overboard or collision warnings, he said. They didn’t attack any real vessels.
“AIS is now being used at the fringes of what it was intended for,” John Murray, marine director at the International Chamber of Shipping in London, said by phone Oct. 21. “When signals can be spoofed or inaccurate for whatever reason, inevitably this is of concern.”
To contact the editor responsible for this story: Alaric Nightingale at firstname.lastname@example.org