Cybersecurity in Practice (Part III): PWNED Maritime Systems

By: Cheng Lai Ki

Internet based Maritime Traffic Map detailing the positions of types of vessels off the coast of the United Kingdom

Russian cybersecurity firm Kaspersky suggested in a May 2015 report that the current cybersecurity capabilities of the maritime industry make it ‘easy meat for cyber criminals’. Commercially, the maritime industry remains a critical component of national development, supporting state expansion, national economic growth, and international trade. The sector has steadily modernized alongside the emergence of new technologies. Now we are seeing larger commercial vessels (e.g. Quantum of the Seas) and more advanced warships (e.g. USS Zumwalt DDG 1000) cruising into the great blue. Nowadays, all maritime platforms critically depend on functional navigational systems to ensure their maneuvers are both safe and legal. However, just how safe are maritime navigational systems from cyberattacks?

Automated Identification Systems

Historically, maritime navigation relied on instruments such as the sextant and naval charts to calculate distances between two objects or points. This depended critically on the navigational abilities of the naval officer and is still taught today to midshipmen – naval officer cadets. However, these navigational elements have been progressively replaced by electronic platforms such as Radar (Radio Detection and Ranging) and space-based systems (e.g. GPS; GLONASS).

Platforms of every category utilize the Automated Identification System (AIS) to coordinate maritime maneuvers and other operations dependent on navigational data. On a technical level, the AIS is a broadcast system that acts like a transponder on the VHF Maritime Band. It handles large amounts of data through Self-Organizing Time Division Multiple Access (SOTDMA) technology to meet the demands of larger vessels and busy ports.[1] Modern AIS operates on High-Level Data Link Control, which utilizes bit-orientated synchronous data-link layer protocols from different modulation techniques of ‘AM, FM, Phase-Modulation, QAM, Trellis-Code’.[2]

Within naval domains, there are other popular systems such as the Maritime Safety and Security Information System (MSSIS), a non-classified data-sharing system for the exchange of maritime information and currently used by over 75 nations. However, the AIS is still the mainstream data resource available to everyone ‘carrying an AIS transponder and is within range to receive the AIS signal’.

You have been PWNED

In 2014, senior threat researchers Marco Balduzzi and Kyle Wilhoit from the cybersecurity company TrendMicro built their own AIS transponder, connected it to a laptop and subsequently manipulated various components within the intercepted AIS data.[3] Through manipulating the intercepted AIS data-stream, they were able to fool critical safety mechanisms (e.g. collision detection) and alter digital identifiers on online/internet AIS databases. Perhaps more terrifying, the researchers were able to effectively intercept, access and manipulate the navigational data and (albeit jokingly) generated a ‘fictional [but] generic ship spelling “PWNED” in the Mediterranean Sea’.[4]

While their tomfoolery of writing ‘PWNED’ in the middle of the Mediterranean may be amusing to some, there are significantly greater and more catastrophic ramifications associated with a compromised navigational system that could lead to loss of life – or even war.

TrendMicro researchers manipulated AIS data and created a fictional vessel to spell ‘PWNED’, a computer nomenclature to indicate an adversary has been beaten.

Let us contextualize TrendMicro’s discoveries through this internet-based AIS manipulation.

First, the researchers revealed that accurate locations (and even the existence) of vessels can be falsified. Malicious actors (e.g. maritime smugglers or pirates) could disguise their vessels with this digital camouflage to evade authorities or ambush unsuspecting targets. The amount of information embedded within AIS data (vessel classification, size, type, movement characteristics and location) provides malicious actors more or less all the intelligence required for an effective kinetic attack.
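A defensive counterpart to the falsified-position finding, as an added example that is not from the original article or from TrendMicro's research: a plausibility check over decoded AIS position reports that flags tracks whose implied speed is physically impossible or disagrees with the speed the vessel reports. The report tuples, MMSI values, thresholds and function names are assumptions constructed for illustration.

```python
import math

# Constructed sample of decoded AIS position reports (not real traffic).
# Fields: MMSI, UNIX time (s), latitude, longitude, reported speed over ground (kn).
REPORTS = [
    (235000001, 0,    50.7000, -1.0000, 12.0),
    (235000001, 600,  50.7330, -1.0000, 12.0),  # about 2 nm in 10 min: consistent
    (235000001, 1200, 36.0000, 15.0000, 12.0),  # sudden jump to the Mediterranean
    (235000002, 0,    51.0000,  1.5000,  8.0),
    (235000002, 600,  51.0000,  1.5000,  8.0),  # reports 8 kn but has not moved
]

EARTH_RADIUS_NM = 3440.065
MAX_PLAUSIBLE_KN = 60.0   # assumed ceiling for a surface vessel
SOG_TOLERANCE_KN = 5.0    # assumed slack between reported and implied speed


def distance_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance in nautical miles (haversine formula)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat = p2 - p1
    dlon = math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))


def flag_implausible(reports):
    """Return (mmsi, time, reason) for each report that is inconsistent
    with the previous report received from the same MMSI."""
    last = {}
    alerts = []
    for mmsi, t, lat, lon, sog in sorted(reports, key=lambda r: (r[0], r[1])):
        prev = last.get(mmsi)
        last[mmsi] = (t, lat, lon)
        if prev is None or t <= prev[0]:
            continue  # first sighting or out-of-order report: nothing to compare
        hours = (t - prev[0]) / 3600.0
        implied_kn = distance_nm(prev[1], prev[2], lat, lon) / hours
        if implied_kn > MAX_PLAUSIBLE_KN:
            alerts.append((mmsi, t, "position jump"))
        elif abs(implied_kn - sog) > SOG_TOLERANCE_KN:
            alerts.append((mmsi, t, "speed mismatch"))
    return alerts


if __name__ == "__main__":
    for alert in flag_implausible(REPORTS):
        print(alert)
```

A check like this only catches tracks that contradict themselves; a spoofed vessel that moves at a believable speed needs corroboration from an independent source such as radar.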

Second, the researchers also managed to manipulate systems that critically depend on accurate AIS data. A tampered or compromised collision warning system could have costly ramifications and cause significant loss of life if triggered on a large vessel (e.g. luxury cruise liners). In addition, shore-based platforms also depend on AIS data to manage maritime safety through an AIS-compatible Global Maritime Distress and Safety System (GMDSS). If a vessel’s AIS transponder has been masked or spoofed by attackers, the exploitation could be used as a distraction, easily deployed for follow-on attacks or for stretching the search and response resources of authorities.

Third, how would the attackers get in? While not all attackers are going to build and use their own AIS transponder, this does not limit their possible attack vectors. Malicious actors could easily use various cyber espionage tactics (e.g. JavaScript injection) to infect staff networks to monitor or manipulate computer activity. Once in the system, attackers could hijack the transponder of their targeted vessel as a proxy.

However, all attack vectors target the most recognised vulnerability within the entire cybersecurity sector, the human element.

What Now?

At the 2016 IP Expo Europe, Eugene Kaspersky (CEO of Kaspersky) and Rik Ferguson (Head of Global Research at TrendMicro) highlighted two key points at a panel discussion. Kaspersky, a giant within the industry, stated our increasing need to ensure the cybersecurity of the command and control networks within National Critical Infrastructures (NCI); a point he has been preaching since long before his engagement with Stuxnet in the early 2000s. In addition, Ferguson highlighted a pan-industry (and sector) need to return to basics: despite their sophistication, most attacks fundamentally target and exploit basic security flaws within our systems. The lack of cybersecurity awareness among employees, limited penetration testing, and weak information security systems are what ultimately undermine even the most sophisticated of cybersecurity developments.

The maritime industry is essentially a collection of multiple co-dependent and densely interlinked programmable computer networks. As more of these services join the internet community for reasons of convenience and accessibility, their exposure to malicious actors increases significantly. As Kaspersky mentioned, we need to pay more attention to how secure our command and control systems are. These systems are the foundational building blocks that ensure our industries and services operate smoothly, safely and, most importantly, securely. To ships traveling on the high seas, navigational systems are essential to prevent tragedies and ship detentions that could have dire consequences for the commercial maritime sector.


About the Author:

Cheng is a graduate of the MA Intelligence and International Security program at King’s College London; his Master’s thesis examined the characteristics and trends defining China’s emerging cybersecurity and cyberwarfare capabilities. He was a finalist at the 2016 Cyber 9/12 Student Challenge in Geneva, has contributed to other security journals such as IHS Jane’s Intelligence Review and was a former Managing Editor (Blog) at Strife.


Notes:

[1] For a more detailed analysis of the SOTDMA, see: Gaugel, T. & Hartenstein, H., ‘In-Depth Analysis and Evaluation of Self-Organizing TDMA’, IEEE Vehicular Conference, (2013), [Online], Available from: https://pdfs.semanticscholar.org/c927/b0ad1cf0b02a0e2ef259cec938d4e3552702.pdf (Accessed October 1 2016).

[2] Slide 5, Vienna University of Technology, https://www.ict.tuwien.ac.at/lva/384.081/infobase/L03-HDLC_v4-4.pdf, (Accessed October 12 2016)

[3] Access Balduzzi’s presentation slide deck from the Blackhat conference Asia (2014) for more information: https://www.blackhat.com/docs/asia-14/materials/Balduzzi/Asia-14-Balduzzi-AIS-Exposed-Understanding-Vulnerabilities-And-Attacks.pdf

[4] Balduzzi, M., Wilhoit, K., ‘Vulnerabilities discovered in Global Vessel Tracking Systems’, Trend Micro [Online], (15 Oct 2013).

Image 1 source: http://www.marinetraffic.com/en/ais/home/centerx:-0/centery:51/zoom:8

Image 2 source: http://go.portvision.com/hs-fs/hub/240131/file-354089208-jpg/images/pwned-ais-hacking-resized-600.jpg 

Copyright © 2018 Strife Blog. All Rights Reserved.