Ship trackers 'vulnerable to hacking', experts warn

Screenshot of AIS monitoring page The researchers were able to spoof the route of boats

Related Stories

A system used globally to track marine activity is highly vulnerable to hacking, security experts have warned.

Weaknesses in outdated systems could allow attackers to make ships disappear from tracking systems - or even make it look like a large fleet was incoming.

Researchers at Trend Micro said their findings showed the danger of using legacy systems designed when security was not an issue.

But one vessel-tracking specialist said spoof attempts could be easily spotted.

Lloyd's List Intelligence's Ian Trowbridge said that in addition to the vulnerable technology - known as the Automatic Identification System (AIS) - other measures could be used to identify marine activity.

"The spoofing would immediately be identified by [Lloyd's List Intelligence] as a warp vessel," he said, "providing unexplained position reports outside of the vessel's speed/distance capability and thus subject to further investigation and validation."

'No checking'

The AIS system is used to track the whereabouts of ships travelling across the world's oceans.

For ships over a certain size, having AIS fitted is mandatory under international maritime law.

Small leisure boats and fishing vessels - for which it is optional - can purchase a transponder for as low as £600, making AIS significantly cheaper than alternative location systems.

Start Quote

It has long been thought that the pirates are basically using AIS as a shopping list”

End Quote Rik Ferguson Trend Micro

It is designed to transmit data about a ship's position, as well as other relevant information, so that movements can be seen by other boats as well as relevant authorities on shore.

One other use is to alert nearby ships when a man or woman is overboard - an alert that can easily be spoofed, says Trend Micro's Rik Ferguson.

"It boils down to the fact that the protocol was never designed with security in mind," he told the BBC.

"There's no validity checking of what's being put up there."

Using equipment bought for 700 euros (£600), the researchers were able to intercept signals and make vessels appear on the tracking system, even though they did not exist.

In one example, the team was able to make it look as if a ship's route had spelled out the word "pwned" - hacker slang for "owned".

Somali pirates

The information broadcast by AIS is public - but when the system was first put in use, in the early 1990s, the technology required to receive the information was prohibitively expensive for those not directly involved in the industry.

But now, a typical internet connection can be used to see the locations of boats, as well as an indicator of what type of cargo they may be carrying.

There has been speculation that Somali pirates have been making use of the system.

"It has long been thought that the pirates are basically using AIS as a shopping list," Mr Ferguson said, "seeing what's coming into local waters, and what cargo it may have."

However, Lloyd's List Intelligence noted that captains are permitted to disable AIS if they feel their crew could be endangered by it.

Follow Dave Lee on Twitter @DaveLeeBBC

More on This Story

Related Stories

More Technology stories

RSS

Features & Analysis

  • Man holding lipWitch hunt

    The country where a blasphemy charge is a death sentence


  • Espresso cupNews quiz

    Which city serves the strongest cup of coffee?


  • Irvine WelshDeaf ears

    Five famous Scots who can't vote in the Scottish referendum


  • Electric chairReturn of 'the chair'

    Five people talk about their roles in Tennessee's execution debate


BBC Future

(Harold Edgerton Archive, MIT)

The man who froze the world

The father of high-speed photography Read more...

Programmes

  • A cargo shipThe Travel Show Watch

    It is not cheap or glamorous - so why are people choosing to travel by cargo ship?

BBC © 2014 The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.