
AIS Exposed: New vulnerabilities and attacks. (HITB AMS 2014)

Date post: 18-Nov-2014
Upload: trend-micro
Description:
AIS, Automatic Identification System, is a promoted standard and implementation for vessel traffic safety and monitoring. With more than 400,000 installations worldwide, AIS is currently a mandatory installation for commercial vessels and de facto equipment for leisure craft. AIS is widely used in ports worldwide; Rotterdam alone monitors over 700 AIS-enabled vessels each day, serving 32,000 seagoing and 87,000 inland vessels a year. Back in October 2013, during HITB KUL, we showed that AIS is badly broken, at both the implementation and the protocol level, and that it suffers from severe vulnerabilities such as spoofing and man-in-the-middle. In this talk, we extend our research by sharing with the audience several novel attacks that we recently discovered, for example how to extensively disable AIS communications or attack the software installed at the back end by port authorities. By doing so, we hope to raise the necessary awareness and lead the involved parties into calling for a more robust and secure AIS.
AIS Exposed: New Vulnerabilities and Attacks. Marco Balduzzi & Alessandro Pasta (Kyle Wilhoit) [HITB AMS, 29 May 2014]
Transcript
Page 1: AIS Exposed: New vulnerabilities and attacks. (HITB AMS 2014)

AIS Exposed: New Vulnerabilities and Attacks

Marco Balduzzi & Alessandro Pasta (Kyle Wilhoit)

[HITB AMS, 29 May 2014]

Page 2

Outline

● Balduzzi et al., October 2013, HITB KUL ++

Page 3

Automatic Identification System

● AIS, Automatic Identification System
● Tracking system for vessels
  – Ship-to-ship communication
  – From/to port authorities (VTS)
● Some applications:
  – Maritime security (piracy)
  – Collision avoidance
  – Search and rescue
  – Accident investigation
  – Binary messages, e.g. weather forecasting

Page 4

Required Installation

● Since 2002
● Introduced to supplement existing safety systems, e.g. traditional radars
● Required on:
  – ANY international ship with gross tonnage of 300+
  – ALL passenger ships regardless of size
● Estimated 400,000 installations
● Expected over a million

Page 6

Data Exchange

● AIS messages are exchanged in two forms:
● Radio-frequency (VHF) – 162 ± 0.25 MHz
● Online AIS Providers

Page 7

Online Providers

● Collect and visualize vessel information
● Data upstream via:
  – Mobile Apps, Software
  – Email
  – API
  – Radio-frequency gateways deployed regionally

Page 8

Example – Port of AMS

● MarineTraffic.com

Page 9

Example – RF Transponder

● OpenCPN Chart Plotter + AIS Transponder

Page 10

Identified Threats

● Grouped in two macro categories
● 1. Implementation-specific = Online Providers [Software]
VS
● 2. Protocol-specific = AIS Transponders [RF / VHF]

Page 11

AIS Application Layer

● AIVDM messages, e.g.:
  – Position reports
  – Static reports
  – Management (channel...)
  – Safety-related (SART)
● NMEA sentences, as GPS

!AIVDM,1,1,,B,177KQJ5000G?tO`K>RA1wUbN0TKH,0*5C

TAG, FRAG_#, FRAG_ID, N/A, CHANNEL, PAYLOAD, PAD, CRC
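
The sentence layout on this slide, worked through as an added example (not code from the talk or its tooling): a decoder that verifies the CRC field, undoes the 6-bit payload encoding and extracts the position-report fields. The function names are chosen here, and only single-fragment position reports (types 1 to 3) are decoded.

```python
from functools import reduce

# The sentence shown on the slide above.
SLIDE_SENTENCE = "!AIVDM,1,1,,B,177KQJ5000G?tO`K>RA1wUbN0TKH,0*5C"

def checksum_ok(sentence):
    """CRC field: XOR of every character between '!' and '*', as two hex digits."""
    body, _, given = sentence.strip()[1:].partition("*")
    calc = reduce(lambda acc, ch: acc ^ ord(ch), body, 0)
    return given.upper() == format(calc, "02X")

def unarmor(payload, pad):
    """Turn the 6-bit ASCII payload into a bit string, dropping `pad` fill bits."""
    bits = []
    for ch in payload:
        code = ord(ch)
        if not (48 <= code <= 87 or 96 <= code <= 119):
            raise ValueError(f"illegal payload character {ch!r}")
        value = code - 48
        bits.append(format(value - 8 if value > 40 else value, "06b"))
    joined = "".join(bits)
    return joined[:len(joined) - pad]

def field(bits, start, length, signed=False):
    """Read an unsigned or two's-complement integer from the bit string."""
    value = int(bits[start:start + length], 2)
    return value - (1 << length) if signed and value >> (length - 1) else value

def parse_aivdm(sentence):
    """Decode a single-fragment AIVDM sentence; positions only for types 1-3."""
    if not checksum_ok(sentence):
        raise ValueError("CRC mismatch")
    tag, frag_count, frag_id, _na, channel, payload, pad = \
        sentence.strip().partition("*")[0].split(",")
    if tag != "!AIVDM" or frag_count != "1":
        raise ValueError("only single-fragment !AIVDM sentences are handled")
    bits = unarmor(payload, int(pad))
    msg = {"channel": channel, "type": field(bits, 0, 6), "mmsi": field(bits, 8, 30)}
    if msg["type"] in (1, 2, 3) and len(bits) >= 168:
        msg["sog_knots"] = field(bits, 50, 10) / 10.0
        msg["lon"] = field(bits, 61, 28, signed=True) / 600000.0
        msg["lat"] = field(bits, 89, 27, signed=True) / 600000.0
    return msg

if __name__ == "__main__":
    # A valid CRC only rules out transmission errors; nothing in the sentence
    # authenticates the sender, so a decoded MMSI is a claim, not an identity.
    print(parse_aivdm(SLIDE_SENTENCE))
```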

Page 12

AIVDM Encoder

Page 13

Example

● Ship involved in Military Operations
● MMSI 247 320162 (Italy)

Page 14

Spoofing – Online Providers

● Ships or Aids-to-Navigation

Page 15

US to North Korea... What?!

● Wargames (1983) or cyberwar?

Page 16

Programming a malicious route

● Tool to make a ship follow a path over time
● Programmed with Google Earth's KML/KMZ information

Page 17

Hijacking (Rogue Gateway)

Page 18

Example

● “Move” a real ship – Eleanor Gordon

Page 19

Popping Up in Dallas?

Page 20

Radio-Frequency (VHF) Threats

Page 21

AIS Communication over the Air

● Protocol designed in a “hardware-epoch”
● Hacking was difficult and expensive
● No authentication, no integrity check
● 2014
● Craft AIS signals?
● Let's do it via software!

Page 22

SDR – Software Defined Radio

● Many applications, e.g. Radio / TV receivers, 20 USD
● Radio amateurs, SDR transmitters
● Reduced costs
● Reduced complexity
● Increased flexibility
● Accessible by many, pirates included!

Page 23

Our Testing Lab

Page 24

AIS Transmitter

● Built & implemented a software-based AIS transmitter
● GnuRadio, http://gnuradio.org/
● Custom block: AIS Frame Builder [Ref, HITB KUL 2013]

Page 25

RF Spoofing

● Radio-frequency (VHF) version of spoofing
● Setup: [Attacker] – [Victim]
● Amplifier: 20+ km (modified radio)

Page 26

Victim's Console

Page 27

Injecting into legit AIS gateways

Page 28

Man-in-water Spoofing

● Fake a "man-in-the-water" distress beacon
● Trigger SART (S.O.S.) alerts
● Visually and acoustically
● Lure a victim vessel into navigating to a hostile and attacker-controlled sea space
● Mandatory by legislation

Page 29

Man-in-water Spoofing

Page 30

Frequency Hopping (DoS++)

● Disable AIS transponders
● Switch to non-default frequency (RX and TX)
● Single or multiple target(s)
● Program a desired targeted region
  – Geographically remote region applies as well
● For example: Pirates can render a ship “invisible” upon entering Somalia

Page 31

Frequency Hopping (DoS++)

Page 32

CPA Alerting

● Fake a CPA alert, Closest Point of Approach
● Trigger a collision warning alert
● Possibly alter course

Page 33

CPA Alerting

Page 34

Malicious Weather Forecasting

Page 35

Slot Starvation (DoS++)

● Impersonate port authority
● Base station spoofing
● Book TDMA slots

Page 36

Slot Starvation (DoS++)

● Base Station Spoofing

Page 37

Slot Starvation (DoS++)

● Victim's Console

Page 38

Timing Attack (DoS++)

● Instruct an AIS transponder to delay its transmission in time
● Default broadcast time:
  – Static reports = 6 min
  – Dynamic reports = 0.5 to 3 min (depending on speed)
● Attack code:–

Page 39

Hardware Panic! (DoS)

● Flood the device... Noise on Channel + GPS

Page 40

Back to the r00ts

● AIS = Attack Vector
● AIVDM messages are exchanged and processed at application layer by back-end software
  – In VTS server installations
● Binary message, special type used for
  – Crew members, Number of passengers
  – Environment information
● Malicious payloads, e.g. BOF, SQLi, …

Page 41

Back to the r00ts

● SQL Error in back-end processing

Page 42

Attacking D-GPS

● Differential Global Positioning System (D-GPS)
● Used by port authorities to increase the precision of traditional GPS (meters → centimeters)
● Attack = Spoof D-GPS beacons to force ships into calculating a wrong “GPS position”!
● Message 17: GNSS broadcast binary message

Page 43

Attacking D-GPS

● Similar to “UT Austin Researchers Spoof Superyacht at Sea” – Monday, 29 July 2013

Page 44

Responsible Disclosure

● Experiments conducted without interfering with existing systems
  – Messages with safety-implications tested only in lab environment (wired connections)
● We reached out to the appropriate providers and authorities within time
  – MarineTraffic, AisHub, VesselFinder, ShipFinder
  – ITU-R, IALA, IMO, US Coast Guards

Page 45

Proposed countermeasures

● Authentication
  – Ensure the transmitter is the owner (spoofing)
● Time Check
  – Avoid replay attack
● Integrity Monitoring
  – Tamper checking of AIS message (hijacking)
● Validity Check on Data Context
  – E.g., Geographical information

Page 46

Take Home

● AIS is widely used – Mandatory installation
● AIS is a major technology in marine safety
● AIS is broken at implementation-level
● AIS is broken at protocol-level
● We hope that our work will help in raising the issue and enhancing the existing situation!

Page 47

Thanks!

● Dr. Marco Balduzzi – @embyte
● Alessandro Pasta – @aka_pastus

Page 48

Bonus ;-)

● Real-World Experiment
● Simulate the operational conditions of an attacker at sea
● Coverage experiment
● Target: AIS Gateway Installation
● No time for demo video. Visit me offline

