Captain Don Pellecchia & Captain Jack Schaeffer Captain Don ...
Captain, Where Is Your Ship – Compromising Vessel Tracking Systems
-
Upload
trend-micro -
Category
Technology
-
view
17.355 -
download
3
description
Transcript of Captain, Where Is Your Ship – Compromising Vessel Tracking Systems
![Page 1: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/1.jpg)
Hey Captain, Where’s Your Ship? Attacking Vessel Tracking Systems for
Fun and Profit
Marco Balduzzi, Kyle Wihoit, Alessandro Pasta(@embyte / IZ2PMO, @lowcalspam, IZ2RPA)
![Page 2: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/2.jpg)
Ingredients
![Page 3: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/3.jpg)
3
Automatic Identification System● Tracking system for ships
– Centralized management for port authorities (VTS)
– Ship-to-ship communication in open-sea
● Used for plot, course, position, and speed● Some Applications:
– Vessel Traffic Services
– Collision Avoidance
– Maritime Security– Aids to Navigation (AtoN)– Search and rescue, Accident investigation– Binary messages, e.g. weather forecasting
![Page 4: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/4.jpg)
4
Automatic Identification System● Introduce to supplement the existing safety
systems, e.g. traditional radars● IMO agreement 2002, widely used since 2006
– Required on any international ship with gross tonnage of 300 or more tons.
– Also required on ALL passenger ships regardless of size
● Estimated 400,000 installations. Expected over a million within 2014.
![Page 5: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/5.jpg)
5
![Page 6: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/6.jpg)
6
Online AIS Services● Collects and
visualizes ships information
● Upstream done via:– Email
– TCP/UDP Socket
– Commercial Software
– Smartphone Apps
– Radio-Frequency Gateways (deployed regionally)
![Page 7: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/7.jpg)
7
MarineTraffic Demo
![Page 8: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/8.jpg)
8
AIS Application Layer● AIVDM Sentences● NMEA Sentences , as GPS
!AIVDM,1,1,,B,177KQJ5000G?tO`K>RA1wUbN0TKH,0*5C
TAG, FRAG_#, FRAG_ID, N/A, CHANNEL, PAYLOAD, PAD, CRC
![Page 9: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/9.jpg)
9
Message 1/18: Position Report
Maritime Mobile Service Identity (MMSI) number: Shared among multiple messages
● Longitude, latitude, navigation status, speed-over-ground (SOG), course-over-ground (COG)
● Sent every 3 to 30 seconds, depending from ship speed
● 168 bits
![Page 10: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/10.jpg)
10
Message 24: Static Report
● Types 24A [160 bits] and 24B [168 bits]● Name, callsign, dimension● Type of ship and cargo type, e.g.
– 35: Engaged in military operations
– 51: Search and rescue
– 55: Law enforcement
– 5X: Carrying dangerous goods (e.g. Nuclear)
![Page 11: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/11.jpg)
11
Few-Others
● Type 8: Binary Broadcast Message– Weather Forecasting
● Type 22: Channel-Management– Reserved for Port Authorities
● Type 14: Safety-Related Broadcast Message– SOS, Man-In-Water
![Page 12: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/12.jpg)
12
Generate Valid AIVDM Sentences
![Page 13: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/13.jpg)
13
AIVDM_Encoder Example
● Example of generation of AIVDM Sentence for ● Ship involved in Military Operations● Named HiTB13
![Page 14: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/14.jpg)
14
Identified Threats● Grouped in two macro families:
– Implementation-specific VS protocol-specific
![Page 15: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/15.jpg)
15
Spoofing Attack● Ships, AtoN, Aircrafts
![Page 16: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/16.jpg)
16
North Korea... What?!
![Page 17: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/17.jpg)
17
And...
![Page 18: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/18.jpg)
18
Autopwning
● Script to make a ship follow a path over time● Programmed with Google Earth's KML/KMZ
information
![Page 19: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/19.jpg)
19
Ship Hijacking via AIS Gateway
![Page 20: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/20.jpg)
20
Eleanor Gordon● Eleanor Gordon...Real ship...
![Page 21: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/21.jpg)
21
Eleanor Gordon Popping Up in Dallas?
![Page 22: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/22.jpg)
22
Landing Lake
![Page 23: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/23.jpg)
23
Replay Attack
![Page 24: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/24.jpg)
24
![Page 25: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/25.jpg)
25
AIS Communication over the Air● No authentication, no integrity check● Protocol designed in a “hardware-epoch”● Hacking: Difficult and cost expensive
● Fake AIS Signals?● Let's do it via software!
![Page 26: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/26.jpg)
26
SDR: Software Defined Radio● Paradigm switch from Hardware to Software
● Reduced costs, Reduced complexity, Increased flexibility
● Many application, e.g. Radio/TV receiver, 20 USD
● Accessible by many, bad guys included!
![Page 27: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/27.jpg)
27
GnuRadio and USRP Synergy
Universal Software Radio Peripheral
![Page 28: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/28.jpg)
28
AIS Transmitter
● GnuRadio flowchart for transmitting AIS message on the air
● 4 main components / blocks● IDE → Python script
![Page 29: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/29.jpg)
29
AIS Frame Builder● Implements the AIS Stack (C code) ● Builds the Frame to be modulated
![Page 30: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/30.jpg)
30
![Page 31: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/31.jpg)
31
Equipment
Universal Software Radio Peripheral AIS Transceiver
![Page 32: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/32.jpg)
32
Outdoor experiments
MOXXON Directional Antenna
Standard VHF Transceiver (Radio)
![Page 33: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/33.jpg)
33
Attack 1: Man-in-water Spoofing● Fake a "man-in-the-water" distress beacon at
any location● Similar to Avalanche Safety Beacons● <live demo>
![Page 34: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/34.jpg)
34
Attack 2: Frequency Hopping [1/2]● Disable AIS transponders
– Up to 5 weeks
● Switch to non-default frequency● Stored in flash memory● Specify a desired targeted region
– Geographically remote region applies as well
● E.g. Pirates can render a ship invisible in Somalia
![Page 35: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/35.jpg)
35
Attack 2: Frequency Hopping [2/2]
![Page 36: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/36.jpg)
36
Attack 3: CPA Alerting [1/2]● Fake a CPA alert (Closest Point of Approach)
and trigger a collision warning alert.
![Page 37: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/37.jpg)
37
Attack 3: CPA Alerting [2/2]
![Page 38: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/38.jpg)
38
Attack 4: Weather Forecasting
![Page 39: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/39.jpg)
39
Real-World Experiment● Generate a valid over-the-air AIS message● Target: AIS proxy● Demo
![Page 40: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/40.jpg)
40
Responsible Disclosure● Our experiments are conducted without interfering
with existing systems– Messages with safety-implications tested only in remote
lab environment
● We reached out the appropriate providers and authorities within time
● Online providers:– MarineTraffic, AisHub, VesselFinder, ShipFinder
● Standard bodies:– ITU-R: 11 September 2013– IALA, IMO, US Coast Guards: No answer yet
![Page 41: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/41.jpg)
41
Countermeasures● Authentication
– Ensure the transmitter is the owner
● Integrity Monitoring– Tamper checking of AIS message
● Time Check– Avoid replay attack
● Validity Check on Data Context– E.g., Geographical information
![Page 42: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/42.jpg)
42
Take Home
● AIS is widely used – Mandatory installation● AIS is a major technology in marine safety● AIS is broken at implementation-level● AIS is broken at protocol-level
● We hope that our work will help in raising the issue and enhancing the existing situation!
![Page 43: Captain, Where Is Your Ship – Compromising Vessel Tracking Systems](https://reader034.fdocuments.net/reader034/viewer/2022052122/546c3396af795985298b4f10/html5/thumbnails/43.jpg)
43
Questions?
● Thanks! FTR, Germano (IW2DCK), ITU-R