By Jessie Caldwell
The proliferation of spoofing techniques has diminished the value of the Automatic Identification System (AIS) in the context of maritime law enforcement. The open nature of the system prevents higher levels of data security and verification, meaning spoofed and falsified information will remain difficult to prevent without changing the very foundation of AIS. Given the need for accurate data when dealing with problems like sanctions violations or illegal fishing, using AIS data only muddies the waters and makes successful enforcement more difficult.
AIS uses very high frequency (VHF) transmissions to automatically transmit and receive vessel information.1,2 It was designed as a safety tool to complement radio, visual, and radar navigation for collision avoidance, and the UN Safety of Life at Sea (SOLAS) Convention mandates all ships over 300 tons on international voyages and all passenger ships to maintain a functional AIS, broadcasting at all times.
As AIS usage has increased, so have its applications. Sites like MarineTraffic and AISHub receive data from privately or publicly owned receivers and display it in real time, creating a public resource for maritime domain awareness. This data is used for cargo tracking, environmental research, search and rescue operations, sanctions enforcement, and illegal fishing investigations.3,4 AIS has additionally become an integral element of electronic chart and display information systems (ECDIS).5
What is Spoofing?
The primary threat to AIS data is spoofing. Spoofing is a cybersecurity term, describing efforts by an actor to falsely represent themselves through illegitimate data. All types of data sent by the AIS, identified by C4ADS as dynamic, identifying, and voyage information, can be spoofed.6
These threats are caused by weaknesses in the way the system generates, verifies, and transmits data. Both radio and software-based transmissions are vulnerable, but the distinction is rapidly becoming irrelevant due to software-defined radio. Traditional radio spoofing involves actors manipulating their systems to hide their identity or location while onboard. Trend Micro reported that after “purchasing a 700-euro piece of AIS equipment and connecting it to a computer in the vicinity of a port, the researchers could intercept signals from nearby craft and send out modified versions to make it appear to other AIS users that a vessel was somewhere it was not.”7 The cost of generating these signals is constantly decreasing. With the advent of software-defined radio, or radio that uses software instead of hardware, personal computers can be modified with a thirty-dollar piece of equipment and begin broadcasting.8
Software-based spoofing is more versatile than radio-based spoofing. Global Fishing Watch describes the difference between software and radio frequency spoofing: “in past (radio frequency) cases, we observed vessels on the water that were broadcasting positions that corresponded to an area other than the true location of the vessel. In these new (software) examples, however, AIS tracks were present where vessels appear not to have been actually broadcasting AIS at all.”9 Many software-based spoofing exploits are caught because spoofers make identifiable mistakes. A telltale sign of a software-created ship is that it is detected outside the range of any terrestrial data receiver that could reasonably pick up its transmissions.
Bjorn Bergman, a data analyst with Global Fishing Watch, has another way of identifying digital intrusions. WIRED reported “the fake tracks were all shown as coming from shore-based AIS receivers, with none collected by satellites. Given that real AIS signals from civilian ships near the supposed warship tracks were received by satellites overhead, Bergman believes this shows the fake AIS messages were not generated by actual malicious transmissions.”4 The pattern in fake transmissions Bergman has identified is not public and has not been tested by outside sources, but he argues the problem is widespread:
“we don’t know how the false positions get combined with real data from terrestrial AIS antennas, though we can hypothesize that they could be produced by an AIS simulator program…While we initially thought the false data might be entering the data feed from a single terrestrial AIS station, it appears that false AIS positions were reported at a number of different terrestrial stations.”
Because of the lack of verification, it is not immediately clear where or which data is poisoning AIS feeds. This problem will only continue to develop as spoofers become more skilled in masking their activities and creating more realistic falsified data.
Illegal Fishing
The back-and-forth between law enforcement and malicious actors is best demonstrated in illegal, unregulated and unreported fishing. A continuous at-sea enforcement presence is impractical given the sheer size of EEZs or restricted fishing zones, so AIS at first appears to be an easy way to tag broadcasting vessels that stray into unauthorized areas and appear to engage in fishing. However, as AIS monitoring became widespread, criminal behavior changed. To stay under the radar, vessels began to “go dark” by turning off their AIS before engaging in illegal activity. Numerous studies show fishing vessels allegedly engaging in this trick in the waters around the Galapagos.11 Therefore, a vessel with a nonfunctional or intermittently broadcasting AIS transmitter is potentially engaging in illegal fishing, warranting further investigation. To obfuscate this, spoofing is the logical alternative. Instead of “going dark”, vessels change their digital identity.
A vessel’s AIS signature has become increasingly relevant to law enforcement case package development, helping to identify vessels engaged in illicit activities and to track them through time and space. A vessel’s digital identity is primarily made up of the information transmitted by AIS. Some elements are self-reported and can be purposefully entered incorrectly to disguise illicit activity. The most important piece of identifying information is the Maritime Mobile Service Identity (MMSI) number, a unique nine-digit number assigned to a vessel. It is supposed to remain unchanged save for during reflagging.6 There are security measures built into the hardware to prevent tampering and digital identity fraud. In some cases, the MMSI can only be changed after entering a passcode. These passcodes, while ostensibly only known by manufacturers and authorized technicians, can be found online, allowing sailors to reprogram and change their MMSI independently.
Vessel owners can also purchase multiple AIS transponders and use them to generate new ship identities with a “clean” MMSI number to confuse authorities. C4ADS refers to these two processes as MMSI tampering, occurring “when a vessel transmits the MMSI number of another vessel or an entirely fraudulent one in order to obfuscate its identity and activities. In effect, MMSI tampering creates new digital identities that severely impair the ability of maritime authorities and other vessels to identify a vessel and monitor its movements.”6 As such, spoofers can now generate an entirely false vessel history or steal a clean vessel’s data.
Sanctions Enforcement
North Korea is well known for spoofing the identities of its vessels to make it more difficult to identify, in a timely manner, which ships are violating sanctions.10 The 2019 case of the Tae Yang, a North Korean-flagged vessel, demonstrates this. The ship began broadcasting its location with the MMSI number of another vessel, the Mongolian-flagged Krysper Singa, while visiting North Korea. The real Krysper Singa was around Singapore. By stealing the Krysper Singa’s digital identity, the Tae Yang made it appear that the other vessel was violating sanctions and kept its own MMSI number clean. This appeared on commercial databases as a “teleporting” ship: since both vessels were broadcasting the same number, the ship would appear first around Singapore, then suddenly seem to teleport to North Korean waters, then back. The Royal United Services Institute (RUSI), as part of its Project Sandstone series, discovered that commercial AIS tracking systems automatically clean and correct data, instead of highlighting anomalies. In this case they “inadvertently and incorrectly (linked) the real Krysper Singa to sanctions violations committed by the Tae Yang.”9 A careful review of satellite imagery was required to correctly identify the Tae Yang as the ship engaging in ship-to-ship transfers (STS) to violate sanctions. Another North Korean vessel, the KUM RUNG 5, cycled “through around 30 different identifiers, including names, Maritime Mobile Service Identity (MMSI) numbers, callsigns, and even IMO numbers, which are meant to be unique to just one vessel throughout its lifetime. This includes the use of at least four names in 2020 alone. Because the identifiers are programmed onboard the vessel, confirming the authenticity of the broadcast is not possible without other means of verification.”12 The Tae Yang didn’t hide the presence of a vessel at its location, but by switching its identification, made it more difficult to determine the real culprit.
This problem extends beyond the vessel actively engaging in identity theft. Innocent third parties like the Krysper Singa are affected. Even if mariners correctly program their MMSI and other information, malicious actors can intercept and change the data from a terrestrial receiver as it is transmitted to online maritime tracking sites.
Many tracking providers use the same data sources so a faked ship will appear on multiple maritime traffic sites.4 The malicious actor can therefore be on the other side of the globe from the targeted vessel, widening their reach, and achieve results similar to VHF spoofing. Hackers can intercept data packets and change a ship’s identity by changing their MMSI number, name, IMO number, and altering coordinates or headings. They can even “move” a vessel to an entirely new location.
For example, at a 2013 hacking conference, two researchers moved a real vessel, the Eleanor Gordon, that was at the time located in the Mississippi River, to appear on a lake in Dallas.13 The false positions or identities generated by this type of threat are less likely to threaten vessels directly, as they rely on their onboard AIS and other methods of navigation, but they directly impact the other uses of AIS. Maritime law enforcement cannot rely on the publicly available aggregate data where these fake digital signals appear. Sanctions monitoring, fisheries enforcement, marine traffic analysis, and environmental research all rely on this data, and spoofing leaves it meaningfully compromised.
Conclusion
Under the present framework and technologies, it is extremely challenging to eliminate AIS spoofing. The system itself was not designed to pass along verified data – it was meant to be open and easy to transmit and employ as a safety tool. It lacks inherent virus or malware protection, encryption, or data verification tools.14 Encryption is a potential method;15 however, as Ken Munro writes on the Pen Test Partners blog,
“if nearby vessels don’t have the ability to decrypt the data, the safety benefit of AIS is lost…Finally, even if all transceivers featured and used encryption, a rogue user could simply purchase a legitimate transceiver from which to transmit tampered data.”3
Part of AIS as currently designed is that all ships can access it for safety. Attempts to limit bad actors from transmitting run the risk of preventing legitimate vessels from using AIS.
If spoofing is impossible to stop, the best option in the short term is to continue to improve detection capabilities. Machine learning and other big data tools have begun automating the detection of certain patterns in AIS data that suggest activities like fishing or STS transfers, and the identification of vessels from vessel registry databases.7 Global Fishing Watch has developed an algorithm for identifying ghost ships, and other researchers are developing similar programs to catch “teleporting” or identity-switching vessels.11 This would limit the benefits of spoofing for illicit actors, as they would no longer be able to conceal and confuse their identity as successfully.
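Two of the checks this article describes can be sketched in a few lines: a track logged by a shore receiver that could not plausibly have heard it, and a single MMSI that “teleports” between distant positions. This is an added example, not code from Global Fishing Watch, RUSI, or the author. The record layout, the 40-knot speed ceiling, the 60-nautical-mile receiver range, and every MMSI, coordinate, and station name in the sample data are assumptions constructed for illustration.

```python
import math

EARTH_RADIUS_NM = 3440.065      # mean Earth radius in nautical miles
MAX_SPEED_KN = 40.0             # assumed ceiling for a merchant ship's speed
MAX_SHORE_RANGE_NM = 60.0       # assumed generous VHF range of a shore receiver

def distance_nm(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))

def find_teleports(reports):
    """Flag consecutive reports from one MMSI that imply an impossible speed."""
    by_mmsi = {}
    for r in reports:
        by_mmsi.setdefault(r["mmsi"], []).append(r)
    flags = []
    for mmsi, track in by_mmsi.items():
        track.sort(key=lambda r: r["t"])
        for a, b in zip(track, track[1:]):
            hours = max(b["t"] - a["t"], 1) / 3600.0   # guard against equal timestamps
            knots = distance_nm(a["lat"], a["lon"], b["lat"], b["lon"]) / hours
            if knots > MAX_SPEED_KN:
                flags.append((mmsi, a["t"], b["t"], round(knots)))
    return flags   # anomalies are reported, not silently "cleaned" out of the track

def find_out_of_range(reports, stations):
    """Flag shore-received reports too far from the station that logged them."""
    flags = []
    for r in reports:
        if r["rx"] in stations:   # satellite receptions have no fixed station
            d = distance_nm(r["lat"], r["lon"], *stations[r["rx"]])
            if d > MAX_SHORE_RANGE_NM:
                flags.append((r["mmsi"], r["t"], r["rx"], round(d)))
    return flags

# Constructed sample data: epoch seconds, decimal degrees, made-up MMSIs and station.
STATIONS = {"shore-1": (1.26, 103.82)}
REPORTS = [
    {"mmsi": "111111111", "t": 0,    "lat": 1.20,  "lon": 103.90, "rx": "shore-1"},
    {"mmsi": "111111111", "t": 3600, "lat": 38.70, "lon": 125.30, "rx": "sat"},
    {"mmsi": "111111111", "t": 7200, "lat": 1.22,  "lon": 103.95, "rx": "shore-1"},
    {"mmsi": "222222222", "t": 0,    "lat": 1.30,  "lon": 104.00, "rx": "shore-1"},
    {"mmsi": "222222222", "t": 3600, "lat": 1.35,  "lon": 104.20, "rx": "shore-1"},
    {"mmsi": "333333333", "t": 0,    "lat": 10.00, "lon": 110.00, "rx": "shore-1"},
]

print(find_teleports(REPORTS), find_out_of_range(REPORTS, STATIONS), sep="\n")
```

A teleport flag says only that two transmitters shared one MMSI or that a position was falsified; deciding which vessel is the real one still needs an independent source such as satellite imagery.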
In the long term another system could be developed to directly address the deficiencies of AIS. Navigators can use other methods to augment AIS and prevent collisions while at sea. On shore, AIS was not designed for law enforcement. There is no way of verifying data to a high enough standard while keeping the system true to its roots as a safety tool. In the balancing act of openness and security, AIS was designed to be as open and easy to access as possible. Trying to force it to be more secure lessens its applicability as a universal safety tool.
Jessie Caldwell is a recent graduate of the George Washington University’s Elliott School of International Affairs. She holds a Masters in International Affairs, focusing on transnational security issues.
These views are expressed in a personal capacity and do not necessarily reflect the official view of any government agency.
References
1. NAVCEN. “AIS FREQUENTLY ASKED QUESTIONS.” AIS Frequently Asked Questions, U.S. Coast Guard, 17 Feb. 2022, https://www.navcen.uscg.gov/?pageName=AISFAQ.
2. NAVCEN. “HOW AIS WORKS.” How Ais Works, U.S. Coast Guard, 8 Sept. 2016, https://www.navcen.uscg.gov/?pageName=AISworks.
3. Munro, Ken. “Hacking AIS.” Pen Test Partners RSS, 18 Sept. 2018, https://www.pentestpartners.com/security-blog/hacking-ais/.
4. Harris, Mark. “Phantom Warships Are Courting Chaos in Conflict Zones.” Wired, Conde Nast, 29 July 2021, https://www.wired.com/story/fake-warships-ais-signals-russia-crimea/.
5. Fisk, Samantha. “Gloves off as Criminals Move from AIS Spoofing to AIS Hacking -.” Fathom World – Shipping and Maritime Industry News, 16 Sept. 2019, https://fathom.world/gloves-off-as-criminals-move-from-ais-spoofing-to-ais-hacking/.
6. Boling, Andrew, et al. “Unmasked: Vessel Identity Laundering and North Korea’s Maritime Sanctions Evasion.” C4ADS, 2021, https://c4ads.org/unmasked.
7. Simonite, Tom. “Ship Tracking Hack Makes Tankers Vanish from View.” MIT Technology Review, 18 October 2013, https://www.technologyreview.com/2013/10/18/82918/ship-tracking-hack-makes-tankers-vanish-from-view/.
8. Balduzzi, Marco. “AIS Exposed Understanding Vulnerabilities & Attacks 2.0.” Blackhat.com, Black Hat Asia, 2014, https://www.blackhat.com/docs/asia-14/materials/Balduzzi/Asia-14-Balduzzi-AIS-Exposed-Understanding-Vulnerabilities-And-Attacks.pdf.
9. “Guidance to Address Illicit Shipping and Sanctions Evasion Practices.” U.S. Department of the Treasury, 14 May 2020, https://home.treasury.gov/policy-issues/financial-sanctions/sanctions-programs-and-country-information/north-korea-sanctions.
10. Trainer, Cameron, and Izewicz, Paulina. “Unauthorized Flags: A Threat to the Global Maritime Regime.” Center for International Maritime Security, 20 July, 2020, https://cimsec.org/unauthorized-flags-a-threat-to-the-global-maritime-regime/.
11. “Fisheries intelligence report reveals vessel behaviors associated with spoofing activity.” Global Fishing Watch, Global Fishing Watch, 17 October 2023, https://globalfishingwatch.org/press-release/fisheries-intelligence-report-reveals-vessel-behaviors-associated-with-spoofing-activity/
12. Storm, Darlene. “Hack in the Box: Researchers Attack Ship Tracking Systems for Fun and Profit.” Computerworld, Computerworld, 21 Oct. 2013, https://www.computerworld.com/article/2475227/hack-in-the-box–researchers-attack-ship-tracking-systems-for-fun-and-profit.html.
13. Bergman, Bjorn. “Systematic Data Analysis Reveals False Vessel Tracks.” Global Fishing Watch, Global Fishing Watch, 29 July 2021, https://globalfishingwatch.org/data/analysis-reveals-false-vessel-tracks/.
14. Bateman, Tom. “Fake Ships, Real Conflict: How Misinformation Came to the High Seas.” Euronews, 28 June 2021, https://www.euronews.com/next/2021/06/28/hms-defender-ais-spoofing-is-opening-up-a-new-front-in-the-war-on-reality.
15. Katsilieris, Fotios, et al. “Detection of Malicious AIS Position Spoofing by Exploiting Radar Information.” IEEE Xplore, 12 July 2013, https://ieeexplore.ieee.org/document/6641132.
Featured Image: A containership steaming during sunset. (Photo via Wikimedia Commons)