Last updated at Wed, 30 Aug 2017 13:39:14 GMT
If you have not read HD Moore's research on serial port servers, DO IT NOW. It gives you a shocking perspective on the reality of things: the security industry has been historically blabbing and making consumers concerned about the most recent, complex, intriguing and fashionable threats and attacks, while IT as a whole keeps failing the same old basic precautions since networks were born. Long story short, the state of the Internet hasn't changed: it's still damn nasty.
The Internet Census 2012, with its immense amount of data, along with HD's private research project, Critical.io, and the security search engine Shodan, allowed us to prove it once again. HD's serial port server research highlights the inherent insecurity of a large amount of network-enabling devices that bridge to the Internet normally isolated systems such as fuel pumps, oil and gas pipelines, power grids, traffic lights and many more odd and scary things.
But what does that have to do with ships?
One of the most curious things we found when reviewing the Internet Census data were systems streaming messages like the one below, publicly, and with no authentication. These messages were often mapped to ports 2001 and 3001; the default TCP access ports for Digi and Lantronix serial port servers.
!AIVDM,1,1,,A,18Lg0o`P017<JGP7i:G5sOvb0H<h,0*2E
These messages are emitted by devices able to collect and interpret communications of a maritime protocol known as AIS: Automatic Identification System. AIS transmitters are generally mounted on vessels, navigation markers and shore stations and they combine a VHF transceiver with a GPS receiver in order to broadcast their position and other information to nearby receivers. This data is then collected and used by other vessels' anti-collision systems, search and rescue aircrafts, as well as maritime security agencies to easily track and identify ships entering national waters.
AIS receivers look something like this:
They can easily be bought on Amazon for a price that ranges between $300 and $2,000, depending on their class and additional capabilities. Sometimes they are already provided with USB or Ethernet sockets in order to push or serve the collected data to an external system. Sometimes they are directly made available on the Internet through a serial port server provided with 3G, mobile or other satellite connections.
Looking through the Internet Census data, we identified more than 360 AIS receivers with around 160 of them still active and responding. These receivers are distributed all over the globe and are constantly logging AIVDM/ AIVDO and similar messages over an open TCP port that varies depending on the vendor of the serial port server or other equipment used.
AIS Messages
AIS supports the following message types:
- Position Report Class A
- Position Report Class A (Assigned schedule)
- Position Report Class A (Response to interrogation)
- Base Station Report
- Static and Voyage Related Data
- Binary Addressed Message
- Binary Acknowledge
- Binary Broadcast Message
- Standard SAR Aircraft Position Report
- UTC and Date Inquiry
- UTC and Date Response
- Addressed Safety Related Message
- Safety Related Acknowledgement
- Safety Related Broadcast Message
- Interrogation
- Assignment Mode Command
- DGNSS Binary Broadcast Message
- Standard Class B CS Position Report
- Extended Class B Equipment Position Report
- Data Link Management
- Aid-to-Navigation Report
- Channel Management
- Group Assignment Command
- Static Data Report
- Single Slot Binary Message,
- Multiple Slot Binary Message With Communications State
- Position Report For Long-Range Applications
Some of the most interesting and popular message types have been bolded. Coordinates of vessels are sent through message type 1, 2, 3 and 18. For example, the AIVDM message showed above is of type 1 and decodes into the following details:
slot_timeout: 6
sync_state: 0
true_heading: 511
sog: 0.10000000149
rot: -731.386474609
nav_status: 8
repeat_indicator: 0
raim: False
id: 1
slot_number: 816
spare: 0
cog: 151.699996948
timestamp: 21
y: 13.5758333206
x: 100.578536987
position_accuracy: 0
rot_over_range: True
mmsi: 567001310
special_manoeuvre: 0
The key parameters for this specific message are:
- ID: represents the type of message.
- MMSI: is a unique number that identifies the boat, in this case belonging to a Thai tanker called BIG SEA 17 presented in the first picture.
- Y: the latitude of the current position of the boat.
- X: the longitude of the current position of the boat.
You are able to constantly track the movements of the given vessel by grouping all incoming messages by their MMSI number.
If you're interested, you can find a detailed documentation on all these messages and their formats here.
Playing Poseidon
The metaphorical connection in literature between hackers and pirates suddenly becomes surreal and funny.
In a short period of 12 hours we were able to collect almost 2 GB of data logged by dozens of receivers worldwide. We counted millions of AIS messages and out of those, we were able to track more than 34,000 unique vessels and observed many more that were not providing an identifier. We expect that with a fresh global scan and an extended monitoring, this number would grow drastically.
In the following map you can see all the open AIS receivers we identified represented by green dots and the last available position of unique vessels represented by red dots:
You probably noticed two tracks around the Equator line: we believe that those might be default coordinates of GPS receivers of vessels that were not able to establish an accurate position.
Let's zoom into Europe to get a better idea on the numbers here:
Every ship generally sends a position message every 1-3 minutes in order to notify its current position. When isolating such messages by their MMSI number, we can fundamentally track the movements of every single vessel you found represented in the previous map, for instance:
Due to the availability of open AIS receivers distributed pretty much all over the globe, we would probably be able to isolate and continuously track any given vessel provided with an MSSI number. Considering that a lot of military, law enforcement, cargos and passenger ships do broadcast their positions, we feel that this is a security risk.
AIS transmitters also send other types of messages at regular intervals. For example message types 5 and 25, respectively for vessels of class A and B, are sent every 6 minutes or so and they provide details on the type of vessel sending the message. In the following map you can see green dots, representing military vessels, and blue dots, representing law enforcement ones:
In the case the vessels do not send their name, the mapping of MMSI numbers and ship names and details are largely available on the Internet. As a matter of fact, this is one of the law enforcement boats represented by a marker in the map above:
(Photo taken from ShipSpotting)
Not all the vessels we identified actually broadcasted these types of message, but for the ones that did, following is a ranking of the most popular vessel types we observed:
- Fishing: 1252
- Pleasure Craft: 1064
- Sailing: 790
- Cargo: 420
- Unknown: 200
- Passenger: 166
- Tug: 146
- Pilot Vessel: 97
- Towing: 60
- Dredging or underwater ops: 60
- Port Tender: 58
- Search and Rescue vessel: 53
- Tanker: 29
- Local Vessel: 29
- Law Enforcement: 29
- Military ops: 27
- Anti-pollution equipment: 22
- Diving ops: 20
- High speed craft (HSC): 12
- Wing in ground (WIG): 9
- Medical Transport: 1
In the same messages the vessels can also specify the vendor of the AIS equipment they're using. Following are the ten most popular:
- COMAR: 336
- COMNAV: 285
- SIMRAD: 235
- GARMIN: 213
- TRUEHDG: 195
- AMC: 174
- DYACHT: 121
- RAY: 113
- WESTMAR: 96
- PRONAV: 86
Sea Messaging
AIS also provides a way for vessels to send broadcast or direct safety messages, mostly with types 12 and 14. These messages are originally intended to communicate information regarding critical maneuvers, safety issues and rescue requests. During the time we run our monitoring, we observed hundreds of messages. Some of them were used to establish communications and testing the AIS transceivers:
- CAPT REPORT MARDEP ON VHF CH 12 NOW
- PLEASE CONFIRM YOUR ETA.
- TEST OF AIS MESSGE. HOW DO U READ ME?
- TEST TEST. PLEASE REPLY UPON RECEIPT. THANK YO
Other messages notify particular movements or maneuvers:
- CRANE VESSEL HERMOD TOWED BY TUG HUS
- APPROACHING DELAWARE BAY SMA FOR ENDANGERED RIGH
- YOU`RE IN THE DELAWARE BAY SMA
- DO YOU KNOW YOU HAVE TO STAY OUT OF 6M
Some others actually were critical safety messages:
- VISIBILITY OF LESS THAN 1 NAUTICAL MILES IS REPORTED
- SHIP LOSE ANCHOR,CAUTION ADVISED
- SHIP ENTERED TO RESTRICTED AREA
- ATTENTION VSL TO CLOSE ALTI N ISLE LIGHT
RISK OF COLLISION WITH BUOY NO.35 IN KA OBSTRUCTION: BECAUSE OF TSUNAMI
It was nice to observe some good old sailor neighbourliness too:
- GOOD AFTERNOON HAVE A NICE STAY
- MOINMOIN GREETINGS TO YOUR CPT
Along with normal vessels, there are shore and floating stations that broadcast AIS messages of type 21 that contain aid-to-navigation (AtoN) details for nearby vessels.
These could for example come from buoys:
- B17 METEOCEAN BUOY N 1
- BUOY NO7 FL 3 10S G
Lighthouses:
- TARKA BAY LIGTHOUSE
Specific geographical locations:
- CAPE POINT
- ROBBEN ISLAND
As well as generic messages probably shared by other vessels to inform about particular discoveries during their journey:
- DANGER POINT
- HOOD POINT
- GREAT FISH POINT
Availability of AIS data
On the Internet you can find websites that provide vessel tracking data based either on asking people to volunteer the information from their AIS receivers or deploying some themselves. However, we observed AIS receivers that are blatantly open on the Internet, many belonging to private organizations and institutions and unlikely feeding data to public trackers. In 2004, the International Maritime Organization condemned the publication on the Internet of AIS data as a risk to the security of vessels:
In relation to the issue of freely available automatic identification system (AIS)-generated ship data on the world-wide web, the MSC agreed that the publication on the world-wide web or elsewhere of AIS data transmitted by ships could be detrimental to the safety and security of ships and port facilities and was undermining the efforts of the Organization and its Member States to enhance the safety of navigation and security in the international maritime transport sector.
We agree that the availability of global AIS data in such an unsecured manner is a potential danger, both for the safety of the vessels being tracked as well for the operators of the public AIS receivers.
Conclusions
In this blog post we presented yet another example of a reckless use and configuration of Internet-enabled devices. Without proper authentication and basic security practices in place any sort of asset is at risk: servers, critical infrastructures, industrial systems, as well as global GPS tracking and communication systems in this case. AIS receivers can represent an additional critical entry point to the networks of their operators. A quick fingerprint shows that many of the systems identified have open telnet shells, web interfaces, and VNC servers, and many of these are connected to old and vulnerable versions of Windows. The use of mobile connections makes it difficult to attribute the owners of such sensors, but several of them resolve to domains belonging to IT companies, maritime organizations, cost guards and research groups.
As the map below shows, it may be possible to identify the owner of a receiver using its geographic location alone:
In the worst case scenario, if the system is also equipped with a transmitter, an attacker could for example potentially gain access and broadcast crafted AIVDM messages to the proximity and eventually cause troubles and damages to the vessels receiving them. This option is purely hypothetical and would need to be verified with hands on the equipment.
All in all, the seas are still not safe from pirates, of the digital era .
Update
We've received some questions and comments regarding this research and its value, so I'm hoping I can help clarify some points.
Firstly I want to be clear that we are not criticizing the use or the existence of AIS, which being a broadcast protocol, is clearly not providing any expectations of security or privacy in the proximity of the vessels. We expressed concern for the public availability of global AIS data on the Internet, which is not the same thing.
This brings me to my next point. We don't claim access to exclusive data; as stated, there are several existing services online that provide GPS location of vessels. To our knowledge though, none actually provide access to all other AIS message types that are also logged by those receivers.
We found looking at this data fun and interesting, but the security risks identified mostly revolve around the devices, not the data itself, which has been presented as pure curiosity. As mentioned in the post, a large number of AIS receivers appear largely insecure, which leaves doors open for several attack scenarios, such as disrupting the receivers to affect rescue operations or, if provided with a transmitter, craft AIVDM messages to cause havoc or impersonate existing vessels. My apologies if the frame of the blog post didn't deliver this message more clearly.
Lastly, I want to express our appreciation to the maritime experts that reached out to us asking for clarifications and providing feedback as well.
This is a Rapid7 Labs research brought to you by Claudio Guarnieri, Mark Schloesser and HD Moore. Thanks to the whole Amsterdam office for volunteering computing power .