(In)security of smart transportation at sea

Similar documents
AIS Training. AIS Technology in Digital Yacht Products Explained. Digital Yacht Ltd TEL

RF Monitoring Service Profile Based on AIS Binary Message

New advanced real time smart Search and Rescue RADAR Transponder (SART)

Record of approved GMDSS radio installation

ATTACHMENT E. How to Conduct a GMDSS Inspection.

VHF Data Exchange System (VDES)

NC Models. CP390i - GPS Chart Plotters. Addendum to Owner s Manual Issue C to update to Software Version (*)

Weatherdock explains: How does real DSC work in an emergency transmitter?

GMDSS modernisation and e-navigation: spectrum needs

Doug Miller Milltech Marine Inc. Milltech Marine 1

RESOLUTION MSC.278(85) (adopted on 1 December 2008) ADOPTION OF THE NEW MANDATORY SHIP REPORTING SYSTEM "OFF THE COAST OF PORTUGAL - COPREP"

Automatic Identification Systems or: How I Learned to Handle Pirates on the High Seas

Universal Shipborne Automatic Identification System (AIS) Transponder

The Future in Marine Radio Communication GMDSS. Department of Transportation United States Coast Guard

OPERATIONS SEAFARER CERTIFICATION GUIDANCE NOTE SA MARITIME QUALIFICATIONS CODE SHORT RANGE CERTIFICATE (SRC)

Tide & Meteorological Data over AIS

Global Maritime Distress and Safety System (GMDSS)

Demonstrator of a Data Processing Centre (DPC) for satellite-based AIS services

ITU 'Young ICT Leaders Forum 2015' Maritime digital communication for e-navigation (WED) Daeho Kim ETRI

L AGENCE NATIONALE DES FREQUENCES (ANFR) From Titanic to satellite from Morse to digital Entry in a new era for the maritime community

FREQUENCIES FOR DISTRESS AND SAFETY, SEARCH AND RESCUE AND EMERGENCIES

1

Fisheries and Marine Resources (Automatic Identification System) Regulations

ANNUAL OF NAVIGATION 19/2012/part 1

Resolution A.1106(29) Adopted on 2 December 2015 (Agenda item 10)

COMMUNICATIONS FOR MARITIME SAFETY AND EFFICIENCY. Francis Zachariae, Secretary-General, IALA

The FA-50 offers accurate information for collision avoidance

ITU Service Publications (maritime) and MARS (Maritime mobile Access and Retrieval System)

Security of Global Navigation Satellite Systems (GNSS) GPS Fundamentals GPS Signal Spoofing Attack Spoofing Detection Techniques

Frank Heymann 1.

Digital broadcasting systems under development within ITU-R of interest for the maritime community

ROUTEING OF SHIPS, SHIP REPORTING AND RELATED MATTERS. Establishment of a Mandatory Ship Reporting System in the

KS-200A/B. ˵à Êé. AIS Class B Transponder KS-200A AIS Receiver KS-200B

Understanding AIS. The technology, the limitations and how to overcome them with Lloyd s List Intelligence

GMDSS RADIO INSTALLATION

The Impact of IT on the. Marine Navigator. Andrew Eccleston. University of Plymouth

Satellite services for maritime security

Automatic identification system VHF data link loading

FURUNO DEEPSEA WORLD Class-A Universal AIS Automatic Identification System. The future today with FURUNO's electronics technology.

INTERNATIONAL STANDARD

The Role of Automatic Identification System (AIS) in Enhancing Vessel Traffic Management By Capt. Ehab Ibrahim Etman

CEPT/ERC/RECOMMENDATION E (Bonn 1994)

i-ais-bs1 AIS Shore Station Installation and User Manual Rev 0.1

Comparison of Collision Avoidance Systems and Applicability to Rail Transport

The FA-30 delivers Real-Time AIS information to navigation systems providing critical collision avoidance information

Addendum 1.4_2. (Addendum to MX420 Operator s Manual)

Radio Log Book. for Canadian Flag Vessels. 1 Master s Signature. Transports Canada. Transport Canada TP 13926E MARINE SAFETY

Plausibility analysis of navigation related AIS parameter based on time series

CML. Marine AIS. Product Information Pack. (Automatic Identification System) Home CMX910 CMX7032/42. Resources. Slide 1. June 2009

NMEA 2000 Parameter Group Numbers and Description as of August 2007 NMEA 2000 DB Ver

General Information Manual Edition 1.14

LRIT spectrum, cybersecurity and other ITU related activities

D1.15 Draft Chapter 4 (e-navigation) for the 2018 Edition of the IALA NAVGUIDE

JCG GMDSS Symposium NAVDAT : Navigational Data

Technical Details and Guidelines for VDES Implementation

INTERNATIONAL STANDARD

Automatic Identification System And Its Integration On The Great Lakes And St. Lawrence Seaway

Maritime Geo-Fence Letter Report

Detailed explanations, concerning the fields to be notified (SHIP STATIONS)

DEVELOPMENT OF A DEFINITION FOR MSPS AND CONSIDERATION FOR THE HARMONIZATION OF THE FORMAT AND STRUCTURE OF MSPS

NMEA2000- Par PGN. Mandatory Request, Command, or Acknowledge Group Function Receive/Transmit PGN's

ESSnet pilot AIS data. Anke Consten, Eleni Bisioti and Olav Grøndal (23 February 2017, Sofia)

TECHNICAL COMMITTEE 80: MARITIME NAVIGATION AND RADIOCOMMUNICATION EQUIPMENT AND SYSTEMS INTERNATIONAL ELECTROTECHNICAL COMMISSION

GMISS IALA and Maritime Information Sharing

Digital Selective Calling (DSC) Radios

Emergency Marine Communications

Table of Contents. Quick Start Guide. Important Notes! Nautilus GPS Components. Operation. Region Programming & MMSI. Nautilus GPS App.

DSC WATCH - Coast stations participating in MF, HF and VHF watch-keeping using digital selective calling techniques

ARTICLE 32 Operational procedures for distress communications in the global maritime distress and safety system (GMDSS) (WRC-07) Section I _ General

RECOMMENDATION ITU-R M.825-3*, **

GUIDANCE FOR THE PRESENTATION AND DISPLAY OF AIS APPLICATION-SPECIFIC MESSAGES INFORMATION

GUIDELINES ON ANNUAL TESTING OF THE AUTOMATIC IDENTIFICATION SYSTEM (AIS)

Future Generation of AIS Considers Integration of AIS and VDE. TEXAS V Workshop Canadian Embassy, Washington DC 7-8 November 2012

SMARTER THAN YOUR AVERAGE SENSOR: AIS SENSOR THAT INTELLIGENTLY RE-TRANSMITS MEANINGFUL INFORMATION DERIVED FROM RAW AIS DATA IN NETWORK LIMITED AREAS

INTERNATIONAL STANDARD

Bill Kautz U.S. Coast Guard Telecommunications Manager IALA e NAV Committee AIS/COMMS WG Vice Chair

HarborGuard-Pro. Integrated Maritime Security & Surveillance System

«INTRARADAR» Port of Corfu

This circular summarizes the various important aspects of the LRIT system with a view to enabling companies to ensure compliance in a timely manner.

Using AIS to identify and investigate ferry accidents

Table of Contents. Quick start guide. Important! Get to know Nautilus GPS. Operation MMSI. Test sequence. Maintenance. Battery Information

RULES FOR THE CONSTRUCTION AND CLASSIFICATION OF MOBILE OFFSHORE DRILLING UNITS TITLE MOBILE OFFSHORE DRILLING UNITS NAUTIC AND ELECTRONICS CHAPTERS

International Journal of Advance Engineering and Research Development DESIGN OF SHIP ROUTE TRACKING AND ALERT SYSTEM BY USING SATELLITE PHONE

Emerging Digital Radio Services

GPSMAP 700 series owner s manual

CONSIDERATION OF THE OUTCOME OF WRC-12 AND PREPARATION OF INITIAL ADVICE ON A DRAFT IMO POSITION ON WRC-2015 AGENDA ITEMS

e-navigation Underway International February 2016 Kilyong Kim(GMT Co., Ltd.) Co-author : Seojeong Lee(Korea Maritime and Ocean University)

American Marine Training Center, LLC AMTC (2682)

COMMUNICATION SYSTEMS FOR SAFETY AND SECURITY OF SHIPS

THE COMPLETE GUIDE TO. Automatic Identification System

VHF SHORT RANGE CERTIFICATE COURSE

INVENTORY FOR HARMONISED INLAND AIS APPLICATION SPECIFIC MESSAGES IN EUROPE

Integration of AIS functionalities

WRITTEN TEST Certificate for the operation of maritime VHF radio systems (SRC)

VDES: Next Generation AIS in the Review & Modernization of the GMDSS

It is an Interconnected World. Except in the Maritime Domain In 2008 Satellite AIS (S-AIS) Changed All that!

GUIDELINES ON THE DESIGN AND USE OF PORTABLE PILOT UNITS INTERNATIONAL MARITIME PILOTS ASSOCIATION

Communication & Safety at Sea

for collision avoidance

INTERNATIONAL STANDARD

Transcription:

Application Security: internet, mobile ed oltre (In)security of smart transportation at sea Dr. Marco Balduzzi Venezia, 3 ottobre 2014 (In)security of smart transportation at sea - DR. MARCO BALDUZZI 3.10.2014 - Venezia - ISACA VENICE Chapter

(In)security of smart transportation at sea The Automated Identification System (AIS) (In)security of smart transportation at sea - DR. MARCO BALDUZZI 3.10.2014 - Venezia - ISACA VENICE Chapter

Application Security: internet, mobile ed oltre Organizzatori Sponsor e sostenitori di ISACA VENICE Chapter Con il patrocinio di (In)security of smart transportation at sea - DR. MARCO BALDUZZI 3.10.2014 - Venezia - ISACA VENICE Chapter

Dr. Marco Balduzzi Old-school hacker Free-software aficionado @embyte Ph.D. in system security M.Sc. computer engineering Senior research scientist in Trend Micro Living on the edge: between academic and industrial research (In)security of smart transportation at sea - DR. MARCO BALDUZZI 3.10.2014 - Venezia - ISACA VENICE Chapter

ABSTRACT This talk is not about SQLi or XSS Threats in unconventional systems and technologies AIS as primary example of smart transportation (In)security of smart transportation at sea - DR. MARCO BALDUZZI 3.10.2014 - Venezia - ISACA VENICE Chapter

Automatic Identification System AIS, Automatic Identification System Tracking system for vessels Ship-to-ship communication From/to port authorities (VTS) Some applications: Maritime security (piracy) Collision avoidance Search and rescue Accident investigation Binary messages, e.g. Weather forecasting

Required Installation Since 2002 Introduced to supplement existing safety systems, e.g. traditional radars Required on: ANY International ship with gross tonnage of 300+ ALL passenger ships regardless of size Estimated 400,000 installations Expected over a million

Data Exchange AIS messages are exchanged in two forms: Radio-frequency (VHF) 162 ± 0.25 MHz Online AIS Providers

Online Providers Collect and visualize vessels information Data upstream via: Mobile Apps, Software Email API Radio-frequency gateways deployed regionally

Identified Threats Grouped in two macro categories 1. Implementation-specific = Online Providers [Software] VS 2. Protocol-specific = AIS Transponders [RF / VHF]

AIS Application Layer AIVDM messages, e.g.: Position reports Static reports Management (channel...) Safety-related (SART) NMEA sentences, as GPS!AIVDM,1,1,,B,177KQJ5000G?tO`K>RA1wUbN0TKH,0*5C TAG, FRAG_#, FRAG_ID, N/A, CHANNEL, PAYLOAD, PAD, CRC

AIVDM Encoder

Example Ship involved in Military Operations MMSI 247 320162 (Italy)

Spoofing Online Providers Ships or Aids-to-Navigation

US to North Korea... What?! Wargames (1983) or cyberwar?

Programming a malicious route Tool to make a ship follow a path over time Programmed with Google Earth's KML/KMZ information

Hijacking (Rouge Gateway)

Example Move a real ship Eleanor Gordon

Popping Up in Dallas?

Radio-Frequency (VHF) Threats

AIS Communication over the Air Protocol designed in a hardware-epoch Hacking was difficult and cost expensive No authentication, no integrity check 2014 Craft AIS signals? Let's do it via software!

SDR Software Defined Radio Many applications, e.g. Radio / TV receivers, 20 USD Radio amateurs, SDR transmitters Reduced costs Reduced complexity Increased flexibility Accessible by many, pirates included!

Our Testing Lab

AIS Transmitter Built & implemented a software-based AIS transmitter GnuRadio, http://gnuradio.org/ Custom block: AIS Frame Builder [Ref, HITB KUL 2013]

RF Spoofing Radio-frequency (VHF) version of spoofing Setup : [Attacker] [Victim] Amplifier : 20+ km (modified radio)

Victim's Console

Injecting into legit AIS gateways

Man-in-water Spoofing Fake a "man-in-the-water" distress beacon Trigger SART (S.O.S.) alerts Visually and acoustically Lure a victim vessel into navigating to a hostile and attacker-controller sea space Mandatory by legislation

Man-in-water Spoofing

Frequency Hopping (DoS++) Disable AIS transponders Switch to non-default frequency (RX and TX) Single or multiple target(s) Program a desired targeted region Geographically remote region applies as well For example: Pirates can render a ship invisible upon entering Somalia

Frequency Hopping (DoS++)

CPA Alerting Fake a CPA alert, Closest Point of Approach Trigger a collision warning alert Possibly alter course

Malicious Weather Forecasting

Slot Starvation (DoS++) Impersonate port authority Base station spoofing Book TDMA slots

Slot Starvation (DoS++) Base Station Spoofing

Slot Starvation (DoS++) Victim's Console

Timing Attack (DoS++) Instruct an AIS transponder to delay its transmission in time Default broadcast time: Static reports = 6 min Dynamic reports = 0.5 to 3 min (depending on speed) Attack code:

Back to the r00ts AIS = Attack Vector AIVDM messages are exchanged and processed at application layer by back-end software In VTS server installations Binary message, special type used for Crew members, Number of passengers Environment information Malicious payloads, e.g. BOF, SQLi,

Back to the r00ts SQL Error in back-end processing

Attacking D-GPS Differential Global Positioning System (D-GPS) Attack = Spoof D-GPS beacons to force ships into calculating a wrong GPS position! Used by port authorities to increase the precision of traditional GPS (meters centimeters) Message 17: GNSS broadcast binary message Similar to UT Austin Researchers Spoof Superyacht at Sea Monday, 29 July 2013

Responsible Disclosure Experiments conducted without interfering with existing systems Messages with safety-implications tested only in lab environment (wired connections) We reached out the appropriate providers and authorities within time MarineTraffic, AisHub, VesselFinder, ShipFinder ITU-R, IALA, IMO, US Coast Guards

Proposed countermeasures Anomaly Detection Detect suspicious activities like unexpected changes in vessels route or static information. Correlate satellite information to find incongruities Not the final solution Authentication on protocol Use of digital certificates issued by official national maritime authorities X.509 PKI Full discussion on paper (ACSAC 2014)

Take Home AIS is widely used Mandatory installation AIS is a major technology in marine safety AIS is broken at implementation-level AIS is broken at protocol-level We hope that our work will help in raising the issue and enhancing the existing situation!

Domande? (In)security of smart transportation at sea - DR. MARCO BALDUZZI 3.10.2014 - Venezia - ISACA VENICE Chapter

Grazie per l attenzione! Dr. Marco Balduzzi marco_balduzzi <@> trendmicro.com (In)security of smart transportation at sea - DR. MARCO BALDUZZI 3.10.2014 - Venezia - ISACA VENICE Chapter

2024 © hobbydocbox.com Privacy Policy | Terms of Service | Feedback