

Ship Tracking Hack Makes Tankers Vanish from View - DiabloD3
http://www.technologyreview.com/news/520421/ship-tracking-hack-makes-tankers-vanish-from-view/

======
ge0rg
With the advent of SDR, such attacks are becoming easier to accomplish and
also come into the focus of IT (security) researchers. There is already an OSS
AIS decoder [1], and I suppose it will not be too hard to make an _en_coder.

Still, we have seen similar attack vectors to GSM (you can DoS a multi-million
city with a dozen manipulated $20 phones), but no real attacks.

Transmitting on licensed frequencies without the proper permission is an
offense in most countries, and I suppose you can be liable for the damage,
provided the regulation authorities can triangulate you while you are sending
out.

[1] [http://gnuais.sourceforge.net/](http://gnuais.sourceforge.net/)

------
chmars
Could the same be done in air traffic control?

It's certainly possible with ACARS. What about information from aircraft
transmitted via ADS-B?

And could CPDLC data sent from air traffic control to aircraft be faked as
well?

I would be very surprised if proper encryption and authentication were in
place for ADS-B and CPDLC …

Some Wikipedia links if you don't know the abbreviations used above:

[https://en.wikipedia.org/wiki/ACARS](https://en.wikipedia.org/wiki/ACARS)
[https://en.wikipedia.org/wiki/ADS-B](https://en.wikipedia.org/wiki/ADS-B)
[https://en.wikipedia.org/wiki/CPDLC](https://en.wikipedia.org/wiki/CPDLC)

------
bcl
AIS was never designed to be secure, the easiest attack being to just jam the
2 frequencies it uses. But the AIS industry has sold itself as a safety and
security device, convincing the government to mandate its carriage on ships in
order to protect against terrorism.

~~~
revelation
It can quite obviously never be "secure" if the basic premise of the system is
that entities self-report their location. You can only hope to make it harder
to submit wrong data.

~~~
unclebucknasty
Securing it internally vs. externally are different goals.

------
Quai
AIS is not used for navigation, or any critical decisions. It's not like it
will override what the bridge sees, or what the radar picks up. ADS-B is a
similar system for aircraft, and has the same shortcomings.

~~~
clupprich
Not entirely true: A lot of information is transmitted via AIS these days. For
example current water depths (St Lawrence Seaway or on the Danube in Europe)
are transmitted and used for navigation on these waterways. You also have the
possibility to place a distress signal with AIS, which would quite likely lead
to a Search and Rescue operation, costing huge amounts of money and taking
away resources from real emergencies.

AIS is directly connected to an ECDIS on a ship's bridge, which is the digital
replacement for maritime paper charts. AIS targets are displayed in these
ECDIS systems and (see above) in some regions of the world the information
shown there is also influenced by AIS data.

Also a lot of ports are using AIS (together with radar) to keep an eye on the
traffic - spamming those systems, which is easily possible, would quite likely
cause severe troubles for larger ports like London or Los Angeles.

I'm honestly surprised that nobody has yet DoS'd a larger port or other
infrastructure.

~~~
nitrogen
_I'm honestly surprised that nobody has yet DoS'd a larger port or other
infrastructure._

It's probably because most people don't want to do that. Outside of prisons, a
good chunk of human safety relies on the fact that most people would rather
preserve their own safety than take away that of others.

------
unclebucknasty
What we are enabling with software has far outstripped our will and/or ability
to secure it.

