Shippers, traders and researchers monitoring global vessel traffic in the past six months might have seen an imaginary U.S. ferry sail to North Korea, a tugboat go from the Mississippi River to a Dallas lake in two minutes and the path of a fake Italian yacht spelling out PWNED — hacker slang for ‚Äúdefeated.‚Äù
These false signals, orchestrated by Trend Micro Inc., a Tokyo-based Internet security company, were designed to expose vulnerabilities in the mandatory system used to track merchant vessels worldwide. With the network that was built to improve safety at sea unprotected against hackers, phony tracks could lead to collisions and other accidents, according to the International Chamber of Shipping, a trade association representing more than 80 percent of the fleet.
International conventions require all ships to broadcast their identity, status and location to other vessels and coastal authorities. The signals, compiled by websites such as marinetraffic.com and data services including Bloomberg LP, the parent of Bloomberg News, may be used to gauge how many ships are available to load a cargo or predict trade before official figures are released. The system needs security, according to Kyle Wilhoit, a Trend Micro researcher in St. Louis.
‚ÄúThis would be the equivalent of a house being wide open, windows open, everything wide open,‚Äù Wilhoit said by phone Oct. 21. ‚ÄúWe can literally move, create and modify existing boats, as well as boats that don‚Äôt even exist. Some nerd in a basement can do that.‚Äù
Trend Micro wants to help secure the system and is working with U.S. government agencies to bring the matter before the International Maritime Organization, the United Nations agency that oversees shipping, Wilhoit said, declining to be more specific. The IMO can‚Äôt consider the issue until a member state or organization formally presents it for review, spokeswoman Natasha Brown said by phone from London Oct. 21, declining to comment further.
Since 2004, an IMO convention required all ships to carry automatic identification systems, known as AIS. As an international standard, the actual technology isn‚Äôt owned by anyone, much like the Internet. Ships carry transponders that communicate with shore-based antennae and satellites to report their identity, position, speed and status.
AIS isn‚Äôt meant to replace navigation systems such as radar, according to IMO regulations. Data are either transmitted automatically or manually entered by a ship‚Äôs captain. Authorities around the world who use the signals say they‚Äôre generally reliable: A 2011 study by the Lisbon-based European Maritime Safety Agency found that fewer than 3 percent of ships were signaling invalid identification numbers.
A disclaimer on marinetraffic.com says the site isn‚Äôt responsible for the underlying AIS data, which may be inaccurate or incomplete because of radio interference, weather conditions, incorrectly configured devices or negligent data entry by a vessel‚Äôs crew.
The signals are aggregated and made available on websites and through paid services such as IHS Inc.‚Äôs AISLive, which shows updates every three minutes from 70,000 vessels in more than 100 countries. While that‚Äôs useful for analysts, ship owners generally resent AIS because it weakens their ability to win higher rates by bluffing about vessel availability, said¬†Peter Sand, an analyst at the Baltic and International Maritime Council, whose members control 65 percent of the global fleet.
‚ÄòDONT BE NOSEY‚Äô
‚ÄúShip owners would rather be without that,‚Äù Sand said by phone Oct. 24. ‚ÄúWith AIS available to everybody, it has limited negotiating power.‚Äù
Shipping rates have declined since 2008 because owners ordered too many vessels before the global recession. The ClarkSea Index, a measure of industrywide earnings, averaged $9,586 a day this year, tied with 2012 for the lowest since at least 1990, according to data from Clarkson Plc, the world‚Äôs largest shipbroker.
The knowledge that signals are being monitored has sometimes affected the transmissions. Ships transiting Somalia‚Äôs coast often broadcast ‚ÄúARMED GUARDS‚Äù because of speculation that pirates follow the signals to target ships and won‚Äôt attack those with security details. Others misspell or abbreviate their destination, or even display ‚ÄúNONE OF UR BUSINESS‚Äù and ‚ÄúDONT BE NOSEY.‚Äù An Iranian tanker once reported its destination as ‚ÄúNEW YOURK‚Äù (sic), according to data compiled by Bloomberg.
Some of Iran‚Äôs fleet stopped signaling since U.S. and European sanctions started hampering the country‚Äôs oil exports last year, according to the International Energy Agency. Vessels that switch off their AIS equipment will still be seen by radar, IHS said in an e-mailed statement.
The system has no way of verifying who‚Äôs submitting data and whether the signals are plausible, according to the Trend Micro study presented Oct. 16 at the Hack in the Box conference in Kuala Lumpur.
Since shippers and traders monitor the signals to anticipate trade patterns, hackers could theoretically profit from betting on commodity or freight prices and manipulating AIS, said Roy Mason, the founder of tanker tracker Oil Movements, who has been using information from port agents, shipbrokers and AIS signals for 26 years. This would require significant effort because shipping markets are highly variable, he said.
‚ÄúIn order to establish that something real has happened, something significant and out of the ordinary, three to four weeks is what‚Äôs needed,‚Äù Mason said by phone Oct. 24. ‚ÄúOne extra tanker isn‚Äôt news, but 10 is, or 20.‚Äù
Marine trackers know to discount signals that appear untrustworthy, Mason said. If data appear suspect, users should check the ship‚Äôs flag, name and identification numbers, IHS said.
The U.S. Coast Guard hasn‚Äôt received any reports of AIS hacking, spokesman Carlos Diaz said by e-mail.
AIS is vulnerable to hacking because it lacks any form of authentication or encryption, EMSA said in an Oct. 22 e-mailed statement. Updating the protocols is the responsibility of the IMO and the International Telecommunication Union, according to EMSA.
The ITU will consider enhancements to AIS at the World Radiocommunication Conference in 2015, the Geneva-based organization said in an e-mailed statement Oct. 28.
Equipment needed to transmit the false signals cost about 700 euros ($965), Wilhoit said. Trend Micro found ways to stage fake emergencies, such as a man overboard or collision warnings, he said. They didn‚Äôt attack any real vessels.
‚ÄúAIS is now being used at the fringes of what it was intended for,‚Äù John Murray, marine director at the International Chamber of Shipping in London, said by phone Oct. 21. ‚ÄúWhen signals can be spoofed or inaccurate for whatever reason, inevitably this is of concern.‚Äù
To contact the reporter on this story: Isaac Arnsdorf in New York at¬†email@example.com
To contact the editor responsible for this story: Alaric Nightingale firstname.lastname@example.org