- CRFS – Spectrum Monitoring and Geolocation - https://www.crfs.com -

AIS Spoofing Detection with TDOA

What is AIS?

The AIS (Automatic Identification System) is designed to allow ships, boats and other maritime vessels to provide information about their identity, position and heading to other vessels and base stations. It works by broadcasting information using RF signals that can be detected by other users with AIS equipment. This data is transmitted over the maritime channels 87B (161.975 MHz) and 88B (162.025 MHz), both of which are in the VHF frequency band. VHF transmission range is typically determined by line-of-sight constraints, so for practical purposes it will usually be around 20 miles. However, satellites are increasingly being used to bypass this restriction, and allow broadcast over a much wider area.

As all vessels with AIS transmit on these two frequencies, some form of organization is needed to prevent multiple messages from being broadcast simultaneously and causing mutual interference. This is done by means of STDMA (Self-Organized Time Division Multiple Access) links. STDMA works with ‘frames’ of one minute in length, which are divided up into 2250 individual time slots. Each vessel is then allocated one or more of these slots to send its AIS messages, ensuring there is no overlap.

What is it used for?

AIS was originally implemented for collision avoidance purposes. Knowing the location of craft in the surrounding area allowed a vessel’s captain to steer clear of them. With AIS now a requirement for ships with a gross tonnage over 300, and for all passenger ships, the range of uses for it has greatly expanded, including:

  • Traffic monitoring to ensure sufficient capacity is available in congested shipping lanes
  • Anti-smuggling units tracking the movements of suspect vessels
  • Search and rescue operations utilizing AIS transmissions to locate ships in distress
  • Accident investigators reconstructing the moments leading up to a collision or sinking
  • Aid-to-navigation information to plot safe routes through potential hazards

Live feeds of AIS information are available from a number of online sources.

What information does it provide?

The information transmitted using AIS consists of two main categories: identification (information about the vessel itself) and navigation (information about where and how the vessel is traveling). The former includes the vessel’s MMSI and IMO numbers, its name and call sign, the ship type, its dimensions and draft, and the type and location of its GPS system. The latter includes its position, heading, speed and course over ground, bearing, rate of turn, destination and ETA at destination. It can also be used to transmit short, free-format messages about potential safety issues.

What security vulnerabilities does it have?

As AIS is a self-reporting system, it relies upon users to accurately report the characteristics of their own vessels. Balduzzi et al. identified a series of ways in which AIS can be exploited by malicious actors for a variety of purposes. These include:

Ship spoofing – where an AIS message is broadcast giving details of a non-existent ship, including its identity, location and cargo type. Scenarios where this could be used include spoofing a ship of one nation into the territorial waters of a hostile nation, leading that nation to take countermeasures. Alternatively, multiple versions of the details of a real ship can be broadcast, placing it in many different locations simultaneously to obscure its true location, as has been seen in illegal fishing.

Aid-to-navigation spoofing – where details of a fake aid-to-navigation, such as a buoy warning of hidden shoals, are broadcast in order to force a ship to change its course. This might be done to force a vessel into a region where it can be hijacked.

Collision spoofing – As described above, collision avoidance is one of the primary uses of AIS. By providing spoofed details of a vessel on a collision course, an attacker can force the captain of a ship to change course to avoid the anticipated collision. This could, for example, be used to steer the ship into a real collision with rocks.

AIS-SART spoofing – We have also previously noted that search and rescue is another of the primary uses of AIS. This attack works by generating a spoofed SART (search and rescue transponder) signal, which gives details of a vessel or person in distress. Ships in receipt of a SART signal are legally obliged to assist with any rescue operation, so SART spoofing can be used (most likely by pirates) to lure vessels to a location where they can be attacked.

Weather forecast spoofing – AIS can be used to relay information about prevailing weather conditions between marine craft. A fake forecast, particularly one that predicts fine conditions when a storm is incoming, could be used to lead vessels into difficulties.

AIS hijacking – It is also possible to override signals being sent by vessels, by broadcasting a higher-power signal at the same time and frequency. The attacker can then change some details of the original message, for example to suggest that the vessel has a nuclear cargo in an area where such cargoes are illegal.

How Can TDOA Help?

The majority of these spoofing techniques (including ship, aid-to-navigation, collision, hijacking and in some circumstances SART) rely on broadcasting fake location details. To distinguish between real and spoofed signals, we need a way to directly determine the location of the transmission. We can then compare this with the location given by the AIS message, and, if there is a significant discrepancy, then we know that spoofing is being carried out. This is where CRFS comes in. Using a network of RFeye Nodes (deployed onshore or onboard ships), transmissions can be geolocated by time difference of arrival (TDOA). Once the source of the transmission has been determined, the relevant authorities can be dispatched to track down those responsible for the spoofing attacks.
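The comparison described above, as an added example that is not CRFS code: a TDOA fix is computed from arrival-time differences at four receivers and checked against the position an AIS message claims. The flat local grid, receiver layout, noise-free timings and 2 km threshold are all assumptions chosen for illustration.

```python
import math

C = 299_792_458.0  # radio propagation speed, m/s

def tdoas_for(source, receivers):
    """Arrival-time differences (s) at receivers 1..n relative to receiver 0."""
    d = [math.dist(source, r) for r in receivers]
    return [(di - d[0]) / C for di in d[1:]]

def locate_tdoa(receivers, tdoas, guess, iterations=50):
    """Gauss-Newton least-squares fit of a 2-D emitter position to the TDOAs."""
    x, y = guess
    (x0, y0) = receivers[0]
    for _ in range(iterations):
        d0 = math.dist((x, y), (x0, y0))
        a11 = a12 = a22 = b1 = b2 = 0.0
        for (rx, ry), tau in zip(receivers[1:], tdoas):
            di = math.dist((x, y), (rx, ry))
            res = (di - d0) - C * tau  # range-difference residual, metres
            jx = (x - rx) / di - (x - x0) / d0
            jy = (y - ry) / di - (y - y0) / d0
            a11 += jx * jx; a12 += jx * jy; a22 += jy * jy
            b1 += jx * res; b2 += jy * res
        det = a11 * a22 - a12 * a12
        if abs(det) < 1e-12:
            raise ValueError("receiver geometry cannot resolve a position")
        dx = (a22 * b1 - a12 * b2) / det
        dy = (a11 * b2 - a12 * b1) / det
        x, y = x - dx, y - dy
        if math.hypot(dx, dy) < 1e-3:  # last step was under a millimetre
            break
    return x, y

def check_ais_report(receivers, tdoas, claimed_xy, threshold_m=2_000.0):
    """Flag an AIS message whose claimed position disagrees with the TDOA fix."""
    start = tuple(sum(c) / len(receivers) for c in zip(*receivers))  # centroid
    fix = locate_tdoa(receivers, tdoas, start)
    offset = math.dist(fix, claimed_xy)
    return {"fix": fix, "offset_m": offset, "suspect": offset > threshold_m}

# Constructed scenario: four receiver sites on a local east/north grid (metres).
NODES = [(0.0, 0.0), (30_000.0, 0.0), (30_000.0, 30_000.0), (0.0, 30_000.0)]
EMITTER = (12_000.0, 8_000.0)         # true transmitter position (constructed)
MEASURED = tdoas_for(EMITTER, NODES)  # noise-free stand-in for measured TDOAs
HONEST = check_ais_report(NODES, MEASURED, (12_150.0, 7_900.0))
SPOOFED = check_ais_report(NODES, MEASURED, (25_000.0, 27_000.0))
print(HONEST["suspect"], round(HONEST["offset_m"]))
print(SPOOFED["suspect"], round(SPOOFED["offset_m"]))
```

In a real deployment the threshold would be set from the network's measured geolocation error, since timing noise and receiver geometry both widen the fix.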

Want to Know More?

Get in touch with us here at CRFS, and one of our team members will be happy to help. If you would like to find out more about how TDOA works, then download our white paper.