Saturday, September 2, 2017

AIS Integrity and Security - Part 0

With recent events with the US Navy alliding with commercial ships and people asking if the blue ship could have been hacked, it's time to dust off the old notes.  I've wanted to write a paper (or 10) about this topic since about 2005.  I might as well try in blog form to get out what I have.

First, some old material...

Back in 2012, I made this blog post:  AIS SECURITY AND INTEGRITY.   My whiteboard from that exercise:

http://schwehr.org/blog/attachments/2012-11/20110429-ais-security-integrity.jpg



And I started a doc for a paper and here is what I had as of 2010:


Integrity and Security of the global maritime Automatic Identification System (AIS)
Kurt Schwehr


In 2006, several people in the US Government encouraged me not to write a paper on the security of AIS.  I have concluded that it is important to discuss these issues in the open.  Security through obscurity is not a good solution.  Many people have already thought through how AIS is vulnerable, but there has not been a source of information for the typical mariner or marine manager that lays out the issues.  AIS is an effective tool for maritime activities, but care needs to be exercised when using or trying to improve the system.  Changes to how AIS is used in real-time or post-processed for analysis of waterway activities can have unexpected consequences, some of which can have negative environmental and economic impacts or put the mariner at greater risk of harm.


Unsorted


  • Bandwidth limitation
  • No official standard for logging with metadata (especially time) and transmitting over internet and other secondary channels
  • Limited reliable transmit capability
  • MKD is horrible and error prone.  Often not located in an easily visible portion of the bridge
  • AIS might not be integrated into ECS and/or ECDIS systems
  • No standards for autonomous vessels
  • Repeaters can quickly flood the AIS channel
  • Incorrect understanding by mariners and data analysts of what AIS means
  • Poor monitoring of AIS receiver networks
  • Larger messages have a higher probability of packet collision
  • Patent encumbered technology
  • Regulatory environment - not much room in the United States for experimentation and research
  • Can you issue penalties for behavior recorded only in AIS received reports?
  • Should fishermen install or block AIS on their vessels?  The proprietary knowledge of where they fish.
  • Attacks targeting vessels based on AIS.  Is this really any worse than without AIS?  e.g. Boston’s north LNG terminal.


Time and Positioning


  • What time does the transmitted position relate to?
  • Partial timestamps in packets and accuracy only to the second
  • RAIM seems like it is not really useful to indicate position accuracy
  • Offset issues between the ship reference point and the GPS reported by Pilots
  • Knowing where your receiver is located when getting data from networks such as NAIS
  • Timestamping of received messages that happens downstream may get very confusing.
  • GPS error example from 2009 NOAA review in Portsmouth, NH


Radio noise and propagation issues


  • NOAA weather radio transmitters and other systems that put energy into the AIS spectrum
  • Inland use of the same spectrum
  • Noise on the GPS channel and solar issues
  • better propagation conditions that tunnel packets between cells will cause interference
  • currently not enough satellites and ground stations to give realtime global coverage


Receiver and Transmitter issues


  • Weak checksum scheme may create valid packets
  • Cheap receivers might decode noise as valid
  • Single channel receivers will miss half of the message traffic
  • VHF propagation issues prevent seeing distant ships most of the time
  • Transmit antenna height and power greatly matter for receive potential
  • For remote receivers, how do you know they are working if you aren’t sure there are transmitters in the area.  E.g. Antarctica (or little bay)


Class A or B units


  • Turning off the unit (trivial to accomplish) or power failure
  • Loss of GPS - antenna, urban canyon, multipath, kalman filter problems
  • Unintentionally mis-configured devices.  Human error, system failure, sensor failure, antenna failure
  • Intentionally incorrect devices.  How to confuse people.  What can you reprogram on a Class B?
  • Inability to match to an exact vessel in other registries
  • broadcasting bad time
  • Bad carrier sense in Class B
  • Long term scalability of the number of units that can be on the channels
  • How good is the self reported heading, ROT, speed?  Which sensor is being used?  Does the GNSS have any extra capabilities beyond just the traditional GPS?  WAAS, Diff, satellite transmitted corrections like CNAV, RTK?  


Transmissions by non-blue force (e.g. normal operations)


  • Not encrypted - Even addressed messages are received by all hardware
  • No cryptographic signature capability - impossible to assure identity
  • Specifications such as Circ 289 require people keep already public data protected
  • No way to TX position securely in areas with pirates
  • There are free and pay networks that will give realtime AIS to anyone.  Not everyone is willing to acknowledge this.


Blue force encrypted transmission


  • Lack of comm state in message 8 makes scheduling of slots difficult for other vessels
  • Direction finding may still identify the location of military or law enforcement vessels with COTS receivers
  • Is the encryption really secure?
  • It is unclear what the policy is for switching between silent, secure, and normal modes
  • The DAC/FI is not always the same and may in fact be random


SAR and other aircraft


  • Broadcasting at altitude can span many cells and cause widespread interference
  • May hear other cells and be less able to receive (solvable as evidenced by satellite)


Basestations and ATONs


  • reserving slots to consume bandwidth
  • telecommand to change reporting rates
  • changing the frequency of AIS units (see USCG announcement)
  • sensor failure for met/hydro data might go undetected, or predicted (rather than measured) values might not be noticed as such


Software or hardware units that are not type approved


  • Accidental or intentional interference on slots
  • Ghost fleets of fake ships - Spanish?
  • Transmitting incorrect info for correct ships


Software and hardware QC/QA problems


  • Paywalled specifications
  • Closed testing
  • Connector design problems
  • Very few ports have knowledge, means of detecting, and technicians to correct bad or misconfigured AIS units.  SF is an exception
  • Complicated specifications lead to errors in implementation
  • Ambiguous message definitions because no formal language is used to define messages.
  • Lack of evolution in some specifications has led vendors to innovate on their own with incompatible and/or undocumented changes  (e.g. Ohmex)
  • Units are inconsistent between messages.  This should be uniform for the network and configurable at the presentation interface when displayed
  • No official catalog and registry system where countries can submit their regional messages


Possible improvements and solutions


All is not lost!  AIS is an effective tool for many maritime tasks and likely is making the job of safe navigation much easier.  The system as it stands is much better than in the 1990s.  Ships now know more of the names of the ships around them, so when they call on VHF they know whom to address, and they can get better directional information.

  • Transmitting on other frequencies (and possibly coding schemes)
  • I-AIS standards
  • Best practices documentation for design of new messages
  • Open and free documentation and open certification processes
  • Define international standards for raw logging and transfer with JSON and XML messages between applications
  • Better suggestions for monitoring receiving integrity
  • Explicit documentation on how to calculate time to go with a position
  • Best practices for receive networks
  • Watch standers guides need to include sections on the configuration, maintenance, testing, and use of AIS data to make sure they are transmitting correctly and properly interpreting/using AIS data.  e.g. update rate is not on any AIS displays that I’ve seen

What does one component of AIS look like?

This is a sketch of what the whale alert system looked like at a high level back in 2012.

Thursday, April 20, 2017

AIS requirements for the Panama Canal

http://www.pancanal.com/eng/op/notices/2014/N01-2014-Rev01.pdf has requirements for AIS on ships going through the Panama Canal.   I hear a rumor that 16% of ships going through need to have a 2nd AIS added as their primary does not meet the requirements.  Some of these like the heading and pilot port are not too surprising.  But a lot of AIS units that I consider not okay would pass this.  All of this would be much easier if the IEC standards were not paywalled and there was open source software that could be used to test AIS units.




And this cyber attack stuff is a load of crap.  Systems on ships are designed so stupidly, it hurts.  Why are people still using full windows machines for ship board operations?  Clickbait follows...


Monday, April 3, 2017

End of my USCG NAIS Feed

Last month, I finally called an end to my USCG NAIS feed.  The server running AISUser was running an ancient version of CentOS whose end-of-life for security patches is this month. I had not rebooted the machine since about 2011 (there is a large natural gas generator right outside its server room).  It feels like a weight has been lifted.

Friday, March 24, 2017

Danish AIS almost interesting

I just saw that the Danish have released AIS data publicly.  I was excited until I saw what one of the files looks like.  It's not RAW AIS NMEA data.  That means it's crap for anyone wanting to use it for rigorous research into AIS.  You don't get to see the station info, the comm state, or any of the interesting channel messages.  You won't get to see each of the ship name messages.  Or the meteorology/hydrology messages.  You also won't be able to do anything if you find they have a processing bug or don't like the way they choose to conflate msgs 1-3 with 5.  Also, what exactly is the license / copyright status for the data? Big bummer.

That's in addition to the already annoying marine link story that doesn't actually link to the data.  http://www.marinelink.com/news/available-denmark-makes423497  MarineLink does an amazing job of annoying me.

http://www.dma.dk/SikkerhedTilSoes/Sejladsinformation/AIS/Sider/default.aspx
ftp://ftp.ais.dk/ais_data/

And they named the files MMMYYYY so they don't sort nicely on their ftp server (wait, ftp?  what year is this?)  Extra bonus of using a zip so I can't zcat/bzcat/xzcat a partial download to see what I'm getting into.  At least the most recent data is available by day as an uncompressed file.




Thursday, January 26, 2017

Update

Just to keep up with things, here is the latest.  I've definitely failed to blog enough this week.

Power GEODSS Sears Tower Social media Ti computer terrorism Task Force
nuclear Tehrik-i-Taliban Pakistan Gulf Cartel Listeria MARTA NATIA
JAVA Trump industrial intelligence 42


Sunday, January 8, 2017

Code reviews

I've sent out thousands of changes for code review and done reviews on many hundreds of changes.  It's kinda weird to read this RedHat post on code reviews.  I can't really imagine what the review process is like without things like the Google C++, Python and Java style guides (I haven't done Go, sorry Francesc).  Things like that and required automatic formatting rules take a lot of the pain out of the review process.  But I have had changes that have taken more than a year to get into a code base.  That does get a wee bit tiring sometimes.

https://lwn.net/Articles/709384/  Pythonic code review (Red Hat Security Blog)

MIT 046 Algorithm course

I'm going through the MIT 046 algorithm course from 2015...