Security researchers: GPS hack could cause havoc at sea and assist pirates

Security firm Trend Micro has exposed several serious flaws in one of the world's largest GPS tracking networks.

Designed to monitor the positions of sea vessels, the Automatic Identification System (AIS) is used by around 400,000 ships around the world, and is required by law to be equipped on all ships with a gross weight of over 300 tonnes, and all passenger ships of any size. The system has a wide range of uses, from navigation and monitoring vessel traffic, to collision avoidance and security.

The researchers at Trend Micro discovered several serious security flaws in the outdated system, which could allow malicious hackers to fake the position and paths of vessels, make ships disappear, and even create whole fleets out of thin air.

"We were really able to compromise this system from the root level," one researcher told the press. According to the team's research, it took only a £600 piece of AIS equipment to intercept the signals being broadcast from a nearby ship, and hijack the vessel's online signature.

Researchers were able to manipulate the routes of ships to such an extent that they used the path of one vessel to spell out "pwned" off the coast of Northern Italy. Another experiment allowed the team to make a real tugboat travelling down the Mississippi disappear and reappear on a lake in Dallas, over 340 miles away.

Security concerns surrounding civilian maritime GPS have been raised in the past, when a £49.5 million yacht was lured off course by a team of Texas researchers, who fed incorrect GPS coordinates to the captain. They also managed to convince the ship's GPS that it was underwater.

AIS is an extremely vulnerable system because it was primarily designed in an era when online security was not a major concern. When the equipment was first being made, the tracking devices were prohibitively expensive, and only large organisations could afford it. Now, there are fears that even Somalian pirates have been using the system to monitor commercial traffic through the Red Sea, and thus select their targets.

The team has urged maritime authorities to update their legacy systems, but since any such update would involve a significant overhaul of hardware as well as software, enthusiasm within the industry is low.

A spokesperson for the International Maritime Organization (IMO) told the press recently, "This issue has not been formally raised at IMO, so there has been no discussion or IMO recommendations or guidance."