According to the International Maritime Organization (IMO), the United Nations agency responsible for the safety and security of shipping, the installation of AIS is required on all ships of 300 gross tonnage or more that are engaged on international voyages and for all passenger ships regardless of size.
The IMO did not immediately respond to a request for comment about the AIS attacks revealed Thursday at Hack in the Box.
According to Balduzzi and Pasta, AIS providers and maritime authorities generally acknowledged in the past that the lack of authentication and integrity checking in AIS is a problem, but said that captains are instructed to correlate information from multiple systems and not rely on AIS data alone.
"To me, if you have a system that's supposed to enhance the previous systems, but is not secure and can report wrong information, then it's useless," Balduzzi said.
Completely fixing the problem would require redesigning the communication protocol to build in security, and then upgrading or replacing the AIS hardware installed on ships, in ports and ground stations. However, that's not feasible in the short term, the researchers said. Using specialized software to detect anomalies in the AIS data can be a temporary solution, but won't protect against all possible attacks like the denial-of-service ones, they said.
Sign up for Computerworld eNewsletters.