Over the weekend a tugboat chugged along the mighty Mississippi River, heading for the Gulf, when, in a flash, it disappeared completely. Moments later it reappeared, popping into existence a few hundred miles away on a small lake in Texas.
At least, that's what it would've appeared to do for anyone watching the ship's unusual journey on the popular vessel tracking website MarineTraffic.com. In reality, the ship didn't go anywhere and presumably had no idea it was the star of a demonstration put on by cyber security researchers meant to reveal vulnerabilities in online portals for a worldwide vessel tracking system.
The researchers, part of Trend Micro's Forward Looking Threat team along with an independent researcher, said they've figured out how to "spoof" information going from a ship's Automatic Identification System (AIS) to the online tracking services -- meaning on a whim they can change not only the vessel's location on the website's map, but its size, type, origin or even the cargo it's listed as carrying. The team said they can take an oil tanker sitting in the New York Harbor and drop it off the coast of North Korea or create a luxury yacht out of thin air, all just with their laptops.
The AIS is a safety feature, described by the U.S. Coast Guard as "foremost a navigational tool for collision avoidance," that is mandatory for all ships carrying passengers and any cargo vessels over a certain size, according to the International Maritime Organization. It allows other ships, port officials and governments to track hundreds of vessels at the same time.
Privately owned websites, such as MarineTraffic.com and similar sites, also take the data and distribute it publicly on live maps for their own "informational purposes" -- keeping up with billions of traffic records for business owners, suppliers and maritime trade academics.
While a neat trick for the thousands of people worldwide who check the online vessel trackers, the researchers said hacking those private websites would likely not disrupt actual port operations, which rely on their own AIS tracking systems. To do that, the researchers discovered they just had to attack the AIS directly by being close to a particular port.
According to Trend Micro's Marco Balduzzi, he recently was able to sit within a few miles of a port he did not identify and manipulate a VHF radio frequency to make his own fake AIS signals and have them appear as if they are coming from the port or other ships. Balduzzi claimed that if he wanted, he could potentially convince other ships' AIS trackers they were on a collision course with a fictional vessel, make a lighthouse pop up out of nowhere or trick the system into basically shutting itself down completely.
Radars, voice communications and other redundant safety systems at ports could stave off disaster, but Balduzzi said to him it's still "scary."
"This kind of protocol was designed at a time when it was not easy to create such [spoofing] software. Nowadays, it's possible," said Balduzzi, who worked on the AIS project with fellow Trend Micro cyber security expert Kyle Wilhoit and independent researcher Alessandro Pasta.
Demitris Memos, Managing Director of MarineTraffic.com, told ABC News this is not a new problem and it would not be difficult to spoof AIS signals, as the AIS hardware itself can be purchased for just a few hundred dollars.
"This is not encrypted, this is open," he said. "Anyone with a device can broadcast their position and then they're a vessel."
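Because AIS reports carry no authentication, a tracking service or port system can only judge them by plausibility. The following added example (not code from the article, the researchers or MarineTraffic) flags a track like the tugboat's, where consecutive position reports imply an impossible speed. The report tuple layout, the MMSI numbers, the sample positions and the 60-knot ceiling are all assumptions constructed for illustration.

```python
import math
from collections import defaultdict

EARTH_RADIUS_NM = 3440.065   # mean Earth radius in nautical miles
MAX_PLAUSIBLE_KNOTS = 60.0   # assumed ceiling for a surface vessel; tune per fleet

# Constructed sample reports: (mmsi, unix_time_s, lat_deg, lon_deg). MMSIs are made up.
SAMPLE_REPORTS = [
    (366000001, 0, 29.95, -90.06),      # tug on the lower Mississippi
    (366000001, 600, 29.93, -90.04),    # 10 minutes later, about 1.6 nm away
    (366000001, 1200, 32.80, -96.80),   # 10 minutes later, "on a lake in Texas"
    (366000002, 0, 40.66, -74.04),      # second vessel, normal movement
    (366000002, 900, 40.64, -74.05),
    (366000002, 1800, 91.0, 181.0),     # AIS "position not available" default
]

def haversine_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(min(1.0, math.sqrt(a)))

def find_implausible_jumps(reports, max_knots=MAX_PLAUSIBLE_KNOTS):
    """Return (mmsi, t_prev, t_cur, distance_nm, implied_knots) for each
    consecutive pair of fixes whose implied speed exceeds max_knots."""
    tracks = defaultdict(list)
    for mmsi, ts, lat, lon in reports:
        # Drop out-of-range coordinates, including the 91/181 "not available" values.
        if -90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0:
            tracks[mmsi].append((ts, lat, lon))
    alerts = []
    for mmsi, fixes in tracks.items():
        fixes.sort()  # feeds can deliver reports out of order
        for (t0, la0, lo0), (t1, la1, lo1) in zip(fixes, fixes[1:]):
            dist = haversine_nm(la0, lo0, la1, lo1)
            hours = (t1 - t0) / 3600.0
            # Two different positions with the same timestamp cannot both be true.
            knots = dist / hours if hours > 0 else (math.inf if dist > 0 else 0.0)
            if knots > max_knots:
                alerts.append((mmsi, t0, t1, round(dist, 1), knots))
    return alerts

if __name__ == "__main__":
    for alert in find_implausible_jumps(SAMPLE_REPORTS):
        print("implausible jump:", alert)
```

A speed check like this only catches crude relocations; a forged track that moves at a believable speed passes it, which is why the redundant systems mentioned above (radar, voice communications) still matter.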