Shippers, traders and researchers monitoring global vessel traffic in the past six months might have seen an imaginary U.S. ferry sail to North Korea, a tugboat go from the Mississippi River to a Dallas lake in two minutes and the path of a fake Italian yacht spelling out PWNED — hacker slang for “defeated.”
These false signals, orchestrated by Trend Micro Inc., a Tokyo-based Internet security company, were designed to expose vulnerabilities in the mandatory system used to track merchant vessels worldwide. With the network that was built to improve safety at sea unprotected against hackers, phony tracks could lead to collisions and other accidents, according to the International Chamber of Shipping, a trade association representing more than 80 percent of the fleet.
International conventions require all ships to broadcast their identity, status and location to other vessels and coastal authorities. The signals, compiled by websites such as marinetraffic.com and data services including Bloomberg LP, the parent of Bloomberg News, may be used to gauge how many ships are available to load a cargo or predict trade before official figures are released. The system needs security, according to Kyle Wilhoit, a Trend Micro researcher in St. Louis.
“This would be the equivalent of a house being wide open, windows open, everything wide open,” Wilhoit said by phone Oct. 21. “We can literally move, create and modify existing boats, as well as boats that don’t even exist. Some nerd in a basement can do that.” Formal Review
Trend Micro wants to help secure the system and is working with U.S. government agencies to bring the matter before the International Maritime Organization, the United Nations agency that oversees shipping, Wilhoit said, declining to be more specific. The IMO can’t consider the issue until a member state or organization formally presents it for review, spokeswoman Natasha Brown said by phone from London Oct. 21, declining to comment further.
Since 2004, an IMO convention required all ships to carry automatic identification systems, known as AIS. As an international standard, the actual technology isn’t owned by anyone, much like the Internet. Ships carry transponders that communicate with shore-based antennae and satellites to report their identity, position, speed and status. Radio Interference
AIS isn’t meant to replace navigation systems such as radar, according to IMO regulations. Data are either transmitted automatically or manually entered by a ship’s captain. Authorities around the world who use the signals say they’re generally reliable : A 2011 study by the Lisbon-based European Maritime Safety Agency found that fewer than 3 percent of ships were signaling invalid identification numbers.
A disclaimer on marinetraffic.com says the site isn’t responsible for the underlying AIS data, which may be inaccurate or incomplete because of radio interference, weather conditions, incorrectly configured devices or negligent data entry by a vessel’s crew.
The signals are aggregated and made available on websites and through paid services such as IHS Inc.’s AISLive, which shows updates every three minutes from 70,000 vessels in more than 100 countries. While that’s useful for analysts, ship owners generally resent AIS because it weakens their ability to win higher rates by bluffing about vessel availability, said Peter Sand, an analyst at the Baltic and International Maritime Council, whose members control 65 percent of the global fleet.