Electronic Weapons: Who Spoofs Who


July 25, 2021: In mid-2021 there were more incidents involving manipulation of shipboard location devices, which no one is taking credit for. This time it was in the Black Sea, where NATO warships from several countries had assembled for joint training exercises with Ukrainian naval forces. Ukraine is not yet a NATO member but would like to be and joint training like this makes it easier to get in, especially when Russia violently opposes it.

The Black Sea location signal manipulation involved the AIS (Automated Identification System) ship tracker transponders on three destroyers (British, Dutch and American) docked in the Ukrainian port of Odessa. One day, the AIS transponders on the British and Dutch destroyers suddenly switched from showing where they actually were (Odessa) to a location at sea near the Russian naval base on the nearby Crimean Peninsula. Then, just as suddenly, AIS showed the two destroyers back where everyone nearby could see them, tied up at a dock in Odessa. A week later the same thing happened to the U.S. destroyer docked in Odessa. No one will take credit for the AIS signal manipulation, which is known as spoofing. This involves using EW (Electronic Warfare) equipment designed to jam or modify AIS signals that are transmitted to a space satellite that shares that location signal with all AIS users as well as anyone via several websites that carry such information. Russia and China took the lead in developing ways to spoof AIS signals and Iran was the first country to widely use AIS signal manipulation on a wide scale to support smuggling activities.

Russia apparently took the lead in developing EW jammers capable of inserting false location signals in AIS or GPS data sent worldwide via orbiting satellites. Russia was discovered using this regularly to hide the true location of senior officials and military units on land. You don’t have to be an intel agency to notice GPS location data suddenly moving many, even hundreds, of kilometers. Intel agencies, and some commercial or non-profit organizations do monitor these signals regularly and on a large scale to detect where and when spoofing takes place. What most nations do not share is their techniques for spoofing and resisting spoofing. Which brings us back to the recent Black Sea incident; who spoofed who and how. The NATO ships could have been testing new equipment to simply send false location data via AIS (technically illegal) or new Russia techniques to spoof the AIS on an individual ship docked in a port crowded with AIS equipped ships. It’s a mystery that will eventually be solved and made public.

AIS was originally developed as a local (non-satellite communications) system that made it easier for ships at sea to detect each other, especially at night or in bad weather. This local AIS was rapidly adopted by most large commercial vessels in the 1990s. AIS is essentially an automatic radio beacon (transponder) that, when it receives a signal from a nearby AIS equipped ship, responds with the ship's identity, course, and speed. This is meant to enable AIS ships to avoid collisions. The original non-satellite comms AIS only had a range of 20-35 kilometers but by 2006 space satellites were developed that could track AIS transmissions worldwide. Commercial ships have become very dependent on AIS, which greatly reduced collisions, and crew anxiety, at sea. After 2000 international agreements mandated ships larger than 300 tons, and all passenger ships, carry and use AIS at all times.

All warships were also equipped with AIS as a safety measure when operating near ports or commercial shipping lanes. Until 2017 it had been U.S. Navy policy to have some ships turn off their AIS transmissions and just receive those transmissions. This policy was changed in 2017 after several collisions or near-misses between navy ships travelling in bad weather or at night in areas where there was heavy commercial traffic. Navy bridge crews were supposed to be especially alert in situations like this but often were not experienced enough to handle the situation where their AIS presence was known to nearby ships that had their AIS in send/receive mode.

During wartime navy ships would have AIS turned off but a decade ago Russia and China, followed by NATO nations experimented with ways to manipulate AIS signals and detect when others were doing so. While AIS made it practical to track all high seas commercial traffic, it was also exploited by smugglers and pirates. Some ships traveled (in violation of international law) with AIS and other trackers turned off. Usually, only criminals turned these devices off, and this was often discovered when navies spotted one of these silent (AIS not broadcasting) ships at sea. It didn’t take long for some intelligence agencies, especially those with ocean surveillance space satellites and lots of ships and subs at sea, to exploit the “silent AIS” ploy to create better ways to track smugglers by noting when some ships turn off their trackers and then turn them on again as they are about to enter a port or some other area where AIS use is mandatory and enforceable. Some nations, like Iran and North Korea, have tankers and cargo ships that are frequently found “running dark.” Naturally, intelligence agencies developed methods to take advantage of this and a growing number of smugglers, usually North Korean, are detected and tracked because of AIS manipulation. Iran had an easier time concealing arms smuggling because they could use smaller ships. Actually, for getting arms to Shia rebels in Yemen Iran used a lot of small ships that are not required to use AIS. These could be, and were, tracked by satellite but it was more difficult.

Before AIS came along most large ships carried (and some still carry) INMARSAT, which enables shipping companies to keep track of their vessels, no matter where they are on the planet. INMARSAT became available in the 1980s and uses a system of satellites which transmit AIS-like signals to anywhere on the oceans. It only costs a few cents to send an INMARSAT signal similar to an SMS text message to one of your ships, and a few cents more to receive a reply. The trackers and satellite-based navigation systems in general soon proved invaluable by preventing collisions or running into reefs, rocks, or (in bad weather) coastline.

Back in 2012, Iran was caught hacking AIS signals. Iran was sending false AIS signals to assist its smuggling operations. After 2012 security researchers found even more ways to hack AIS and called for changes in the AIS software to make it more difficult to spoof. Iran keeps working on new spoofing methods and has the technical people and tools to do so.

All ships now use GPS coordinates to record location and constantly report that back to the home office. GPS is standard with AIS equipment that uses satellite links to send its signal worldwide. Iran exploited this by having two of its ships trade INMARSAT IDs while they were near each other, leaving the U.S., or anyone else checking INMARSAT data, unable to track ships that have been switched. Well, for a while at least. Once the intel people caught onto this scam, they developed ways to counter it. This is very much a matter of move and counter-move when it comes to exploiting or creating AIS vulnerabilities.




Help Keep Us From Drying Up

We need your help! Our subscription base has slowly been dwindling.

Each month we count on your contributions. You can support us in the following ways:

  1. Make sure you spread the word about us. Two ways to do that are to like us on Facebook and follow us on Twitter.
  2. Subscribe to our daily newsletter. We’ll send the news to your email box, and you don’t have to come to the site unless you want to read columns or see photos.
  3. You can contribute to the health of StrategyPage.
Subscribe   Contribute   Close