Information Warfare: The Mysterious Maritime Mass Spoofer


August 23, 2021: Over the last few years there have been increasing incidents of tampering with AIS (Automated Identification System) ship tracker transponders. After 2000 a series of international agreements treaties mandated that all ships larger than 300 tons, and all passenger ships, must carry and use AIS at all times. This has saved lives by preventing collisions and other navigation mishaps. Now there is a growing problem with commercial and military ships having their AIS data deliberately tampered with. A player in this game of AIS deception was recently discovered but no one knows who it is or why they are generating hundreds of false AIS signals each year. Most of these falsifications involve NATO warships, including two surfaced submarines. The most likely culprit is Russia, because the Russians have pioneered developing methods of faking satellite-based location systems and hacking the signals going to or coming from these GPS-type navigation services. AIS is different in that the signals are not encrypted and relatively easy to spoof (fake). Not all AIS signals are transmitted to satellites. For AIS users close to a major port, there are local ground-based receivers to gather AIS data and provide port authorities and offshore ships with a real-time picture of what ships are nearby, who they are and their current movements. Like all faked AIS signals the incidents of fraud can be detected via time-stamped commercial satellite photos and cell-phone photos and videos. AIS researchers found an easier way to discover the faked AIS data by examining the detailed AIS data logs. These provide a lot more information that most AIS users never use. By comparing the log detail data with the confirmed cases of AIS spoofing it was obvious that the fake signals were generated by an AIS software simulator that sent fake AIS positions from ground-based AIM receivers which in turn made that available to anyone, including several websites that provide current AIS positions of ships. This data is also used by navies and coast guards to note which commercial and military ships are operating close to their territorial waters, as in everything 22 kilometers from the coast. This has caused incidents where Russia has threatened to fire on intruding foreign warships that won’t respond to radio warnings. These hostile warships were not yet within visual or radar range and when visual confirmation was sought the intruders could never be found because they were actually in a port or at sea hundreds of kilometers from their fake AIS position.

AIS was originally developed as a local (non-satellite communications) system that made it easier for ships at sea to detect each other, especially at night or in bad weather. This local AIS was rapidly adopted by most large commercial vessels in the 1990s. AIS is essentially an automatic radio beacon (transponder) that, when it receives a signal from a nearby AIS equipped ship, responds with its own identity, course, and speed. This is meant to enable AIS equipped ships to avoid collisions with each other or natural obstacles. The original non-satellite AIS only had a range of 20-35 kilometers but by 2006 space satellites were developed that could receive and distribute AIS transmissions worldwide, especially on the high seas, out of range of the land based AIS data collection and distribution equipment Commercial ships have become very dependent on AIS, which greatly reduced collisions and crew anxiety while on the open ocean.

No one will take credit for the recent AIS signal manipulation, but it is known who possesses EW (Electronic Warfare) equipment designed to jam or modify AIS signals that are transmitted to a space satellite. Russia and China took the lead in developing ways to spoof AIS signals and Iran was the first country to widely use AIS signal manipulation on a wide scale to support smuggling activities.

Russia was discovered using this spoofing regularly to hide the true location of senior officials and military units on land. You don’t have to be an intel agency to notice GPS location data suddenly moving many, even hundreds, of kilometers. Intel agencies, and some commercial or non-profit organizations do monitor these signals regularly and on a large scale to detect where and when spoofing takes place. What most nations do not share is their techniques for spoofing and resisting spoofing.

All warships are equipped with AIS as a safety measure when operating near ports or commercial shipping lanes. Until 2017 it had been U.S. Navy policy to have some ships turn off their AIS transmissions and just receive those transmissions. This policy was changed in 2017 after several collisions or near-misses between navy ships travelling in bad weather or at night in areas where there was heavy commercial traffic. Navy bridge crews were supposed to be especially alert in situations like this but often were not experienced enough to handle the situation where their AIS presence was known to nearby ships that had their AIS in send/receive mode.

During wartime navy ships would have AIS turned off but a decade ago Russia and China, followed by NATO nations, experimented with ways to manipulate AIS signals and detect when others were doing so. While AIS made it practical to track all high seas commercial traffic, it was also exploited by smugglers and pirates. Some ships traveled, in violation of international law, with AIS and other trackers turned off. Usually, only criminals turned these devices off, and this was often discovered when navies spotted one of these silent (AIS not broadcasting) ships at sea. It didn’t take long for some intelligence agencies, especially those with ocean surveillance space satellites and lots of ships and subs at sea, to exploit the “silent AIS” ploy to create better ways to track smugglers by noting when some ships turn off their trackers and then turn them on again as they are about to enter a port or some other area where AIS use is mandatory and enforceable. Some nations, like Iran and North Korea, have tankers and cargo ships that are frequently found “running dark.” Naturally, intelligence agencies developed methods to take advantage of this and a growing number of smugglers, usually North Korean, are detected and tracked because of AIS manipulation. Iran had an easier time concealing arms smuggling because they could use smaller ships. Actually, for getting arms to Shia rebels in Yemen, Iran used a lot of small ships that are not required to use AIS. These could be, and were, tracked by satellite but it was more difficult.

Before AIS came along most large ships carried (and some still carry) INMARSAT, which enables shipping companies to keep track of their vessels, no matter where they are on the planet. INMARSAT became available in the 1980s and uses a system of satellites which transmit AIS-like signals to anywhere on the oceans. It only costs a few cents to send an INMARSAT signal similar to an SMS text message to one of your ships, and a few cents more to receive a reply. The trackers and satellite-based navigation systems in general soon proved invaluable by preventing collisions or running into reefs, rocks, or (in bad weather) coastlines.

All ships now use GPS coordinates to record location and constantly report that back to the home office. GPS is standard with AIS equipment that uses satellite links to send its signal worldwide. Iran exploited this by having two of its ships trade INMARSAT IDs while they were near each other, leaving the U.S., or anyone else checking INMARSAT data, unable to track ships that have been switched. Well, for a while at least. Once the intel people caught onto this scam, they developed ways to counter it. This is very much a matter of move and counter-move when it comes to exploiting or creating AIS vulnerabilities.

There have been proposals to add a unique identifier code to AIS users, which would make it more difficult but not impossible to spoof AIM data. Encryption is another, more expensive and difficult to implement option. If nothing else the growing spoofing and hacking of AIS signals may lead to international agreements on AIS use to make the signals more difficult to hack.




Help Keep Us From Drying Up

We need your help! Our subscription base has slowly been dwindling.

Each month we count on your contributions. You can support us in the following ways:

  1. Make sure you spread the word about us. Two ways to do that are to like us on Facebook and follow us on Twitter.
  2. Subscribe to our daily newsletter. We’ll send the news to your email box, and you don’t have to come to the site unless you want to read columns or see photos.
  3. You can contribute to the health of StrategyPage.
Subscribe   Contribute   Close