Kessler again. Let me share my screen here, and I'm going to start to go again; just in case, I'm going to share the whole screen. I never know where I'm going to end up. Let me go there. I'm not showing here again. Oh well, of course it is. Okay, so first of all, welcome to this session. I'd like to talk about global navigation satellite systems and automatic ID system spoofing. A lot of this has been in the news, certainly for a couple of years. I mean, none of this that I'm going to talk about, well, most of it, is not branded, but I want to talk a little bit about GPS spoofing and then evolve that into AIS spoofing as well. So, an integrated nav system on a boat: I've been fortunate enough to be able to walk through some really big boats, although I spend most of my time on pretty small boats. The key issue that I want to say, and this is not going to come as a surprise to any of you, is that GPS plays a big role in the situational awareness for a boat: on their chart display, on their chart radar, then just knowing where they are relative to other things. Of course AIS is huge in understanding, not only just seeing that there's a target out there, but knowing something about the target, which is information that radar of course won't give you, can't give you. And then AIS itself, of course, and everything in the integrated nav system pulling together all of your chart downloads, your chart updates (by the way, these are hacking vectors), all of the sensors on a boat, so that you can be producing your own messages giving situational awareness. Anyway, the whole point is that GPS and AIS are highly intertwined. Now again, I'm going to assume that most of you are familiar with at least part of this, but just in case: there are four major global navigation satellite systems. There's BeiDou in China, Galileo is the European Union's, GLONASS in Russia, and of course our GPS. There are a couple of regional systems: India has something called NavIC, Japan has something called QZSS.
All of these systems use medium earth orbit satellites, and they're only using different constellations. And, as this chart is trying to show, or at least give you an idea, you can see that the four GNSS satellites are at different altitudes from the earth, and then of course their orbital circumference as well. The periods for the different satellite networks range from 11 to 14 hours for one cycle, but one of the keys is also: look how far away they are. I mean, you're talking 12 to 15,000 miles. Now the only comment I want to make about that, this is sort of obvious but I'll make it later, is that the signal strength that is coming from a satellite 15,000 miles away is not terribly strong once it gets to the earth. That would be an important part when we think about jamming. So when we talk about GNSS systems we always talk about the space segment, the control segment, and the user segment. The space segment is of course the satellites themselves. The user segment is the user equipment, so here we've got, well, this happens to be a GPS antenna, but any GNSS system would work. So I've got a GNSS antenna connected to a GNSS receiver and display; the GNSS information might now be connected to other devices in the integrated nav system, and we'll talk about that. And then we've got the control segment, and the control segment of course is stuff that we as users don't really have much to do with, but here's where you have the master control stations. You have a variety of ground antennas, a whole bunch of monitoring and tracking stations, but this is what is managed by, well, currently, if it's GPS, it's managed by US Space Force. So what this slide is talking about is this: if you've played around with GPS, and particularly with any GPS app that tells you how many satellites you're seeing and all those kinds of things, the GPS constellation for example requires only 24 satellites to be operational. We have 30.
The extra six are basically backup in case one of the other ones fails. For you to get a fix you need to be able to see at least four of them. So global nav systems all work by using trilateration. So I have my receiver and I can figure out how far I am from three of the satellites, and if I can figure out how far and at what angle I am from the three satellites I can trilaterate; that's probably not really a word. I can triangulate my position based on that. So it's basically passive range finding, and so here's the next point that I just made earlier. These signals are being sent down at 50 watts. They are minuscule, hardly measurable, when they hit the earth. This is why GPS jamming is very simple to accomplish. All I need is a signal on the right frequency, even a few watts, and I can blast out the GPS signal. It's also trivial to detect when GPS jamming is being used. So if you want to do surreptitious GPS jamming you have a slightly harder problem, and well, that's not why I'm here, but in any case GPS transmits in the ultra high frequency band. GPS in particular, and actually GLONASS as well, use the L band, and all of the satellites are sharing the same frequency. They're doing it with code-division multiple access. We'll talk about CDMA in just a second. And the way in which you can differentiate the different satellite transmissions is because each satellite is assigned what's called a pseudo-random noise sequence. It's just a pseudo-random set of zeros and ones. Each satellite has its own PRN code. We know what the PRN codes are, so when you're receiving a signal you can detect the PRN code and you know what satellite is communicating to you. Now as a side note of history, I would like to point out that CDMA actually is an old idea. It was invented in the early 1940s by a musician named George Antheil and the actress Hedy Lamarr.
Hedy Lamarr was responsible for a bunch of interesting inventions, but they developed this for the Navy because, you may or may not know if you read some early World War II history, US Navy torpedoes mostly missed their target, and even a large number of them that hit the target didn't explode. In any case they offered this up for free to the Navy. The Navy did not take them up on it for a couple of decades, but in any case today we see CDMA used in Bluetooth, mobile phones, and GPS. Anyway, I said before that for us to get a position we need four satellites, so one of the problems with global nav systems is that all of the satellites have on board a cesium clock. Your GPS receiver does not, so there is some clock bias. So if you really try to laterate with just three satellites, which is really all you need, you're going to have an error of about a mile. By reducing or eliminating the clock bias, which is why you need the fourth satellite, to be able to correct that drift, you can get your error down to about three feet, which is why we get some very, very precise measurements with GPS. So I mentioned GPS is now managed by US Space Force. It started as a Navy and Air Force project in the late 60s; it was managed by the Air Force until the US Space Force took it over, I believe last year. The first satellite wasn't launched until '78; we didn't have operational GPS in the civilian community until sometime in the 90s, and originally civilian GPS was degraded, and it was degraded in accuracy compared to military, because what they would do is they would introduce timing errors. So remember back here I said if you don't correct your timing bias you can have some big errors; well, that's exactly what they did.
In 2000, which still would have been the Clinton administration, there was an executive order that basically said this so-called selective availability is no longer going to be in civilian GPS, and even though the military wanted it, the president said no. But there are basically today still two services: there's the standard positioning service, and there's the precise positioning service for military. SPS is for civilians; we still have pretty good granularity, but selective availability could make the SPS service degrade. But since we have no selective availability anymore, the SPS and PPS pretty much are equal in terms of service. The difference between the two today is that PPS is encrypted and SPS is not, so we'll come back to that later on. Anyway, I already mentioned with GPS we've got 31 satellites, we need 24, we get 95% uptime, and each of the satellites has an orbital period of like 11 hours and 59 minutes, so we get about two orbits per day. Now a GPS transmission, and this I'm really just giving you for a little bit of interest: a GPS satellite is transmitting what's called a navigation message. A navigation message has, as it says here, 37 and a half thousand bits; we're transmitting at 50 bits per second; it takes about 12 and a half minutes for the entire message to hit the ground receiver. Now in the message we have the date and time, GPS date and time; we have information about this particular transmitting satellite, namely its status and health and all that kind of stuff, as well as what's called ephemeris information, so the position and velocity of the satellite, because if I'm going to measure my distance from me to the satellite I need to know exactly where the satellite is, oh, by the way, and how fast it's moving, because that's going to impact how quickly I'm seeing the signal; a little error, but it's in there. And then there's something called the almanac. The almanac has gross ephemeris data for all of the GPS satellites.
Now the usefulness for that is this: when you flip on your GPS receiver it takes a couple of seconds to figure out where you are. Well, that's because it took a couple of seconds to find and interpret the data from the first satellite, but as it sees the almanac it can figure out where all the other, at least visible, satellites are going to be, and it's getting enough information from enough satellites that it can quickly find other satellites to ping off of. This is also why sometimes you'll get a satellite fix that'll show you someplace, and a couple of seconds later all of a sudden it changes, because again you were sort of getting a gross idea of where you were, but there may have been some error, and then as it gets all of the communication to all the satellites it gets in a slightly better position. Just FYI, GLONASS does a similar thing; their messages are only 7,500 bits, also at 50 bits per second; they carry pretty much the same kind of information. The data for the sending satellite is very specific, and then it has what it calls non-immediate data; basically that's the almanac for everything else. I've already mentioned the L-band, so, you're a techie group, so I'll say a couple of techie things to you. If I am a satellite that's transmitting, I'm going to be transmitting on whatever carrier frequency I have, so the L1 band. I actually didn't include the frequencies, I'm not sure why, but the L1 band is whatever frequency it is. So what I'm going to do is I'm going to modulate my transmission on that carrier frequency by combining the nav message and exclusive-ORing it with my PRN code. Now since the PRN code is unique to a satellite, I can extract the PRN code because the format for the nav message, I know that, so now it's merely a matter of, like I said, I can extract the PRN information. Now I already mentioned before that there were the two services: there was the standard service, unencrypted, for civilians, and the precision service for military, that was encrypted.
Well, one satellite is sending both signals at the same time, and what they do is they send the precise positioning service, the encrypted military service, 90 degrees out of phase with the civilian service. So again, all of that is happening on the same channel, and there's some additional things you need for the PPS. This precision code that I mentioned here just provides some better interference protection and spoofing resistance. I mean, it's very, very hard to spoof military GPS because you have to spoof an encrypted message, and it is unlikely that you're going to do that. Anyway, there's also the L2 band; it was originally designed for military use only and encrypted applications; it's now being opened up for civilian use. They're also starting to use an L5 band, which is now going to be a third channel for civilian use on GPS. I don't think I need to tell you why GPS is important. Obviously we need it for ships, all sorts of things on ships; we need it for aids to navigation; we need it for ports; we need it for vessel traffic management. So like I said, I'm not going to beat you up too much on the importance of GPS. I will observe, however, that when we talk about GPS spoofing, GPS jamming, and all that kind of stuff, one of the things that doesn't get talked about enough, in my view, is the importance of GPS to timing. There are a lot of devices on earth that get their timing from GPS satellites. For example, all digital telecommunications networks, including North American mobile phones and digital telecom carriers, are basically working off of the same clock; power grids need timing; some of the network time protocol servers on the internet. Anyway, the point is that if I can disrupt timing signals coming from GPS, then that also is another attack vector on the entire GNSS system. Even though I might be getting what I believe are accurate records of where I am, I can still be screwing up the timing. The second bullet item actually has a lot here: a one nanosecond timing error can cause
a one-foot positioning error. Now as a mere aside to this, many of you may know who Grace Murray Hopper was. Grace Murray Hopper, when she was still on active duty as an admiral in the late 1970s, I had the joy to see one of her talks; I got to drive her around Vermont for a day; that was really cool. She would always go to her lectures and say, you know, back in the day, well, she didn't use that expression, but back in the 50s programmers were always trying to save nanoseconds. One day I went to one of the engineers and I said, what is a nanosecond? And he looked at me, then he pulled out a piece of wire, he cut off 11.8 inches and handed me the wire and says, that's how far light travels in a nanosecond. So she would go to all of her lectures carrying around a whole crapload of nanoseconds, and she'd hand out pieces of wire to people. In any case, I remember that lecture from 40 years ago, I think it was only 40 years ago, in any case. But that tells a lot: a nanosecond puts me off by a foot. If I can cause there to be a hundred nanosecond error, or a microsecond error, we can cause people to be way far off from where they want to be. In any case, GPS jamming has been around for a while. We started to hear about this publicly really probably about four or five years ago. There was one really famous case where, well, the Newark airport was testing its automatic landing system. They had a plane coming in on automatic landing, and they lost their GPS signal. So it happened because there was a truck driver who was taking a break, didn't want his bosses to know where he was, so he bought a GPS jammer so that his truck wouldn't broadcast the GPS signal. Anyway, they eventually found him, but the fact is GPS jamming is relatively easy to do. It is totally illegal, but you can still buy GPS jammers. And in any case, the advice from Coast Guard, you know, the trust but verify: if you don't have your GPS data, know how to read your chart, use your
binoculars, all that kind of stuff. But really what I want to talk about is GPS spoofing. The first real public story about GPS spoofing came out also about six years ago. A group from the University of Texas at Austin spoofed the GPS signals on a yacht called the White Rose of Drachs in the Mediterranean Sea, and I'm going to show you a one and a half minute video. But basically what happened was, using totally COTS equipment, they built themselves a GPS transmitter. They put the attacker on the boat; the boat crew knew that something was going to happen, they just didn't know what. And the attacker slowly started sending increasingly powerful GPS signals until it overwhelmed the boat's GPS receiver, and then they drove the boat off course, and then the crew dutifully put the boat back on course, which of course drove it off course. So with that teaser, let me give you a one minute and 37 second video. I'll try to make my volume loud enough so that you can hear it.

[Video narration] Southern coast of Italy, June 2013. A 65-meter super yacht and her crew were part of an unprecedented experiment led by the University of Texas at Austin that successfully coerced the vessel off course using a custom-made GPS spoofing device. 30 miles from land, the crew's sense of the ship's location is based entirely on civil GPS signals broadcast from orbiting satellites. A student serving as the attacker commands the spoofing device to transmit faint counterfeit signals towards the ship's antennas. The attacker increases the power of the spoofing signals until they are stronger than the satellite signals, gaining control of the ship's navigation system. The takeover is stealthy; no alarms are triggered. Once in control, the attacker initiates a three-degree change to the ship's course. The ship's navigation system reports that the vessel is drifting slowly to the left. The false location is represented here by the ghost ship. The crew applies a course correction to bring the ghost ship back onto the intended path. In reality,
the ship is now on the attacker's course. So, pretty cool, huh? So armed with that, I'm going to show you some other case studies, but I'm really not going to tell you every case study that I know about. What I'm trying to do is show you the escalation in GPS spoofing that's occurred over the years. So in the University of Texas case, what they did is they spoofed one vessel to go off course. In 2017 there was a mass GPS spoofing event in the Black Sea, and what happened was, this was reported by the master of a vessel called the Atria, and Atria was parked off the coast of Russia, and all of a sudden his GPS and AIS told him that he was in the middle of an airport. Now, and oh, by the way, his closest point of approach alarm notifications on his AIS devices were going crazy, because he was now also being told by his AIS equipment that you're less than 100 meters from 19 other ships. Now the captain is no fool; he goes out to his bridge, looks around, and says, yeah, I'm in the water and there are no other ships in sight. But here is showing where he was: that's the ship's position on the bottom, and up above is showing the GPS coordinates of where, well, his GPS device was telling him where he was, again in the middle of an airport. Now one of the interesting things that's worth noting on this is, on this GPS display over on the right, you can see it's identifying all these satellites and they're all coming in with the same power, which is unusual, because you've got six GPS satellites; they're not all the same distance from you; all the power shouldn't be the same. In any case, in 2018 we start to get reports of constant GPS issues in the eastern Med and some in the Red Sea. This continues into 2019: throughout the Med people are finding GPS issues, GPS is going out, ships are finding themselves being told they're in entirely different locations. And so last year, about a year and a quarter ago, a place called the Center for Advanced Defense Studies put out a
report called Above Us Only Stars. It is really, really an interesting report, and it basically talks about how Russia has been manipulating GNSS signals for at least the last four years, and they show a bunch of examples of vessels thinking that they're docked in the water and yet actually being, or the GPS telling them that they're at an airport, usually it's a nearby airport. And it's been a real interesting, it's a very, very interesting read, because particularly now, if you read some of the more current literature, they're talking about, well, it's not just Russia; China is doing the same thing; North Korea is doing the same thing. And obviously spoofing is a problem. Four years ago spoofing was something that a nation state could pull off. Increasingly, GNSS spoofing technology is becoming such that a terrorist group can use this, criminal gangs can use this, lone operators can use this. So I mean, this is a big issue right now, for, well, all the obvious reasons. So one case study that's worth mentioning, some of you may know about this, this was about a year ago: the tanker Stena Impero, that's a British ship, was seized by the Iranians. Now the suspicion was that the Iranians seized Stena Impero because the Brits had seized an Iranian vessel in Gibraltar for violating some of the European Union sanctions. But in any case, when they went back and they looked at the AIS data, they saw, well, here was the path of Stena Impero, and it's going through the Strait of Hormuz, it's staying right down the middle where ships are supposed to stay, and then all of a sudden it turns north and starts to go into Iranian waters, where it was seized for violating their waters. And there has been a lot of talk and a lot of ink spread about the fact that they believe that this was a GPS spoof that caused the ship to go off course. But more interesting is what happened, or at least started to be reported last year, in the port
of Shanghai. So all of the spoofing so far has been directed either at a single vessel or at a group of vessels, placing them all in the same place. So what happened in the port of Shanghai, and it's really interesting to read this: we have this vessel Manukai, and he's going up the river, and he's checking his ECDIS, and the AIS is reporting that there's a ship at a berth that's in the channel making seven knots. Then all of a sudden it disappeared, and then all of a sudden it was back at the dock, then it was now underway at a variety of different speeds, then it disappeared, and this pattern continued over and over. Now again, the master of the vessel is no fool; goes out to the bridge, looks with his binoculars, and says, yeah, that other vessel has never left the dock. And so when some analysis was done of the spoofing events that had been going on in the port of Shanghai, what they found was that multiple vessels had been spoofed simultaneously to be in multiple locations. One vessel was in multiple locations, but all of the different ships were in different locations, and that was actually really hard to pull off. And then when they looked at the collection and intensity, they found that, as it says here, this crop circle: they found that the most reported spoofed location came out in these circles. And it hasn't been just Shanghai. Earlier, or late last year, we started to hear about circle spoofing in Iran. This is Tehran, where some ships out at the harbor were all finding themselves in downtown Tehran. And one of the most interesting things that was recently reported was a whole bunch of circle spoofing in the area of Point Reyes near San Francisco and up the west coast of California, and you'll notice we have all these different circle spoofs here. And what's really interesting about this is, in all the previous circle spoofing, the boats having their GPS spoofed in Shanghai were at least in Shanghai. The west coast spoofing happened over a whole bunch of dates,
but the ships were actually in a whole different hemisphere, and yet their GPS was putting them off the coast of California, off the west coast of Canada, up near Alaska. Really, really interesting stuff. I say interesting in an intellectual way and an academic way; it's actually horrifyingly bad if you're on that vessel. Now you can spoof GPS without actually having a GPS device. So again, Eric Raymond has a really cool site where, if you go to it, I'm going to try to get over there, this page called NMEA Revealed talks about all the different NMEA messages that you can associate with GPS. So I'm going to leave that there for now, but in any case the point is you can get to all these things. At the bottom there I have an example of a GPS message. The GP says that the talker, the device that you're communicating with, is a GPS device; the GLL is a particular type of message, this is the geographic position message; and then you can see all the other information that's here. I've got my latitude, 29 degrees 11.585 minutes north; here's my longitude; here's the UTC time when this fix was taken; this thing here is a checksum. This message is a GPS fix; it just has slightly more information. But the point is it's pretty easy to download code that can generate these messages for you. In fact it's easy enough, oh, hang on, I'm not sure what just broke there. Okay, well, this appears to still be there, and to get back, hopefully you're all still seeing the PowerPoint. Anyway, you can create these messages relatively simply, and then there are all sorts of ways you can use something like a software defined radio to poke this stuff out on the L1 frequency, which I happen to give you here, and again a ton of open source tools are available to do this. Now there are a number of ways in which spoofing can be mitigated, because I don't want to leave you with the impression
that, oh, GPS is going to hell now. First of all, and this is starting to be built into a lot of receivers, is you can detect the signal distortion at the instant when the bogus signal overpowers the legitimate message; it turns out there are some blips if the spoofer doesn't do this right. The other thing is, when you're getting GPS signals from X number of satellites, they're coming from X directions; most spoofing comes in from a single direction. Even if it comes in from multiple directions, you can see that all of a sudden I have a new signal and it's not coming from where I'm expecting it to have been coming from. The other thing is the spoofed signals won't have the encrypted military signal on them, so one thing that people are starting to do is they're starting to correlate the encrypted signal to be sure that it is an authentic encrypted signal. Now my receiver can't interpret the military signal, but at least I can tell if it's legit. And then of course more and more GNSS receivers on the big boats are monitoring multiple constellations, so if I think that GPS isn't working I can switch over to, you know, GLONASS. Now it turns out there's a report that just came out that said that U-2 pilots currently are reportedly using watches that have all four constellations, and the Raymarine GA150 unit I just mentioned, because I found it as an example, has a built-in GPS/GLONASS receiver, so it's using both constellations. Now I really wanted to talk about AIS, so that gets me here. But AIS doesn't work without GPS, although there are ways that I can spoof AIS and I don't even have to worry about GPS. So I've already mentioned AIS, or we've already talked about automatic ID system; it is a situational awareness system for ships. It provides a way that ships can identify who they are, in some cases what their cargo is, what type of vessel they are, their position, speed, heading, destination, all that kind of stuff. It also means that maritime authorities can track
the vessels that are coming within their areas of responsibility; ports can track vessels coming into their port, etc., etc. Now there are rules about who is required to carry AIS, and this page is trying to give you some idea of those. You can get the idea that AIS is required on big vessels, which probably doesn't come as a surprise to anybody. There is a warship exemption, which I'm not going to worry too much about, but in any case the point is big ships and/or ships with a lot of passengers all need to be broadcasting their AIS information. So here is just an example of an ECDIS display that you might see on a boat, and again you've got all your targets here, at least all the targets that are broadcasting, and you can click on them and they're going to show you whatever information they're going to show you. I use a program called OpenCPN; if you were in my last talk you saw that there. I'm going to actually get rid of this right now because I don't care. But right now I'm getting information off the area of Daytona Beach. So for example, right here I have a vessel, oh, the Hoegh Detroit, that is a new one for me, anyway, another ship from Norway. And so right now I'm getting the fact that, okay, its destination is Jacksonville, which of course is north of us by about 90 miles from where they are, yeah, probably about 100 or so miles from where they are, and their ETA is to get there tomorrow morning at 0700 UTC. Here's their speed, their course, their heading; they're going in a straight line; and here's the size of the vessel, so this is no small vessel. Over here I've got another vessel as well, the Charles A; that one's new, at least I haven't seen it recently. Same kind of thing here: we have a tug, and it's actually towing astern; we get that a lot; we have seagoing barges up here, so getting a tug towing something is not unusual. This one's going to New York; don't know where it came from, and it says it's going to get there in June
19th. Yeah, okay, so all the information that you see on AIS may not be 100% accurate, because I don't think they're going to take another year to get where they're going. But in any case, you take what you can get. Here we're actually seeing it report its rate of turn; it's turning at least five degrees per 30 seconds to port. So this can be useful information as well. In any case, I told you that so I can tell you some other stuff that I'm going to show you here. So in any case, the AIS communication protocol largely uses something called self-organizing time division multiple access, which is a little bit of a mouthful, but basically you're broadcasting in what you consider to be your time slot, and you make reservations for other time slots. Every vessel that can hear you hears your time slot reservations. Usually you're only talking to other vessels that are within about a 10 or 15 mile range. I mentioned here on the page that there's a bunch of protocols from the National Marine Electronics Association; 0183 is the most common one that we're going to see over the years. This protocol has been around since about 1986, and then NMEA 2000 has been around for about 20 years, and the OneNet protocol is brand new, and I thought I had some additional information on that but I don't right here. In any case, if you want to know more about AIS you can also read these ITU-R recommendations, and you can download those online. Now the folks at Trend Micro, a team led by a fellow named Marco Balduzzi, actually have published stuff, and he's spoken probably at DEF CONs or Black Hats about issues with AIS, and he's been talking about this for seven years. But there are four main vulnerabilities with the AIS protocol that are important that I want to address. One of them is lack of message integrity, and the lack of message integrity being that when you get a message you don't actually know that that was the
message that was sent by the other person. So it is theoretically possible, although very difficult, and I would argue maybe even unnecessary, but it is theoretically possible that some ship will transmit a message and another vessel could overwrite a portion of the message. But in any case, there's no way to prove that the message you receive is the message that was transmitted. There's also no timing integrity, so when you receive a message you're receiving it obviously in real time; you don't actually know when the message was sent. There is no authentication, meaning that when you get a message purporting to come from a particular vessel, you have no way of knowing that it really came from that vessel. And there's also no validity check, namely if a vessel says I am located at the following lat and long, there's no way to prove that they're really at that lat and long. Now if we compromise AIS communications I can do all sorts of weird things. I can create fake ... that now other ships are going to respond to; I can trigger false SOSs, search and rescue messages, collision alerts, closest point of approach alerts, bogus weather information that might cause you to deviate when you don't have to deviate. Why would I want to do that? Well, I'm a pirate; I can only make it 30 miles offshore; you're 50 miles offshore; if I can somehow get you to deviate 20 miles closer to the coast, you're now within my range. So reasons such as that. So anyway, when you get the presentation you'll see I mentioned these again with a few more verbs. But again, there's other things you can do: by the way, you can create vessels that aren't real, ghost vessels; you can also do something called a frequency hopping attack; you can actually launch a denial of service attack on other vessels and basically either usurp all of the frequency, or you can cause them to just transmit in areas where nobody else is listening. This is also a picture that was a
little bit inspired by the Balduzzi group, just showing all the different vessels and their communication of AIS messages, and ways in which you can, or attack vectors that are possible. There are a lot of lines here in green; the green are RF-based threats. So there's a lot of ways that, if you can get yourself on the radio network, which is not hard to do, you can send out bogus information that is going to impact vessel traffic management, vessels at sea, and then of course there's other ways of doing it with just straight-out software.

Now, AIS is used to transmit information not only to the vessels in the local area, but there are a lot of services that gather this information, aggregate it, and then post it online. And so I just want to observe that the International Maritime Organization recognized 15 years ago that this information leakage potentially impacts safety at sea. I think they were right 15 years ago; I think today that horse has left the barn. So it's something that we need to deal with; I don't think it's something that we can stop doing. But as an example, this is MarineTraffic.com. It's one of many aggregator sites, and you can start to get an idea right here of, you know, all these vessels that are floating around the world right now. There's something on the order of 75,000 merchant cargo ships going around the world at any given point in time; they're all required to be broadcasting with AIS. This is the White Rose of Drachs. You may remember White Rose was the vessel that the University of Texas at Austin people used. On the date where I actually did this, they were in Monaco. Oh, by the way, there's a picture of the boat. Here's a fine ship. I took this screenshot, you know, about, well, it's a little over two, probably about two and a half years ago; Atria happened to be in Barcelona. You can do real-time tracking of vessels. These are vessels that are off of Titusville and Port Canaveral, and so not only am I
getting the vessel and information about the vessel, but I can see the track of the vessel, where it had been coming from. This is from VesselFinder.

Now, I talked in my last talk, and so I'll merely just mention it again: it's easy enough to build your own AIS receiver. There's a variety of tools to help you do that. I use the Raspberry Pi and dAISy HAT and bring in information that way, and then what you can do is display this information using any number of open source software. I happen to use OpenCPN; it is probably one of the more commonly used, but there's other software that can display this as well.

But really where I want to go is this. This is what an AIS message looks like. This is a particular type of AIS message that is being transmitted from another vessel, and I'm going to break this down just real quickly for you. So the exclamation point at the beginning says this is an NMEA 0183 message that has special encapsulation. The AI says this is an AIS message. The VDM is a VHF data link message, so this is a message coming in from an AIS device on another vessel; it's not your message going out, it's somebody else's coming in. So AIS messages are transmitted as a set of one or more sentences. So what this is telling me is that there are two sentences comprising this message; this is sentence number one, and this sentence has serial number zero. I need the serial number so that I can reassemble, right? Then I have an A telling me this is being broadcast on channel A, and then the rest of this gobbledygook, up until I get to the comma, is the encapsulated AIS message. The zero here tells me that I'm going to have to add no bits to get six-bit alignment, and then the 7B is the checksum. The second line says, well, two sentences, or two sentences in the message, this is sentence number two of serial number zero, on channel A, here's the message, we need two padding bits, here's the checksum of the second message. Anyway, this is a message type
five. It's called the ship static and voyage related data, and here's the information that we get. So here's the name of the ship, here's the type of cargo, here's the ship dimensions. This is actually telling me where's your AIS antenna, so this is how far from the bow, how far from the stern, how far from the port side, how far from the starboard side. Anyway, there's all this information, oh, and by the way, where it's going and what it drafts.

Here is some of the code that I've written, an AIS parser. This has taken in a different AIS message, but it's parsed it out the same way and is giving you a URL, so when you click on the latitude and longitude, up comes a map and shows you where this thing is. So I have a couple of tools that are on my website. One is called timestamp data; it's a program, and what timestamp data does is, if you point timestamp data at a TCP or UDP socket, IP address and a port number, it will take AIS data from there, put a timestamp on it and collect it into a file. You can then take that file and use a program called play AIS, also a program, and it will take the AIS data and put it out to a TCP or UDP socket. So I'm telling you that so I can tell you this: I'm not going to show you a video. What I'm going to do is this, and you guys will get to see this live. So this is Daytona Beach, more or less. Down here where this black boat is, it says Middle Island. This is Ponce de Leon Inlet. So we're on the east coast of the Atlantic, and you see we got all these boats here. I need to go around to my terminal window. I need to get to the right window here. That's timestamp; I don't want timestamp. Okay, so we got play AIS here. You would have thought that I would have set this up already, but I was playing around with it so much. What I'm going to do is I'm going to run a program, or run a file, and actually I'll let you see what the file says. All this is doing is it's play AIS, and it is going to replay a whole bunch of data. And if I show you
what this data looks like, I mean, all this is is a whole crapload of AIS data. Now, really what I want to do here is actually play this for you. So perhaps I was right there too. Here we are. Okay, so we're actually going to run this program, or run this shell script. Now I'm going to go back over here to OpenCPN, and what's going to happen is, right around here somewhere, watch closely, a vessel will appear. It will be called the Cfox. Yeah, live demos, don't you love them? Okay, so here is the Cfox, and that's the information we have on the Cfox. Now, the Cfox is a real ship. So is this ship that also magically appeared, Jupiter; they're also a real ship. But the difference is, I'm going to go back here for a second, see this data that's going out, well, let's ignore that, let's just look back up here. You see the date of the data, 2019/7/23. Those vessels are real, but they were there a year ago. So this is a classic replay attack. If you're a vessel relying on your AIS and all of a sudden you see a couple of ships appear that weren't there before, well, you're going to take certain action. Here's a ship called the Voyager; it's a sailboat, and to be honest with you, I don't remember whether that was there before, so I don't know if that's a real ship or a ship. Now, this is merely a demonstration of capability. I'm not actually transmitting this on the radio; I'm transmitting this from one end of my computer to the other. And one of the criticisms that I have sometimes gotten when I showed this demo is, well, you know, if you had radar, oh, you would know that that's not a real ship. And that may be true, but I've been on plenty of boats that don't have radar; they do have AIS. But I'm going to show you this instead. This is Ponce Inlet. Now, for those of you who are mariners, you understand the reds and the greens and all that kind of stuff. You also understand the difference between the dark blue and light blue, and in this case the dark blue is shallow water and the light blue is deep water. So
Ponce Inlet is dredged up here at the north side, and you'll notice if you look at the buoys, it's very clear, here's your number two buoy, and they want you coming in on the north side. So I have something else I want to show you, and let's see, well, here we go, let me see if I can just remember the name without embarrassing myself. So if we go back here, note we have a bunch of things just appearing. These are virtual AtoNs, virtual aids to navigation. This first virtual AtoN, which I have dutifully named PI for Ponce Inlet, is telling me that this is a preferred channel marker. Not only is it a preferred channel marker, but it's telling me that the preferred channel keeps this marker on my starboard side, meaning I want to come in this way. And now if you look at the triangles and the squares, it's telling me that my preferred channel brings me in right here, right into the shallow zone. If I do a target query on this, I'm going to see that this has an appropriate ID. It tells me that the Coast Guard put this out there, because the Coast Guard is the only authority in the United States that has, well, it's the only organization that has the authority to put out virtual AtoNs. But there's no authentication in AIS. So my observation here is: all the radar in the world isn't going to help, you know, because if you don't know this inlet, you don't have a chart, and you're not talking to anybody, and you're relying on your AIS, you just saw that this is the preferred way in, and that maybe somebody knows something that your chart doesn't, and you'll actually run out of water somewhere around here.

That is my, now I don't even know where anything is anymore, that is my demo of spoofing. So a couple things I want to say before I go over to Q&A. Here's a picture of my wife herding fish, because I'd like to give that as an analogy of these problems. Some of the stuff I've talked about is very, very real, and you can pick up the newspaper and read about it all the time.
Some of the problems, you know, some people pass off and say, well, that's theoretically possible, but... And, you know, there's a whole bunch of people in the community who have been taking the "well, that's theoretical" and making it practical for decades. I like this quote by Arthur C. Clarke: if an elderly but distinguished scientist says that something is possible, he's most certainly right; if he says it's impossible, he's very probably wrong. There's a lot of things that I can think of that are bad things that I could do. I may not be able to do them today, but the technology might catch up with me in the next couple years.

And the last thing I want to give is a quick analogy and story, and then I'll be mostly done. For those of you who are mariners, you recognize this lighting configuration, Rule 27(f). This is a minesweeper engaged in minesweeping activity. By the way, based on the red, white and green lights, it is aimed directly at you, which means you're already in the minefield. But the analogy that I really want to use is this: if you're in a minefield, what's your problem? Is your problem the threat of the mine, or is it the vulnerability of your ship to the explosion? And I ask that because, again, I'm going to give you a story out of early World War II history. During the Battle of the Atlantic, the Germans came up with the idea of a magnetic mine, so they planted magnetic mines in all sorts of places. The way a magnetic mine got tripped was that when a battleship, or any metal-hulled ship, went over it, it disrupted the Earth's magnetic field sufficiently so that the mine could deploy. The British figured that out. They then figured out a way to degauss all of their ships, and now they could go over magnetic mines and there was no problem. The point is, what they did was fix the vulnerability of the ship; that obviated the threat of the mine. So when we're talking about threats and vulnerabilities, we need to know which to go after. Basically, we can't stop all
the threats; we can find and fix our vulnerabilities.

In any case, here's some contact information. I'll leave that up for now. I'm going to go back to the beginning here, and we have some time for Q&A if people have some questions. There are questions from Twitch. Okay, I'm trying to find out where I can get my, oh, I think I've gone too far. I can get questions from aishex. If there are questions, I'm not sure the best way to get them to me, but feel free to get them to me. Let's see now, let's go back up here and see what we got.

Transmitting fake packets. Yeah, you can actually transmit fake packets, and I'm not a hundred percent sure what devices will do. If you're a legitimate ship, you send out your packet, it displays on the AIS, and then all of a sudden I send out a fake packet. I'm sorry, you send out the real packet, I follow up with a fake packet. My suspicion is that other vessels are going to display the latest information they got. You can in fact flood, you can flood the system, you can launch a denial of service on AIS. You can cause some ships to go blind, or get blinded, and only be transmitting to, effectively, where the attacker can see them. AIS is mostly TDMA, but it's not strictly TDMA because it's self-organizing.

So let's see, I'm getting a message over here on Slack. What does the shadow have for me? Now, nothing over there. Got a whole bunch of things over here, the questions from Twitch. Did it figure out how the crop circle spoofing worked? You know, I have not read anything that describes how the crop circle is working. In fact, I have read a number of things where people at first were saying we have no clue how they did this. How realistic is the concern that AIS spoofing, oh, how do I get rid of this, oh, here we go, can lead to ship collisions? Okay, so how realistic is the concern? I don't know that it can lead to collisions per se, other than altering the information so that other vessels can't see
that you're there. So, for example, you know, the collisions with the US Navy vessels, particularly the John McCain a couple years ago, were probably not due to anything like this, and they did investigate it. But if you don't have an appropriate watch, and it's nighttime, and you don't have good situational awareness, I can probably devise scenarios where ships get way closer to each other than they want to be. There's a question here about incidents of spoofing on the space and control segments; none of which I am aware. And Reddit's got a couple things. Where did I get the vessel name for the Shanghai incident? Well, certainly not from a secret document, because I don't have access to those, and I would be very careful about sharing it. I must have gotten it from the Coast Guard. So hang on two seconds. That's the Stellar Imperil, right? Yeah, I got something from US Coast Guard NAVCEN back, well, that's when it got reported. So I guess I'm not a hundred percent sure right now where I got it, but I know that it was out there somewhere. Oh dear, I've now lost myself. Oh, there was something I just missed there about the, something about the Fitzgerald. Let me get back up here. I heard some stuff about the Fitzgerald being subjected to any number of things. I thought the latest that I've read was that they said, sorry, it was operator error, because a lot of warships turn off their AIS. Now, when they turn it off, they're still receiving; they're just not transmitting. And I've actually been on a couple ships, it's sort of funny, I was on one boat where they could turn off their AIS. They had a toggle switch, like, you know, a toggle switch like you could go to Lowe's and get, a two-position toggle switch, and then they had a plastic label that said on/off, and that was their AIS switch; they could turn it on and off. But I don't know the detail of the Fitzgerald. I had not read that it was
spoofed, but if anybody has any detail about that you'd like to forward to me, I would love to see it. Thank you very much, my pleasure.

So listen, I'm going to stay on for a few more minutes. I know that I'm at the end of my witching hour. If you've got more questions, obviously feel free. I will be taking the slides, and within the next 10 or 15 minutes I'll be making a PDF and I'll upload them, or I'll send them to the people who will upload them to places. Obviously anybody's welcome to contact me at any point about any of this. I should give a little bit of an advertisement. Some of the research that I've been doing for the last year and a half or so that caused me to build some of these tools was, I came up with a demonstration and capability system to build a protected AIS, which I had a lot of fun doing. I'll be talking about that tomorrow at, I think, is it four o'clock Eastern time, so one o'clock Pacific time, and if anybody wants to sit in on that, you know, I'll talk a little bit more about what AIS looks like and how I built in the protected code and, you know, that kind of stuff. And I think that's it for now, otherwise. But like I said, I'll hang here for a couple of minutes before they kick me out. But thank you all very much.
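As an added example to go with the walk-through of the !AIVDM sentence earlier in the talk (this is not the speaker's parser nor one of the tools on his site), a small Python decoder that verifies the NMEA checksum, reassembles a two-sentence message by its fragment count, fragment number and sequence id, strips the six-bit ASCII armoring and fill bits, and reads the message type and MMSI out of the bit string. The two sample sentences are constructed for the example, not captured traffic; the VDM/VDO talker distinction and the field offsets are the standard AIS and NMEA 0183 conventions.

```python
"""Decoder for the !AIVDM framing described in the talk (constructed samples below)."""
from typing import Dict, List, Optional, Tuple

def nmea_checksum(body: str) -> int:
    """XOR of every character between the leading '!' and the '*'."""
    cs = 0
    for ch in body:
        cs ^= ord(ch)
    return cs

def make_sentence(body: str) -> str:
    """Frame a body as an NMEA 0183 sentence; used only to build the samples."""
    return "!%s*%02X" % (body, nmea_checksum(body))

def payload_to_bits(payload: str, fill: int) -> str:
    """Undo the six-bit ASCII armoring and drop this fragment's fill bits."""
    bits = ""
    for ch in payload:
        v = ord(ch) - 48          # '0'..'W' map to 0..39, '`'..'w' to 40..63
        if v > 40:
            v -= 8
        bits += format(v, "06b")
    return bits[: len(bits) - fill] if fill else bits

class AisAssembler:
    """Reassembles multi-sentence messages keyed by (channel, sequence id)."""

    def __init__(self) -> None:
        self.pending: Dict[Tuple[str, str], List[str]] = {}

    def feed(self, sentence: str) -> Optional[dict]:
        """Return the decoded header once a sentence completes a message."""
        if not sentence.startswith("!") or "*" not in sentence:
            raise ValueError("not an encapsulated NMEA sentence")
        body, given = sentence[1:].split("*", 1)
        if nmea_checksum(body) != int(given, 16):
            raise ValueError("checksum mismatch")      # corrupted or tampered
        fields = body.split(",")
        if len(fields) < 7 or fields[0] not in ("AIVDM", "AIVDO"):
            raise ValueError("not an AIS VDM/VDO sentence")
        talker, count, num, seq, chan, payload, fill = fields[:7]
        parts = self.pending.setdefault((chan, seq), [])
        if int(num) != len(parts) + 1:     # out of sequence: restart the message
            del parts[:]
            if int(num) != 1:
                return None
        parts.append(payload_to_bits(payload, int(fill)))
        if len(parts) < int(count):
            return None                    # wait for the remaining fragments
        bits = "".join(self.pending.pop((chan, seq)))
        return {"own_vessel": talker == "AIVDO", "type": int(bits[0:6], 2),
                "repeat": int(bits[6:8], 2), "mmsi": int(bits[8:38], 2),
                "bit_length": len(bits)}

# Constructed samples: a one-sentence type 1 report (MMSI 477553000) and a
# two-sentence type 5 message (MMSI 123456789) with two fill bits on the last part.
SAMPLE_TYPE1 = make_sentence("AIVDM,1,1,,B,177KQJ5000G?tO`K>RA1wUbN0TKH,0")
SAMPLE_TYPE5 = [make_sentence("AIVDM,2,1,3,A,51mg=5@" + "0" * 29 + ",0"),
                make_sentence("AIVDM,2,2,3,A," + "0" * 35 + ",2")]
```

Feeding the same sentences a second time reproduces the same decode, which is exactly the point of the replay demo: nothing in the framing ties a message to the time it was sent.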