Good morning, everyone. My name is Julian Blanco and I'm going to be giving a talk on C2 over the maritime Automatic Identification System and commercial aggregation websites. A couple of favors: if I'm talking too fast, if I'm talking too quietly, please, somebody throw something at me, let me know. I hate public speaking, so let's keep this as informal as possible.

All right. So the abstract I submitted for this talk was that AIS is a worldwide program that assists vessels in preventing collisions at sea. By compromising an endpoint connected to a vulnerable AIS transmitter or connecting a software-defined radio to a traditional IT network, one can bypass web filters, blah, blah, blah, blah. Basically, the idea is that we have this system known as AIS that works pretty much all over the world, on land and at sea. On land because we have satellites that pass over, we have terrestrial towers that pick up the signal, and anywhere the signal can be picked up it can then be re-broadcast, because it's a mesh protocol, and it's collected into a bunch of websites and published. And what that allows you to do is create a low-bandwidth, low-throughput connection to wherever you want. And because you're connecting to a bunch of random websites, it's almost anonymous, because you'd have to go through a monumental task of trying to figure out who is accessing what websites and where they're coming from, with a couple of hops. You basically have a nearly anonymous C2 source that I will talk about a little bit later.

Who am I? In my professional life, I'm a Coast Guard officer stationed at Coast Guard Cyber Command. I like doing DFIR; my background is in electrical engineering. I do all cyber IT stuff now. And this talk is completely mine, not the views of the government, and this is not government-sponsored work. I'd like to give a shout-out to my best friend, Trey Maxim. He helped me tremendously and I'm building off of some of his previous work. I wish he could be here giving the talk with me, but he could not make it out to Vegas. So we've been working on this together, and this is probably more his than mine, but we've been working on this for a while.

So why do we care? AIS is a system that is crucial to the maritime industry. It's required by SOLAS, which is Safety of Life at Sea, and all international ships of 300 or more gross tonnage and all passenger ships, regardless of size, have to have this system on. And when it has to have the system, it's not just receive, it's transmit. So all of these devices on all of our commercial ships, they are transmitting; they have transmitters on them that could be useful. I don't know.

How does it help? So why we have this system is basically, if you're looking at your radar screen, this is not very helpful. I mean, it's helpful. You can see the things that are coming at you. But if I was on a collision course with one of these vessels, it's really hard to see. I need to basically look out the window, and if I'm in fog it makes it even harder, and say, "Hey, vessel, you know, white with a black superstructure, come back on the radio." With AIS, basically it overlays who they are, where they're heading, how large they are, what their speed is. And now I can just go, "Hey, vessel Castello, come back on the radio, let's talk, let's pass port to port," however we need to. And it can also be used, since it's going to be broadcasting their speed, if they're outside of radar, we can pick them up farther out and maybe we can even plan a course around them that's not going to be a collision course whatsoever.

There's some previous work. So back at Black Hat in 2014, I believe, Embrite did "AIS Exposed," where he talked about the protocol, that it was very vulnerable, did not have any security built into the protocol. And they did a whole bunch of cool things. They did a lot of spoofing. They did a lot of jamming. They filled up all the time slots in the AIS, and basically it didn't allow legitimate traffic to transmit. And then my buddy Trey and his partner, Shano, did a lot of work with software-defined radios. They created their own protocol to be able to transmit. Trend Micro also has theirs publicly on their GitHub. If you want to use their thing to create your own AIS transmitter, I've never been able to get their code to work, but supposedly it does. So there's that as well.

All right. So I kind of talked about AIS a little bit. Basically here, you can see this is just a cheesy infographic that the signal is mesh. If I can't see the land-based receiver, it'll transmit over to a ship and then another ship will bounce that signal to land. It is a mesh protocol. That way it gets maximum effectiveness and coverage. It is on VHF, and I believe the frequency is 161.975 MHz for the first channel and 162.025 MHz for the second. It is GMSK, which is really annoying to work with. If you're not familiar with GMSK, instead of modulating the actual carrier signal, it modulates the phase to encode the data into the carrier signal, which works, it's just a little less documented and a little harder to work with on software-defined radios.

So my buddy Trey, when they built their own software-defined radio, this is what their GNU Radio block ended up looking like. They basically had a sink where they created what they wanted their message to look like. They created that in Python, put it into a text file, shoved it into GNU Radio, and basically did all this math to get it to actually broadcast a signal. This is what their GMSK ended up looking like. This is what it looks like demodulated. You can see the signal. All the ones and zeros were then transmitted and received on the other end. This is the actual block of Python that they used. So what it looks like is something like this. Excuse the horrible code, and this is probably way too small to see.
Basically, we would plug in an MMSI number, what we wanted the name to be, the ship type, the draft, what their destination was, and we just shoved it into a bunch of hex and transmitted. We're going to publish all this stuff open source once we get it a little bit better documented and commented. So don't feel like you need to take pictures of this. We will put it out there. But basically, the goal was to be able to take something modular, in this case Python, that's pretty easy to work with for anybody, and use that to be able to create new transmissions. Whether that's because you want to legitimately say, hey, we want to not buy an expensive transceiver to put on our boat, we want to just use the software-defined radio for 150 bucks, have our own MMSI number, put in a registration to the FCC, and have basically a low-cost transmitter, just because let's say we're doing a regatta. A lot of people like to do that. But that's why we wanted to make it modular. It also, because it's modular, is easy to use for nefarious purposes.

So we had some fun with it. This is an example where we spit out a bunch of coordinates and created a bunch of tracks. We did this null-terminated into another software-defined radio and then picked it up in OpenCPN. So this was not broadcast. It looks like Cape Cod. But because we have this modular piece of Python that we can create new AIS messages with, it makes it really easy to spit out, in this case, a smiley face or whatever we wanted to do with it.

Now, why this is important is when we want to generate messages, let's say for creating C2, the idea is we're not going to be broadcasting a legitimate target. We're going to be broadcasting an illegitimate target. Now, could it look like a legitimate target? Sure, we have a vessel, we make it look like it's navigating. But let's say the least significant digits of the coordinates or something in the info field: we are encoding data into there, depending on how much data we want to get through and how much risk we're willing to take in whether we want to be detected or not. That kind of determines whether we want to just use, like, one single digit on the back of the lat/long, or if we're just going to put a bunch of, let's say, encrypted or encoded text into the info field of the AIS message.

So some of the benefits of doing C2 over AIS: it could be extremely hard to trace. It can bypass your IDS and IPS. If you have traditional SATCOM IP connectivity on your ship and you're beaconing traffic, most of the time these are really small links, maybe 250 kilobits per second, five or six endpoints. If you were having legitimate, let's say, C2 over a common, let's say, Meterpreter shell or PowerShell Empire, it's probably pretty easy to pick up in your IPS, especially since there's not going to be a lot of traffic leaving the vessel. If you were to do something with either a radio link or over AIS, your traditional SOC is not going to be able to notice it. It allows us to connect to air-gapped networks. If we're at a ship and they don't have a SATCOM unit, then we could use AIS as a possible other venue to talk to that air-gapped network, whether that's on the engine control network, on their traditional IT network, or if we just want a foothold on their network to be able to do something. And it works on land and sea. It's not just limited to vessels. If we wanted to use this method and go plug a software-defined radio into a workstation in a bank in Miami, there's plenty of towers in that area that are going to pick up that signal and vessels that are going to relay that signal. If we created a fake vessel that's just sitting in one of the ports and just shove this on a traditional endpoint in a bank, you could smuggle C2 out that way. Is it going to be used? Probably not. It's very niche, but it just highlights a vulnerability in the AIS protocol and the fact that there's no security, which has been discussed before, and I'm not going to really talk about here, but yeah.

Detractors: it is easy to detect. Because all these signals are picked up, and you probably have to use an illegitimate MMSI number or an MMSI number of a ship that is already broadcasting, it's going to be noticed. Whether it's going to be traced back to you? Who knows. It is very niche. You're not going to get a lot of data, and it's expensive. If you have to plant a software-defined radio, or let's say one of these, this is a LimeSDR. These are tiny. This would be really easy to plant onto a ship. No one would ever notice it, either on a Raspberry Pi or directly into one of their endpoints. It's going to cost you under 200 bucks a pop for each thing you're going to try to create a transmitter on. Whether that's expensive to you or not depends on your threat model and who you're going up against.

So let's talk: how would you get that signal off? So one way you could get the signal off is sit there with another software-defined radio or a legitimate AIS receiver and pick up the signal. Now, why that is maybe not your best option is because if you're within radio distance of your target, then you're probably pretty easy to find. One thing you could do is wait for it to be picked up on either ShipTracker or MarineTraffic.com, and these are commercial aggregation websites that show basically all of your ships in real time. So if we take a look at all the AIS targets that are out in the world right now, you can see there's a whole lot of stuff out there. Would someone notice an extra dot on this map? Maybe, maybe not. There's also some weird dots on here, like this one over here in Vegas, not Vegas, but in Nevada.
Not really sure what that one is, but that also shows that there is pretty good coverage inland in the United States, and if you look in some of these major rivers in Europe, there's also a lot of coverage over there.

So what you do is you would basically scrape the website and you would pull, depending on however you're encoding your message, whether you encode it in the coordinates, you encode it in the info field, or even in the name of the AIS ship that you're broadcasting. You would put your signal in there, put your message in there, and then you'd pick it up on one of these commercial websites. If somebody, let's say, knew that was an illegitimate target, whether, let's say, the government or somebody who is really curious, they would have to rely on cooperation from the website to be able to say, hey, give us your access log, let's pull all the IP addresses of who's reaching out to your website, and at that point it's really hard to be able to pinpoint who that is. So is it possible to then trace from "I plug the software-defined radio into a ship, it broadcasts a signal, and then I go on the other end and I know what website I want to use or what multitude of websites I'm going to use"? Technically, yes, it is possible to trace all that way back, although it would be very, very difficult.

Bypass IDS/IPS: because you're going to be routing your traffic through the AIS transmitter, it's not going to go through your traditional network. I think I talked about that a little bit, especially on ships where you don't have a lot of throughput. This might be important depending on who you are. And it works on land and sea, and that's really important. Air gaps is another one.

And what we're going to be hoping to do in the next couple of months is we want to rewrite everything from GNU Radio over to SoapySDR. This is an all-Python-based module that's cross-platform, works on Linux, Mac, Windows. The reason we want to do this is GNU Radio is kind of heavy. It's very well documented, but it is annoying to work with. By switching to SoapySDR we could put it even on the smallest of Raspberry Pis and be able to, you know, transmit our signal that way. Plus, working in purely Python is preferable to us. We did all of our previous work on really expensive software-defined radios, so we're hoping to get it working on either a HackRF One or a LimeSDR Mini, just to bring the cost down from, you know, expensive USRPs that are, let's say, $8,000 once you buy the right daughterboards to transmit on the signals that you want. And we're going to be open-sourcing the tools soon. Basically what we'd like to hit is reliable transmission, and then commented, that way other people can not just look at our code and make fun of us, but be able to improve it and hopefully make this a useful tool that obviously is not going to be widespread. But for a niche client, if you're trying to work with AIS or work with a maritime client, you can say, hey, this is another method that you should be aware of. Probably not going to happen, but another thing to throw in your report.

And I think that's it. We're going to be putting it up on my GitHub, so these slides are going to be up there later, and this is where we will put the code once we're done. I got about five minutes for questions before the next person needs to set up. Cool. Appreciate it.

I have a question here. Yep.

Audience: You mentioned when you'd easily be detected, with the MMSI that will register and not be a real ship. Is there anything stopping you from, for example, one more software-defined radio, for example, listening to legitimate traffic and then sending out essentially the identical ship again and making up the different fields, and that would then overlay them?

So the question was, would it be difficult to listen to existing traffic? And then would it be detectable because you're using an MMSI number that is either illegitimate or already broadcasting? No, it is possible to just grab somebody's MMSI number, because there is no encryption or basically anything protecting the protocol. You can easily just spoof somebody else's MMSI number and use that. If they weren't broadcasting, it probably would not be picked up as easily. There's a lot of work in looking at the data for illegal fishing. Basically they'll monitor the AIS tracks and watch where they go dark, especially as they go into protected zones. So it's possible that some of those heuristics would pick up on our stuff. If you're broadcasting and then all of a sudden it goes dark, they might not realize what you're doing, but it might show on somebody's screen. The other thing is there's two channels of AIS, so if you broadcast on the other channel that's not very frequently used, there's a chance that nobody would even notice it because nobody's looking. And another thing you can do is, message 42, I believe, in AIS will tell a receiver to switch channels. So if I have a legitimate vessel or a buoy, let's say it's an AtoN buoy underneath one of the bridges saying, hey, there's 20 feet of clearance right now, if I broadcast at that one and say, hey, switch to channel B, I'm gonna take your main spot on channel A and I'm going to look legitimate, maybe even have the legitimate height under the bridge, but maybe there's some extra data in there. Maybe, maybe no one would notice. It's really a question of who's looking.
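The following is an added example and is not the speaker's code or the tool described in the talk. It shows, in Python, the encoding idea the talk sketches: covert bits hidden in the least significant bits of the latitude and longitude fields of an AIS message type 1 position report, packed per the ITU-R M.1371 field layout and armored into the !AIVDM NMEA sentence form that AIS receivers and aggregation feeds carry. Nothing is transmitted; the code only builds and parses sentences. The MMSI, the position off Cape Cod and the beacon string are constructed sample values, and the choice of 3 low bits per coordinate (6 covert bits per report, at most about 1.3 m of position jitter) is an assumption for this example, not anything from the talk.

```python
"""Covert channel in AIS type 1 position reports (added example, constructed data)."""
import re

# 6-bit payload armoring used in !AIVDM: values 0-39 -> '0'..'W', 40-63 -> '`'..'w'
ARMOR = "0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVW`abcdefghijklmnopqrstuvw"

# Assumption for this example: overwrite the 3 low bits of each coordinate.
# One LSB is 1/10000 arc-minute (~0.19 m), so the fake track jitters by at most ~1.3 m.
LSB_BITS = 3
COVERT_BITS = 2 * LSB_BITS  # covert bits carried per position report


def _field(value, width):
    """Pack value into `width` bits, two's complement for negative values."""
    if value < 0:
        value += 1 << width
    if not 0 <= value < (1 << width):
        raise ValueError(f"{value} does not fit in {width} bits")
    return format(value, f"0{width}b")


def armor(bits):
    return "".join(ARMOR[int(bits[i:i + 6], 2)] for i in range(0, len(bits), 6))


def dearmor(payload):
    return "".join(format(ARMOR.index(c), "06b") for c in payload)


def nmea_checksum(body):
    """XOR of every character between '!' and '*', as two uppercase hex digits."""
    cs = 0
    for ch in body:
        cs ^= ord(ch)
    return f"{cs:02X}"


def build_position_report(mmsi, lat, lon, sog, cog, heading, second, covert, channel="A"):
    """One 168-bit type 1 report with `covert` (0..63) hidden in the lon/lat LSBs."""
    mask = (1 << LSB_BITS) - 1
    lon_raw = (round(lon * 600000) & ~mask) | (covert >> LSB_BITS)  # high 3 covert bits
    lat_raw = (round(lat * 600000) & ~mask) | (covert & mask)        # low 3 covert bits
    bits = (
        _field(1, 6) + _field(0, 2)          # message type 1, repeat indicator
        + _field(mmsi, 30)
        + _field(0, 4)                       # nav status: under way using engine
        + _field(-128, 8)                    # rate of turn: not available
        + _field(round(sog * 10), 10)        # speed over ground, 0.1 kn
        + _field(1, 1)                       # position accuracy: high
        + _field(lon_raw, 28)                # longitude, 1/10000 min, signed
        + _field(lat_raw, 27)                # latitude, 1/10000 min, signed
        + _field(round(cog * 10), 12)        # course over ground, 0.1 deg
        + _field(heading, 9) + _field(second, 6)
        + _field(0, 2) + _field(0, 3) + _field(0, 1)  # maneuver, spare, RAIM
        + _field(0, 19)                      # radio status
    )
    assert len(bits) == 168  # exactly 28 armored characters, no fill bits
    body = f"AIVDM,1,1,,{channel},{armor(bits)},0"
    return f"!{body}*{nmea_checksum(body)}"


_SENTENCE = re.compile(r"!(AIVDM,\d,\d,\d*,[AB12]?,([^,]*),(\d))\*([0-9A-F]{2})")


def decode_position_report(sentence):
    """Parse one type 1 sentence (checksum verified) and recover the covert bits."""
    m = _SENTENCE.fullmatch(sentence)
    if not m or nmea_checksum(m.group(1)) != m.group(4):
        raise ValueError("bad NMEA framing or checksum")
    bits = dearmor(m.group(2))

    def u(start, width):
        return int(bits[start:start + width], 2)

    def s(start, width):  # signed field
        v = u(start, width)
        return v - (1 << width) if v >> (width - 1) else v

    if u(0, 6) != 1:
        raise ValueError("not a type 1 position report")
    lon_raw, lat_raw = s(61, 28), s(89, 27)
    mask = (1 << LSB_BITS) - 1
    return {"mmsi": u(8, 30), "lon": lon_raw / 600000, "lat": lat_raw / 600000,
            "second": u(137, 6),
            "covert": ((lon_raw & mask) << LSB_BITS) | (lat_raw & mask)}


def encode_message(data, mmsi, lat, lon, sog=8.0, cog=90.0, heading=90):
    """Spread `data` over consecutive position reports, COVERT_BITS per report."""
    bits = "".join(format(b, "08b") for b in data)
    bits += "0" * ((-len(bits)) % COVERT_BITS)  # zero-pad to a whole number of chunks
    chunks = [int(bits[i:i + COVERT_BITS], 2) for i in range(0, len(bits), COVERT_BITS)]
    return [build_position_report(mmsi, lat, lon, sog, cog, heading, i % 60, c)
            for i, c in enumerate(chunks)]


def decode_message(sentences):
    """Reassemble bytes from reports in transmission order; trailing pad bits are dropped."""
    bits = "".join(format(decode_position_report(s)["covert"], f"0{COVERT_BITS}b")
                   for s in sentences)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - len(bits) % 8, 8))


if __name__ == "__main__":
    # Constructed sample: a fake vessel off Cape Cod carrying a short beacon string.
    reports = encode_message(b"beacon-ok", mmsi=338000000, lat=41.68, lon=-70.15)
    for r in reports:
        print(r)
    print(decode_message(reports))
```

The decoder deliberately does not sign-extend before masking: the low bits of a two's-complement field are the same whether the coordinate is east or west, so the receiving side only needs the armored payload as scraped from a feed. The cost the talk mentions is visible here too: 6 bits per report, so a short string takes a dozen position reports, and a detector comparing consecutive positions would see a vessel whose low-order coordinate digits never settle.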