The Triton

Editor's Pick

Secure at Sea: AIS fraught with vulnerabilities


Secure@Sea: by Corey D. Ranslem

AIS, or automatic identification system, has been around for about 20 years. The International Maritime Organization required the first AIS systems back in 2002 on certain types of vessels in critical areas of the world as an update to the SOLAS (Safety of Life at Sea Convention). The early requirements stated that all tankers and passenger vessels equal to or greater than 150 gross tons would be required to carry AIS, as well as all other ships of 300 gross tons or greater on international voyages, and 500 gross tons or greater on domestic voyages. 

There are additional restrictions that have been put in place over the years by various countries. The U.S. requires AIS on all vessels of 65 feet or greater. Initially, fishing vessels and passenger vessels carrying less than 150 passengers were exempt, but that changed when full AIS went into effect back in 2016. There aren’t many vessels today, including large yachts, that don’t have AIS on board.

The AIS signals are unencrypted VHF-based radio signals that provide some basic vessel information, including vessel name, position, course and speed. This information is used by port authorities and shoreside VTS (vessel traffic systems) for identifying vessels. This information is also integrated into a vessel’s ECDIS (electronic charting display information system) or navigation and radar to provide information on the other vessels around for better identification and collision avoidance. 

AIS is a great system that has enhanced collision avoidance and helped to improve vessel operations. However, there are numerous security vulnerabilities within the system. First, there are several vulnerabilities within the AIS system itself. It is very easy to intercept and change AIS information coming from vessels to shoreside facilities. It is also easy to “hack” into a vessel’s AIS and change its internal information. None of the information within the AIS system is encrypted, so it is very easy to change a vessel’s name, position, course and speed to just about anything and any location. 

The underlying issue with the AIS system is that there is no authentication within the system and no integrity check of any of the data. It is also very easy to build an AIS system to intercept and transmit erroneous data. 

Maritime security experts believed that pirates used AIS tracking to target certain vessels back in the early days of piracy, circa 2008. Now pirates, along with other nefarious actors, use AIS as a standard practice to carry out malicious activities. Many security experts recommend AIS transceivers be switched off while transiting high-risk areas. However, that is not always possible because of flag or coastal country regulations.

When you do some basic internet research, you can find several university and other research projects and studies conducted on the vulnerabilities of AIS, and how to carry out those various attacks. Even someone with basic computer knowledge could cause major issues with vessels and shoreside systems. Attackers could trigger false collision alarms or render the collision alarms useless in an actual collision situation. They can also change information to/from VTS and port authorities, causing issues with vessel arrivals and departures, as well as with collision avoidance. A hacker could theoretically render a VTS system useless and close a traffic area or port.

There are some global issues currently within the AIS system that need to be addressed on a political level that we won’t get into here. However, there are some basic measures that can be taken to ensure you are seeing and receiving the correct information. Double-check the output of your AIS to ensure the correct information is flowing from your system. Second, double check the information coming for other vessels that corresponds with the vessel’s radar or visual position in relation to your vessels. It doesn’t hurt to also ensure VTS and port authorities are seeing your correct information when navigating in restricted channels. 

Corey Ranslem, CEO at International Maritime Security Associates (, has more than 24 years of combined Coast Guard and maritime industry experience. Comments are welcome below.

Related Posts...
Secure@Sea: by Corey D. Ranslem Piracy off the Gulf Coast Read more...
Secure@Sea: by Corey D. Ranslem The world is amazingly dynamic, Read more...
Secure@Sea: by Corey D. Ranslem The hurricane season this year Read more...
Secure@Sea: by Corey D. Ranslem Considering the adventurous nature of Read more...
Secure@Sea: by Corey D. Ranslem “What is that annoying buzzing Read more...

Share This Post

Leave a comment

Your email address will not be published. Required fields are marked *

Please answer the question below to leave a comment. * Time limit is exhausted. Please reload CAPTCHA.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Editor’s Picks

M/Y Anodyne refit at a standstill at Derecktor

M/Y Anodyne refit at a standstill at Derecktor

By Lucy Chabot Reed Work on M/Y Anodyne -- a massive refit of a small-ish yacht designed to make it bigger -- was halted on Aug. 13. …

Medieval sites, modern marinas lure yachts to Split

Medieval sites, modern marinas lure yachts to Split

Story and photos by Alison Gardner After four visits to the Croatian Adriatic coast in 10 years, I am convinced that it is a yachting …

Diver assesses Bahamas reefs after hurricane

Diver assesses Bahamas reefs after hurricane

Story and photos by Kevin Davidson Some time has passed and our memories of Hurricane Dorian are perhaps fading away a bit. The scenes …

Triton networks with Culinary Convenience

Triton networks with Culinary Convenience

More than 250 yacht captains, crew and industry professionals gathered for our first Triton Networking of 2020 at Culinary Convenience, a …