Boat AIS enumeration
SUMMARY
The boat Automatic Identification System (AIS) is a VHF radio identification system used in maritime communications by vessels and shore stations. It serves different purposes such as navigation, traffic control, collision avoidance and emergency management. This write-up covers how to intercept AIS RF signals and gather intelligence on boats with a portable HackRF One + PortaPack running Mayhem firmware.
KEYWORDS
Automatic Identification System (AIS), SIGINT, HackRF One, Mayhem firmware, maritime communications.
REFERENCES
https://treaties.un.org/doc/Publication/UNTS/Volume%201184/volume-1184-I-18961-English.pdf
https://the-bosun.com/what-is-the-difference-between-ais-class-a-and-b/
https://www.itu.int/dms_pubrec/itu-r/rec/m/R-REC-M.1371-5-201402-I!!PDF-E.pdf
https://www.myshiptracking.com/vessels
https://www.marinevesseltraffic.com/2013/06/mmsi-number-search.html
INTRODUCTION
The International Convention for the Safety of Life at Sea (SOLAS), 1974 is an international maritime treaty issued by the International Maritime Organization (IMO), a specialized agency of the United Nations responsible for regulating shipping safety. According to SOLAS (chapter IV, page 395 onwards), the following types of ships must be equipped with a radio communications Automatic Identification System (AIS):
All vessels over 300 GT engaged in international voyages.
All passenger vessels regardless of size.
Vessels in certain high-traffic areas or those required by national law may need AIS, even if they don’t fall under the SOLAS requirements.
AIS transmissions are made in the VHF band: 161.975 MHz (channel 87B) and 162.025 MHz (channel 88B), and the information is broadcast unencrypted and automatically at certain intervals.
Channel 87B (AIS 1). This channel is used for simplex ship-to-ship communications in the 161.975 MHz frequency. It is used by ships to broadcast their identification and navigation data to other nearby vessels.
Channel 88B (AIS 2). This channel is used for duplex ship-to-shore communications in the 162.025 MHz frequency. It is used for vessels to broadcast their identification and navigation data to shore-based stations, such as Vessel Traffic Services (VTS) or coastal authorities.
The interval between transmissions depends on the class of the AIS equipment fitted on the vessel. There are two AIS equipment classes: class A and class B. Class A is designed for large vessels; its range is around 20 nautical miles and it transmits every 2-10 seconds when underway and every 3 minutes when anchored. Class B, on the other hand, is aimed at recreational boats and smaller vessels; it has a shorter range of around 5-10 nautical miles and transmits every 30 seconds.
As said, AIS transmitters emit signals automatically; however, there is another possibility: working in an interrogator-transponder fashion. A transponder is a kind of RF API: a device listening on a specific frequency that automatically replies when it receives a certain signal (an "interrogation"), just like querying an API. The information sent by the transponder in the reply depends on the type of interrogation received. Interrogations are usually sent by maritime navigation controllers requesting specific information about the vessel. A similar process is used by air traffic controllers when aircraft approach the boundaries of an airport. Transponders and interrogators are common in aeronautical and satellite communications.
Regarding the information broadcast in AIS, there are 27 possible messages to be transmitted. All of them contain the following information:
The station MMSI number (Maritime Mobile Service Identity). It is a unique, nine-digit identifier assigned to the transmitters equipped in all the maritime radio stations: vessels, maritime radio stations, base station, buoys, etc.
The identification of the message being transmitted.
A sequence indicator used in case it is a relayed message.
The specification, structure, number of bits and parameters of each message are defined in the Recommendation ITU-R M.1371-5 (02/2014) Technical characteristics for an automatic identification system using time division multiple access in the VHF maritime mobile frequency band.
For example, the 15th message defines an interrogation that must be replied to when received by a specific AIS station.
The parameter Destination ID1 contains the MMSI number of the destination station that is requested to reply. This way, any station knows whether the message is aimed at it or not, and therefore whether it needs to reply to the interrogation.
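The common header and the message 15 addressing check described above, as an added Python example that is not part of the original write-up. Bit offsets are taken from the message tables in ITU-R M.1371-5 (including Destination ID2, which the text does not mention); the function names and the sample payload are constructed for illustration.

```python
# Added example, not from the original write-up. Offsets follow the message
# tables of ITU-R M.1371-5; input is the payload as a '0'/'1' string, i.e.
# after demodulation and de-framing (assumed to be done by the receiver).

def field(bits, start, length):
    """Unsigned integer stored in bits[start:start+length], MSB first."""
    chunk = bits[start:start + length]
    if len(chunk) != length:
        raise ValueError(f"payload too short for field at bit {start}")
    return int(chunk, 2)

def parse_header(bits):
    """Fields every AIS message starts with."""
    return {
        "msg_id": field(bits, 0, 6),          # 1..27
        "repeat": field(bits, 6, 2),          # set when the message is relayed
        "mmsi": f"{field(bits, 8, 30):09d}",  # source station
    }

def parse_interrogation(bits):
    """Message 15: who is being asked, and for which message."""
    msg = parse_header(bits)
    if msg["msg_id"] != 15:
        raise ValueError("not a message 15 interrogation")
    msg["dest_id1"] = f"{field(bits, 40, 30):09d}"  # follows 2 spare bits
    msg["requested_msg_id"] = field(bits, 70, 6)    # Message ID1.1
    # The longer form of message 15 also addresses a second station.
    msg["dest_id2"] = f"{field(bits, 110, 30):09d}" if len(bits) >= 140 else None
    return msg

def must_reply(bits, own_mmsi):
    """True only for an interrogation addressed to own_mmsi."""
    if parse_header(bits)["msg_id"] != 15:
        return False
    msg = parse_interrogation(bits)
    return own_mmsi in (msg["dest_id1"], msg["dest_id2"])

def pack(*fields):
    """Build a constructed sample payload from (value, width) pairs."""
    return "".join(f"{value:0{width}b}" for value, width in fields)

# Constructed sample: station 123456789 asks 987654321 for message 5.
SAMPLE = pack((15, 6), (0, 2), (123456789, 30), (0, 2),
              (987654321, 30), (5, 6), (0, 12))

if __name__ == "__main__":
    print(parse_interrogation(SAMPLE))
    print(must_reply(SAMPLE, "987654321"), must_reply(SAMPLE, "123456789"))
```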
SIGNAL TRACKING
Preparation
First, you need to go where the ships are. This may sound trivial but it is not. AIS communication happens in the VHF band, meaning there must be a line of sight between the emitter and the receiver, and that is not always the case in RF communications.
For example, in the HF band (3-30 MHz), there is no need for a line of sight between emitter and receiver because at those frequencies waves reflect off the ionosphere. This means you are able to communicate beyond the horizon with an HF transmitter; you can even reach the other end of the world if you transmit with enough power.
As said, that is not the case in VHF, so to intercept AIS signals you must have a line of sight to the ships. Also, take into account that the range of an AIS emission is around 75 km.
Find a spot with a good view of the ships if you live close to the ocean, or take advantage of your holidays by the sea, such as this place.
Or this one.
Antenna calculations
As discussed in the radio communications introduction, the length of the antenna determines the quality of the signal received, so it is mandatory to have the right antenna in each case. We are going to use a HackRF One equipped with a common SMA telescopic monopole antenna, which implies we should calculate its length as a quarter of the wavelength.
Let's calculate it for the two maritime frequencies (161.975 MHz and 162.025 MHz).
Then, with the Mayhem firmware antenna length calculator application, we find out the optimum extension for the telescopic antenna.
Which means we have to fully extend 5 elements and three quarters of the sixth element.
Signal interception
Power on the HackRF One, extend the telescopic antenna 5 ¾ elements and configure the gain so the signal saturation is around 70-80%.
Soon, transmissions from the nearby boats are intercepted in the 87B channel.
And also in the 88B channel.
Selecting the boat MMSI captured, the application decodes the information from the AIS messages, such as country, position, heading, etc.
Passive enumeration has resulted in a list of MMSI identifiers. Although some of them look like shore stations, the application does not provide any more data about them. However, using the map feature we can get a rough idea where the emitting station is.
The next step is to gain some intelligence about them on the internet, since the 9-digit MMSI uniquely identifies each maritime object.
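Before turning to online databases, the MMSI itself already tells whether a captured identifier belongs to a ship, a coast station or another kind of station, and which flag it carries. The following is an added example, not part of the original write-up: the prefix rules follow the MMSI numbering plan (ITU-R M.585), the MID table is a small subset covering only the MMSIs listed on this page, and `classify_mmsi` is a hypothetical helper name.

```python
# Added example. Prefix rules follow the MMSI numbering plan (ITU-R M.585);
# the MID (Maritime Identification Digits) table is a subset, not the full list.
MID_COUNTRY = {"224": "Spain", "244": "Netherlands",
               "250": "Ireland", "636": "Liberia"}

# (prefix, station kind, index of the 3-digit MID inside the MMSI, or None)
PREFIX_RULES = [
    ("111", "SAR aircraft", 3),
    ("970", "AIS-SART", None),
    ("972", "man overboard device", None),
    ("974", "EPIRB-AIS", None),
    ("99", "aid to navigation", 2),
    ("98", "craft associated with a parent ship", 2),
    ("00", "coast station", 2),   # must be tested before the single "0"
    ("0", "group of ships", 1),
]

def classify_mmsi(mmsi):
    """Return station kind, MID and flag state derived from the MMSI alone."""
    if len(mmsi) != 9 or not mmsi.isdigit():
        raise ValueError("an MMSI is exactly nine digits")
    kind, mid_at = "ship", 0
    for prefix, rule_kind, rule_mid_at in PREFIX_RULES:
        if mmsi.startswith(prefix):
            kind, mid_at = rule_kind, rule_mid_at
            break
    mid = mmsi[mid_at:mid_at + 3] if mid_at is not None else None
    # MIDs are allocated between 201 and 775; anything else is not a MID.
    if mid is not None and not 201 <= int(mid) <= 775:
        mid = None
        if kind == "ship":
            kind = "unknown"
    return {"mmsi": mmsi, "kind": kind, "mid": mid,
            "country": MID_COUNTRY.get(mid, "unknown")}

if __name__ == "__main__":
    # MMSIs from this page, plus one constructed coast-station value.
    for m in ("250000096", "636020514", "224631000", "244297000",
              "224075190", "002240000"):
        print(classify_mmsi(m))
```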
SIGNAL INTELLIGENCE
There are several online MMSI databases such as VesselFinder, MyShipTracking and Marine Vessel Traffic.
Let's use them to enumerate the MMSIs collected with the HackRF One.
250000096 | VIGILANT | 9131979 | Fishing
636020514 | FLAMURI | 9472713 | Cargo
224631000 | MARÍA DE MAEZTU | 9429091 | Tug / SAR
244297000 | LAGANBORG | 9407419 | Cargo
224075190 | SAN PRUDENCIO | 9181948 | Fishing
These databases provide basic information such as name, country, type and even a picture. Other technical features such as draught, depth and material, as well as details on the registered owner, builder and contact address are available upon subscription.
WRAPPING UP
We have learned about a maritime automatic broadcasting radio system called AIS. Using the HackRF One we are able to calculate the length of a telescopic antenna matched to receive signals in the 87B and 88B channels. With this, we are able to take the HackRF + PortaPack to a good spot and intercept the signals to passively enumerate ships in our surroundings. It resulted in a list of MMSIs, which uniquely identify the stations for navigation control purposes. Finally, with this list we are able to gain intelligence on the ships (such as name, country, destination, type, etc.) from databases available on the internet.