Russia spoofed AIS data to fake British warship's course days before Crimea guns showdown
Great powers clash while the rest of us sigh and tut at data feed meddling
Russia was back up to its age-old spoofing of GPS tracks earlier this week before a showdown between British destroyer HMS Defender and coastguard ships near occupied Crimea in the Black Sea.
Yesterday Defender briefly sailed through Ukrainian waters, triggering the Russian Navy and coastguard into sending patrol boats and anti-shipping aircraft to buzz the British warship in a fruitless effort to divert her away from occupied Crimea's waters.
Russia invaded Ukraine in 2014 and has occupied parts of the region, mostly in the Crimean peninsula, ever since. The UK and other NATO allies do not recognise Crimea as enemy-held territory so Defender was sailing through an ally's waters – and doing so through a published traffic separation scheme (similar to the TSS in the English Channel), as Defence Secretary Ben Wallace confirmed this afternoon.*
Yet, among yesterday's drama and tension, Russia had previously spoofed maritime Automatic Identification System (AIS) signals to show Defender and her Dutch flotilla mate HNLMS Evertsen as sailing straight for the Russian naval base in Sevastopol, southwest Crimea. Neither warship was doing that: while Russia was claiming NATO warships were threatening Russia, both vessels were captured on live webcams in another Ukrainian port.
The latest batch of AIS fiddling took place on 17 June, according to naval analyst HI Sutton, writing for the US Naval Institute's blog: "Despite the AIS track, there is clear evidence that the two warships did not leave Odessa."
This week's tensions should remind the world that Russia has no compunction about interfering with widely available tech systems.
Open-source intelligence expert Steffan Watkins told The Register: "From a technical perspective, the receivers that were collecting the AIS transmissions (VHF, limited to line of sight) HI Sutton reported were in Chornomorsk, Crimea, quite near where [HMS Defender] would sail yesterday. A nefarious RF transmitter nearby, in a vehicle, ship, or stationary location, remotely controlled, or not, seems most likely to have been the source; that's a lot of options, but these days the sort of transmitter needed could fit in a backpack, if not a purse."
AIS works on an honesty-based system, at its simplest. The all-but-mandatory system (ships below 300 tons are exempt) works through each ship at sea broadcasting its GPS coordinates. Other ships receive those signals and assemble them onto display screens mounted on the vessel's bridge for crew to monitor, usually as part of an integrated ECDIS system. It's an insecure system insofar as vulns exist that allow spoofing of AIS data, as first revealed almost a decade ago. Shore stations can also receive and rebroadcast AIS signals, amplifying them – and providing a vector for the unscrupulous to insert their own preferred data.
As those revelations suggested, AIS tampering is far from new. The US Centre for Advanced Warfare, a think-tank, warned in 2019 that Russian tampering with GPS location systems revealed efforts to develop "a comparative advantage in the targeted use and development of GNSS spoofing capabilities to achieve tactical and strategic objectives."
Watkins explained that if Russia's forces were broadcasting false AIS tracks, evidence of that might have been picked up by NATO observers, saying: "Multiple AIS providers collected the bogus AIS transmissions, so we know it was not a cyber attack injecting data onto any one database. Since the attacker was transmitting VHF over the air, there is a possibility that an American SIGINT collection platform captured, or even triangulated, the source of the transmissions."
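The two observations above (VHF is limited to line of sight, and several independent providers heard the same transmissions) can be turned into a simple plausibility check on a claimed AIS position. The sketch below is an added example, not code from The Register, Sutton or Watkins. The station names, providers, antenna heights, ducting margin and approximate coordinates are all constructed assumptions.

```python
import math

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def radio_horizon_km(rx_height_m, tx_height_m):
    """VHF radio horizon, standard 4/3-earth approximation (heights in metres)."""
    return 4.12 * (math.sqrt(rx_height_m) + math.sqrt(tx_height_m))

def assess_report(report, receivers, tx_height_m=30.0, margin=1.5):
    """Check a claimed AIS position against the shore stations that heard it.

    margin loosens the limit to allow for atmospheric ducting (assumed value).
    """
    heard = [receivers[name] for name in report["heard_by"]]
    beyond = []
    for rx in heard:
        dist = haversine_km(rx["lat"], rx["lon"], report["lat"], report["lon"])
        limit = margin * radio_horizon_km(rx["antenna_m"], tx_height_m)
        if dist > limit:
            beyond.append((rx["name"], round(dist), round(limit)))
    providers = {rx["provider"] for rx in heard}
    return {
        "beyond_line_of_sight": beyond,
        # Heard by independent networks: radiated over VHF, not injected into one database.
        "rf_origin_likely": len(providers) >= 2,
        "suspect": bool(beyond),
    }

# Constructed sample data: approximate coordinates, hypothetical stations and providers.
RECEIVERS = {
    "rx-a": {"name": "rx-a", "provider": "provider-1", "lat": 46.30, "lon": 30.65, "antenna_m": 30.0},
    "rx-b": {"name": "rx-b", "provider": "provider-2", "lat": 46.31, "lon": 30.66, "antenna_m": 20.0},
}
CLAIMED_NEAR_SEVASTOPOL = {"lat": 44.62, "lon": 33.40, "heard_by": ["rx-a", "rx-b"]}
CLAIMED_IN_ODESSA_PORT = {"lat": 46.49, "lon": 30.74, "heard_by": ["rx-a", "rx-b"]}

if __name__ == "__main__":
    for label, rep in [("near Sevastopol", CLAIMED_NEAR_SEVASTOPOL),
                       ("Odessa port", CLAIMED_IN_ODESSA_PORT)]:
        print(label, assess_report(rep, RECEIVERS))
```

A position claimed hundreds of kilometres beyond the radio horizon of the station that received it means the transmitter was not where the message said it was, which is the pattern a nearby rogue transmitter would produce.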
AIS spoofing is similar to GPS spoofing in that broadcasting false data can mislead the wider world. Back in 2018, researchers built a GPS-spoofing unit out of a Raspberry Pi, transmitting false location data to confuse a targeted car's satnav.
This proof-of-concept unit using consumer-grade, readily available equipment merely spells out what nation states such as Russia (and the West, naturally) have been toying with for years. Western GPS spoofing is a fact of life in the Eastern Mediterranean, as frustrated airline pilots and air traffic controllers know all too well, and the effects of AIS spoofing are very similar for those who depend on public datafeeds to keep up with the world around them.
For now, though, the decades-old game of "tweaking the bear's tail" continues – and doubtless both East and West will keep on tampering with AIS and GPS feeds whenever it suits them to do so. ®
*Wallace's statement downplays the Russian coastguard's firing of guns near HMS Defender and refers to it as "a live fire gunnery exercise… astern" [behind] the British ship.
Accounts from both the Daily Mail (linked above) and the BBC, both of which have correspondents embedded aboard the ship, revealed that the Russian coastguard boats were firing guns near the British warship. Not directly at the Defender, but after repeatedly demanding she change course away from Ukrainian waters.