Key Takeaways
- AIS spoofing is real and documented: ghost ships in the Black Sea, position manipulation for dark fleet sanctions evasion, identity cloning at port arrivals, AIS shutdown for illicit activity.
- AIS is not authenticated. The protocol broadcasts in the clear, with no cryptographic verification. Any transmitter following the protocol can claim any MMSI, position, course and speed.
- Detection requires correlation: AIS vs RADAR, AIS vs Coastal Surveillance, AIS vs satellite, AIS pattern anomaly (physically impossible jumps, MMSI duplication, port-arrival mismatch).
- Defence is layered: vessel-side bridge cyber controls, fleet-side anomaly detection (SOC), class-society aligned procedures, regulator coordination.
- IMO MSC.428(98) and IACS UR E26/E27 expect vessel SMS to address cyber risks including AIS, GNSS and ECDIS-related threats.
What AIS Is and Why It Was Designed Without Security
The Automatic Identification System (AIS) is a maritime broadcast protocol mandated for SOLAS vessels over 300 gross tonnage. AIS transponders continuously broadcast position, course, speed, heading, identity (MMSI), navigational status and other parameters on VHF maritime frequencies (161.975 MHz and 162.025 MHz). Receivers on other vessels, coastal stations, satellite constellations (exactAIS, Spire, ORBCOMM) and port systems aggregate this data into the global maritime traffic picture.
AIS was designed in the 1990s primarily for collision avoidance and traffic management. Security was not part of the original design. The protocol is unencrypted, unauthenticated, and broadcast in the clear over open VHF channels. Any transmitter following AIS-NMEA specifications can claim any MMSI, position, course and identity. The protocol relies entirely on physical-layer reality and operator trust, both of which break in adversarial scenarios.
This is not a flaw introduced by negligence; it is a structural design choice from a time when the maritime threat model did not include sophisticated electronic adversaries. The result today: AIS spoofing is technically trivial for anyone with software-defined radio knowledge and motivation.
Documented AIS Spoofing Cases (Not Theoretical)
Public maritime threat intelligence has documented AIS spoofing incidents across multiple categories:
Ghost Ships in the Black Sea (2017 onwards)
Multiple research groups (SkyTruth, MarineTraffic, C4ADS) documented vessels appearing on AIS at positions where physical evidence (RADAR, satellite imagery, port records) shows no actual ship. The 'ghost ship' pattern has been attributed to deliberate AIS injection, possibly by state actors, to test maritime traffic management response and mask actual vessel movements.
Dark Fleet Sanctions Evasion
Oil tankers carrying sanctioned cargo (Iranian, Russian, Venezuelan oil) routinely use AIS manipulation to obscure cargo origin: AIS shutdown during ship-to-ship transfers in international waters, MMSI swapping between sister ships, and position spoofing to appear distant from the actual loading location. The C4ADS 'Dark Fleet' research and US Treasury OFAC sanctions enforcement documentation have cited specific named tankers and incidents.
Position Manipulation Near Critical Infrastructure
There are documented incidents of warships appearing on AIS near coastlines where physical surveillance shows no vessel, and vice versa. These create geopolitical incidents (vessels apparently entering restricted waters they did not actually enter, or apparently absent from areas they actually traversed). Researchers attribute some to state-level information operations.
Identity Cloning at Port Arrivals
Smaller-scale incidents involve vessels arriving at ports while broadcasting the MMSI of a different (often a sanctioned or restricted) vessel to bypass port state controls. Detection requires correlating AIS identity with physical inspection, voyage history and other independent identity proofs.
AIS Shutdown for Illicit Fishing
Illegal, unreported and unregulated (IUU) fishing vessels routinely turn off AIS transponders or use 'fake fishing' AIS settings to mask catch location and quantity. While not strictly 'spoofing' (more 'silence'), the operational signal is similar: AIS is not a reliable source of vessel reality without correlation.
Detection Methods: How to Spot AIS Spoofing
AIS spoofing detection is fundamentally about correlation: comparing AIS data against independent reality signals. No single technique is sufficient; layered detection is the only effective approach.
1. AIS vs RADAR Correlation
Onboard RADAR detects physical contacts independent of AIS transmissions. A RADAR contact with no corresponding AIS signal indicates either an AIS-off vessel (illicit fishing, dark fleet) or a vessel below AIS-mandate size. An AIS signal with no RADAR contact (in line-of-sight range) indicates likely spoofing. ARPA and integrated navigation systems can flag these mismatches automatically when configured properly.
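The following added example (not code from the original article or from any product it names) shows the AIS vs RADAR comparison as a gated association: each AIS position is converted to range and bearing from own ship and matched against RADAR contacts, leaving AIS-only and RADAR-only residues to investigate. The gate sizes, the 24 nm range scale, the field names and all sample positions and MMSIs are assumptions constructed for the illustration.

```python
import math

RADAR_RANGE_NM = 24.0    # assumed radar range scale in use
GATE_RANGE_NM = 0.5      # assumed association gate on range
GATE_BEARING_DEG = 3.0   # assumed association gate on bearing

def range_bearing(own, tgt):
    """Range (nm) and true bearing (deg) to an AIS position (equirectangular)."""
    north = (tgt["lat"] - own["lat"]) * 60.0
    east = (tgt["lon"] - own["lon"]) * 60.0 * math.cos(math.radians(own["lat"]))
    return math.hypot(north, east), math.degrees(math.atan2(east, north)) % 360

def bearing_diff(a, b):
    return abs((a - b + 180) % 360 - 180)  # smallest angle, safe across 359/0

def correlate(own, ais_targets, radar_contacts):
    """Greedy association. Returns (matched, ais_only, radar_only)."""
    unused = list(radar_contacts)
    matched, ais_only = [], []
    for tgt in ais_targets:
        rng, brg = range_bearing(own, tgt)
        if rng > RADAR_RANGE_NM:
            continue  # outside radar coverage: absence of a contact proves nothing
        cands = [c for c in unused if abs(c["rng"] - rng) <= GATE_RANGE_NM
                 and bearing_diff(c["brg"], brg) <= GATE_BEARING_DEG]
        if cands:
            best = min(cands, key=lambda c: abs(c["rng"] - rng))
            unused.remove(best)
            matched.append((tgt["mmsi"], best["id"]))
        else:
            ais_only.append(tgt["mmsi"])  # AIS claims a ship the radar does not see
    return matched, ais_only, [c["id"] for c in unused]

# Constructed sample data: own position, MMSIs and contacts are invented.
OWN = {"lat": 43.00, "lon": 31.00}
AIS = [
    {"mmsi": 900000011, "lat": 43.10, "lon": 31.00},  # 6 nm north
    {"mmsi": 900000012, "lat": 43.00, "lon": 31.20},  # ~8.8 nm east
    {"mmsi": 900000013, "lat": 42.90, "lon": 31.00},  # 6 nm south, no radar echo
    {"mmsi": 900000014, "lat": 44.00, "lon": 31.00},  # 60 nm away, out of range
]
RADAR = [
    {"id": "R1", "rng": 6.1, "brg": 359.0},
    {"id": "R2", "rng": 8.7, "brg": 90.5},
    {"id": "R3", "rng": 3.0, "brg": 270.0},           # echo with no AIS
]

if __name__ == "__main__":
    print(correlate(OWN, AIS, RADAR))
```

An AIS-only result is a cue for the watch officer, not proof: RADAR shadow sectors, sea clutter and small targets also produce missing echoes.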
2. AIS Pattern Anomaly Detection
Statistical analysis of AIS messages reveals spoofing signatures: physically impossible position jumps (instantaneous teleportation between non-adjacent positions), MMSI duplication (same MMSI broadcasting from two distinct locations simultaneously), unrealistic speed or course changes (a tanker reporting fighter-jet acceleration), identity-vessel-type mismatch (MMSI registered to a tanker reporting a small craft type).
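As an added illustration (not code from the original article or from any vendor named in it), the Python below applies two of these signatures, physically impossible position jumps and MMSI duplication, to already-decoded position reports. The 50-knot ceiling, the report field names and the sample MMSIs, times and positions are assumptions constructed for the example.

```python
import math
from collections import defaultdict

MAX_KNOTS = 50.0  # assumed ceiling on plausible merchant-vessel speed

def nm_between(a, b):
    """Great-circle (haversine) distance in nautical miles between two reports."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 3440.065 * math.asin(math.sqrt(h))

def reachable(prev, cur):
    """True if a ship could sail prev -> cur without exceeding MAX_KNOTS."""
    hours = (cur["t"] - prev["t"]) / 3600
    return nm_between(prev, cur) <= MAX_KNOTS * hours + 0.1  # 0.1 nm GNSS slack

def analyse(reports):
    """Return sorted (mmsi, finding) pairs for a batch of position reports."""
    tracks = defaultdict(list)  # mmsi -> list of tracks (each a list of reports)
    findings = set()
    for r in sorted(reports, key=lambda x: x["t"]):
        mine = tracks[r["mmsi"]]
        home = next((trk for trk in mine if reachable(trk[-1], r)), None)
        if home is None:                      # fits no known track for this MMSI
            if mine:
                findings.add((r["mmsi"], "impossible_jump"))
            mine.append([r])
            continue
        home.append(r)
        # Another established track that reported after this one began: two emitters.
        if any(o is not home and len(o) > 1 and o[-1]["t"] > home[0]["t"] for o in mine):
            findings.add((r["mmsi"], "duplicate_mmsi"))
    return sorted(findings)

def rep(mmsi, t, lat, lon):
    return {"mmsi": mmsi, "t": t, "lat": lat, "lon": lon}

# Constructed sample data: MMSIs, times (s) and positions are invented.
SAMPLE = [
    rep(900000001, 0, 1.200, 103.800), rep(900000001, 360, 1.210, 103.810),
    rep(900000002, 0, 1.200, 103.800), rep(900000002, 360, 1.210, 103.810),
    rep(900000002, 720, 25.100, 56.400), rep(900000002, 1080, 25.110, 56.410),
    rep(900000003, 0, 1.200, 103.800), rep(900000003, 60, 25.100, 56.400),
    rep(900000003, 120, 1.201, 103.801), rep(900000003, 180, 25.101, 56.401),
]

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

A single jump leaves the old track silent, while duplication shows two tracks that keep updating in turn, which is why the second MMSI is flagged only as a jump and the third as both.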
3. Satellite AIS vs Terrestrial AIS Cross-Check
Satellite AIS receivers (Spire, ORBCOMM, exactAIS) provide a parallel global picture independent of coastal AIS receivers. Sophisticated spoofers targeting one channel may not spoof the other consistently. Differences between satellite and terrestrial AIS for the same vessel at the same time are detection signals.
4. AIS vs Optical/SAR Satellite Imagery
Commercial Synthetic Aperture Radar (SAR) and optical satellite imagery (Planet, Maxar, Capella) can detect physical vessel presence independent of AIS. Cross-checking AIS-reported positions against SAR or optical imagery for the same time window catches ghost ships and AIS-silent vessels. Cost is no longer prohibitive: commercial SAR feeds are available to maritime operators for fleet-relevant areas.
5. Voyage and Port-Arrival Validation
Cross-reference the AIS-reported voyage with port arrival/departure records, cargo manifests, ship management system data and crew records. Discrepancies (AIS reports the vessel in Singapore while port records show it in Fujairah) are strong spoofing or fraud signals. This is best done at shore-side fleet management or in a maritime SOC.
6. Specialised Vessel Spoofing Detection Tools
Several maritime analytics vendors offer specialised vessel spoofing detection: Windward, Pole Star (Vessel Verification), Lloyd's List Intelligence, MarineTraffic. These combine multiple correlation methods at scale and provide alerts. Codesecure typically integrates these with the operator's own fleet SOC dashboard.
Defensive Measures: What Vessel Operators Should Do
Vessel-Side Bridge Cyber Controls
Harden the bridge integrated navigation system per IACS UR E26 and IMO MSC.428(98). Specific measures: ECDIS hardening (no USB acceptance during navigation, restricted accounts, regular software updates), RADAR system isolation (segregated from non-essential bridge networks), AIS transponder firmware integrity verification, alarm correlation between AIS and RADAR. Vessel master and bridge officers should be trained to question AIS data when RADAR disagrees.
Fleet-Side Anomaly Detection
Operate a maritime SOC with AIS anomaly detection across the fleet. Codesecure's maritime SOC service integrates AIS feed monitoring with vessel network telemetry and shore-side fleet management data. Anomalies (position jumps, MMSI duplication, AIS-RADAR mismatch reported from vessel) trigger investigation workflows. India-based named analysts on 24x7 watch.
Class-Society Aligned Procedures
Document AIS anomaly response in your vessel SMS per IMO MSC.428(98). Include: detection criteria, master response (continue voyage with manual verification vs alter course), shore-side notification, class society and Flag State notification thresholds. Tabletop exercise the procedure annually.
Regulator and Industry Coordination
Report suspected spoofing incidents to relevant authorities: Flag State, port state control, IMO, US Coast Guard (for sanctions-relevant cases), local coast guards. Industry coordination via TMSA 3, BIMCO, INTERTANKO, INTERCARGO helps build collective intelligence on spoofing patterns and bad actors.
How AIS Defence Fits Into IMO and IACS Cyber Frameworks
AIS spoofing defence is not a standalone capability; it is part of a broader vessel cyber programme aligned with international standards. IMO Resolution MSC.428(98) requires vessel Safety Management Systems to address cyber risks including those affecting navigation systems (AIS, GNSS, ECDIS, RADAR). IACS Unified Requirement E26 (vessel cyber resilience for new builds contracted after 1 July 2024) and UR E27 (ship system cyber resilience) include navigation system cyber resilience as a core requirement.
BIMCO Guidelines on Cyber Security Onboard Ships (currently version 5) explicitly cover AIS and GNSS threats in the threat profile. TMSA 3 Element 13 (Maritime Security) for tanker operators covers cyber including bridge integrated navigation security. Class societies (IRS, DNV, BV, LR, ABS) audit vessel SMS cyber elements against these references.
Codesecure delivers vessel cyber risk assessments, OT/SCADA audits and SMS cyber integration programmes that explicitly address AIS, GNSS and ECDIS threats per IMO and IACS expectations. Reports are accepted by major class societies and charterer vetting programmes.
Frequently Asked Questions
Is AIS spoofing actually happening in real maritime operations?
Yes. Public threat intelligence has documented multiple categories: ghost ships in the Black Sea (research by SkyTruth, MarineTraffic, C4ADS), dark fleet sanctions evasion for Iranian/Russian/Venezuelan oil tankers (cited in US Treasury OFAC enforcement), position manipulation near critical infrastructure, identity cloning at port arrivals, AIS shutdown for IUU fishing. These are documented operational incidents, not theoretical attacks.
How can a vessel detect that it is receiving spoofed AIS signals?
Onboard, the primary correlation is AIS vs RADAR: a RADAR contact with no AIS signal or an AIS signal with no RADAR contact (in line-of-sight range) is a spoofing or AIS-silence signal. Bridge ARPA and integrated navigation systems can flag this when configured properly. Additionally, watch for physically impossible position jumps, MMSI duplication and identity-vessel-type mismatches. Train bridge officers to question AIS data when reality disagrees.
What standards address AIS cyber defence for vessels?
IMO Resolution MSC.428(98) requires vessel SMS to address cyber risks affecting navigation systems including AIS and GNSS. IACS Unified Requirement E26 (new build cyber resilience, applies to ships contracted after 1 July 2024) and UR E27 (ship system cyber resilience) include navigation system cyber resilience. BIMCO Guidelines on Cyber Security Onboard Ships and TMSA 3 Element 13 explicitly cover these threats.
Do vessel operators need specialised vessel spoofing detection software?
Specialised tools (Windward, Pole Star Vessel Verification, Lloyd's List Intelligence, MarineTraffic) provide useful fleet-wide AIS anomaly detection. They are not strictly required for compliance but are recommended for operators of high-value cargo or sensitive trades (tankers, LNG, military, government supply). Codesecure typically integrates these tools with the operator's own maritime SOC dashboard.
How does Codesecure approach AIS defence in vessel cyber assessments?
We address AIS, GNSS and bridge integrated navigation cyber risk as part of every vessel cyber risk assessment per IMO MSC.428(98). Specific elements: threat profile including AIS spoofing scenarios, bridge integrated navigation segmentation review, ECDIS and RADAR hardening recommendations, vessel SMS cyber procedure including AIS anomaly response, optional fleet SOC monitoring with AIS feed integration. We are ISO/IEC 27001:2022 certified and class-society aligned.
Can AIS spoofing be used to attack a vessel directly?
Direct attack via AIS alone is limited because AIS receivers feed display systems, not control systems. However, AIS-induced confusion can lead to navigation decisions that put the vessel at risk: course alterations based on false collision contacts, traffic separation scheme violations, accidental entry into restricted areas, masking of real threats. The risk is operational rather than direct cyber takeover, but the operational consequences (grounding, collision, charterer dispute) can be severe.
Is GNSS spoofing as much of a concern as AIS spoofing?
Yes, possibly more. GNSS (GPS, GLONASS, Galileo, BeiDou) provides the position fix to ECDIS, RADAR, AIS itself and most modern bridge systems. GNSS spoofing has been documented near the Black Sea, the Eastern Mediterranean and several other geopolitically sensitive areas, causing ships to appear at airport positions or incorrect coastlines. Detection requires correlating GNSS with INS (inertial), RADAR fixes and crew situational awareness. We address GNSS spoofing as part of the same vessel cyber risk assessment framework as AIS.

