Key Takeaways
- AIS messages are unsigned and unencrypted. Any sufficiently equipped VHF transmitter can inject false positions, false identities or entirely fictional vessels.
- Four dominant abuse patterns: ghost vessels, position falsification, identity laundering (MMSI or IMO number theft), and coordinated cluster spoofing near ports.
- Sanctions evasion drives much of it. Dark-fleet tankers routinely manipulate AIS to conceal origin, route and true tonnage.
- Detection is multi-source: cross-check AIS against radar, GNSS, satellite AIS and visual observation rather than trusting any single feed.
- Prevention is layered: harden the onboard transceiver and its inputs, monitor for anomalies shore-side, and treat AIS as advisory, never authoritative.
How AIS Works and Why It Is Trivial to Spoof
The Automatic Identification System (AIS) is a VHF-based, self-reporting broadcast system carried by most commercial vessels above 300 gross tonnes on international voyages and all passenger vessels, under SOLAS Chapter V. A Class A transceiver continuously broadcasts the vessel's identity (MMSI and IMO number), position (from its own GNSS receiver), course, speed, heading, navigation status and voyage data on two dedicated maritime VHF channels.
AIS was designed in the 1990s with a single goal: help vessels and shore traffic services see each other to avoid collisions. Security was never a design objective. The protocol has no message signing, no encryption, no authentication of the transmitting station and no integrity protection. A receiver has no cryptographic way to confirm that a message claiming to come from MMSI 123456789 actually originated from that vessel.
Because the messages are an open, well-documented standard transmitted on known frequencies, anyone with a software-defined radio (SDR) and a VHF transmitter can craft and broadcast arbitrary AIS messages. The barrier to entry is a few hundred dollars of hardware and freely available software. This is the root cause of every AIS spoofing pattern that follows.
The Four Dominant Spoofing Patterns
Documented AIS abuse around the world clusters into four recurring patterns. Each has a different motive and a different defensive answer.
- Ghost vessels: AIS transmissions describing tracks that no physical vessel is sailing. Used to create confusion near chokepoints, fabricate the presence of warships or naval assets, or test a coastal authority's reaction.
- Position falsification: a real vessel transmitting a fake position to conceal where it actually is. The dominant use case is sanctions evasion, where a tanker appears to be in permitted waters while loading or discharging elsewhere.
- Identity laundering: a vessel broadcasting another vessel's MMSI or IMO number, or a freshly invented identity, so that a sanctioned hull appears to be a different, clean vessel. Sometimes two vessels swap identities mid-voyage.
- Coordinated cluster spoofing: multiple false tracks injected simultaneously near a port or strait to overwhelm a Vessel Traffic Service (VTS) operator, mask a single real movement, or degrade trust in the entire AIS picture.
Real-World Impact on Owners, Ports and Coastal States
For a legitimate shipowner, the threat is rarely that their own crew spoofs AIS. The threat is being impersonated. When a sanctioned vessel launders its identity by borrowing your MMSI or IMO number, your clean vessel can appear, in third-party tracking datasets, to have visited a sanctioned port or loitered in a restricted zone. Charterers, banks, insurers and port authorities increasingly screen against these datasets. An identity-laundering event you did not commit can still trigger a charter cancellation, a banking compliance hold or a port-entry refusal until you prove the track was fraudulent.
For ports and coastal authorities, the operational impact is degraded traffic awareness. A VTS centre that cannot distinguish real from spoofed tracks loses the very picture it exists to provide. Cluster spoofing near an approach channel can force conservative, costly traffic decisions, slow port throughput and, in the worst case, mask a vessel attempting an unauthorised or hostile approach.
For the wider maritime safety system, repeated spoofing erodes trust in AIS as a collision-avoidance aid. If bridge teams learn that AIS targets cannot be trusted, the system stops delivering the safety benefit it was built for, pushing more cognitive load back onto radar and visual lookout.
Detecting Spoofing: A Multi-Source Discipline
There is no single sensor that confirms an AIS message is genuine. Detection is the discipline of correlating AIS against independent sources and flagging the disagreements. The more independent the cross-check, the harder it is for an attacker to keep every source consistent.
On the bridge, the practical cross-checks are radar and ARPA (does an AIS target correspond to a radar return at the same range and bearing?), the vessel's own GNSS and dead reckoning (does an AIS target's reported motion make physical sense?), and visual or binocular observation in clear conditions. An AIS target with no radar return, or a reported position that implies impossible speed or a track over land, is a strong spoofing indicator.
Shore-side and at fleet scale, satellite AIS (S-AIS) provides over-the-horizon verification and helps detect vessels that go dark (stop transmitting) or whose terrestrial and satellite tracks disagree. Behavioural analytics flag impossible kinematics (teleport jumps, speeds inconsistent with the hull type), duplicate MMSI broadcasts from geographically separated positions, and identity changes mid-voyage. Coastal authorities increasingly layer dedicated AIS anomaly-detection systems on top of their VTS feeds.
- Radar correlation: AIS target with no matching radar return is suspect
- Kinematic sanity: position jumps, over-land tracks, or speeds impossible for the hull
- Duplicate identity: the same MMSI broadcasting from two distant positions
- Terrestrial vs satellite mismatch: ground stations and S-AIS disagree on the track
- Sudden identity or voyage-data change: MMSI, IMO number, name or destination changing mid-passage
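The shore-side behavioural checks above (kinematic sanity, duplicate identity, mid-passage identity change) can be sketched as follows. This is an added example, not code from the original article; the record layout (decoded reports already joined with the last static-data name), the thresholds and the sample MMSIs are all assumptions constructed for illustration.

```python
import math
from collections import defaultdict

MAX_SPEED_KN = 40.0      # assumed ceiling for a merchant hull; tune per vessel type
DUP_WINDOW_S = 120       # assumed: fixes this close in time count as simultaneous
DUP_DISTANCE_NM = 50.0   # assumed minimum separation for a duplicate-identity flag

def distance_nm(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 3440.065 * math.asin(math.sqrt(a))

def find_anomalies(reports):
    """reports: dicts with mmsi, t (epoch s), lat, lon, name. Returns sorted (mmsi, t, kind)."""
    by_mmsi = defaultdict(list)
    for r in reports:
        by_mmsi[r["mmsi"]].append(r)
    flags = []
    for mmsi, track in by_mmsi.items():
        track.sort(key=lambda r: r["t"])
        for prev, cur in zip(track, track[1:]):
            dist = distance_nm(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            dt = cur["t"] - prev["t"]
            if dt <= DUP_WINDOW_S and dist >= DUP_DISTANCE_NM:
                flags.append((mmsi, cur["t"], "duplicate_identity"))   # two stations, one MMSI
            elif dt > 0 and dist / (dt / 3600.0) > MAX_SPEED_KN:
                flags.append((mmsi, cur["t"], "impossible_speed"))     # teleport jump
            if cur["name"] != prev["name"]:
                flags.append((mmsi, cur["t"], "identity_change"))      # static data changed
    return sorted(flags)

# Constructed sample reports; the MMSIs are placeholders, not real vessels.
SAMPLE = [
    {"mmsi": 100000001, "t": 0,   "lat": 1.2,  "lon": 103.8,    "name": "ALPHA"},
    {"mmsi": 100000001, "t": 600, "lat": 1.2,  "lon": 103.8278, "name": "ALPHA"},    # ~10 kn, plausible
    {"mmsi": 100000002, "t": 0,   "lat": 1.2,  "lon": 103.8,    "name": "BRAVO"},
    {"mmsi": 100000002, "t": 600, "lat": 2.2,  "lon": 103.8,    "name": "BRAVO"},    # ~60 nm in 10 min
    {"mmsi": 100000003, "t": 0,   "lat": 1.2,  "lon": 103.8,    "name": "CHARLIE"},
    {"mmsi": 100000003, "t": 30,  "lat": 25.0, "lon": 55.0,     "name": "CHARLIE"},  # same MMSI, far away
    {"mmsi": 100000004, "t": 0,   "lat": 1.2,  "lon": 103.8,    "name": "DELTA"},
    {"mmsi": 100000004, "t": 600, "lat": 1.2,  "lon": 103.81,   "name": "DELTA STAR"},
]
```

Radar correlation and terrestrial-versus-satellite comparison need a second sensor feed and are not covered by this sketch.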
Prevention Controls for Vessels and Coastal Infrastructure
Because the AIS protocol itself cannot yet be made tamper-proof in the in-service fleet, prevention is about hardening what you control and refusing to over-trust what you do not. On the vessel side, the AIS transceiver and the inputs feeding it (the GNSS position source and the serial or networked interface carrying that data into the unit) must be protected. A compromised GNSS feed or a tampered NMEA stream into the AIS unit will cause your own vessel to broadcast false data without anyone aboard intending it.
Practical vessel controls: place the AIS transceiver and its GNSS source on a protected bridge OT segment, isolated from crew Wi-Fi and vendor remote access; verify the integrity of the position feed against an independent GNSS or inertial source; control physical and logical access to the transceiver's configuration interface; and brief the bridge team to treat AIS targets as advisory and to escalate anomalies rather than steer on AIS alone.
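One way to verify the position feed against an independent GNSS source, as an added example that is not from the original article: it compares the NMEA 0183 GGA sentence feeding the AIS unit with a fix from a second receiver. The divergence threshold and the sample sentences are constructed assumptions. The NMEA checksum only detects transmission errors, so a tampered sentence with a valid checksum is caught by the cross-check alone.

```python
import math
from functools import reduce

MAX_DIVERGENCE_M = 100.0  # assumed alert threshold; tune to receiver accuracy

def _xor(body):
    return reduce(lambda acc, ch: acc ^ ord(ch), body, 0)

def checksum_ok(sentence):
    """NMEA 0183 checksum: XOR of every character between '$' and '*'."""
    body, _, given = sentence.strip().lstrip("$").partition("*")
    return len(given) == 2 and f"{_xor(body):02X}" == given.upper()

def gga_position(sentence):
    """(lat, lon) in decimal degrees from a GGA sentence; None if corrupt or no fix."""
    if not checksum_ok(sentence):
        return None
    f = sentence.strip().partition("*")[0].split(",")
    if not f[0].endswith("GGA") or len(f) < 7 or f[6] in ("", "0"):
        return None
    try:
        lat = int(f[2][:2]) + float(f[2][2:]) / 60.0    # ddmm.mmmm
        lon = int(f[4][:3]) + float(f[4][3:]) / 60.0    # dddmm.mmmm
    except ValueError:
        return None
    return (-lat if f[3] == "S" else lat, -lon if f[5] == "W" else lon)

def offset_m(a, b):
    """Short-range (equirectangular) distance between two fixes, in metres."""
    dlat = math.radians(b[0] - a[0])
    dlon = math.radians(b[1] - a[1]) * math.cos(math.radians((a[0] + b[0]) / 2))
    return 6371000.0 * math.hypot(dlat, dlon)

def check_feed(primary, independent):
    """Compare the sentence feeding the AIS unit with an independent receiver's fix."""
    p, q = gga_position(primary), gga_position(independent)
    if p is None or q is None:
        return "invalid"
    return "diverged" if offset_m(p, q) > MAX_DIVERGENCE_M else "ok"

def with_checksum(body):
    """Helper used only to build the constructed sample sentences below."""
    return f"${body}*{_xor(body):02X}"

# Constructed sample sentences (not captured from any vessel).
TAIL = ",E,1,09,0.9,12.0,M,6.0,M,,"
REFERENCE = with_checksum("GPGGA,101500.00,0115.0000,N,10350.0000" + TAIL)
PRIMARY_OK = with_checksum("GPGGA,101500.00,0115.0100,N,10350.0100" + TAIL)
PRIMARY_SHIFTED = with_checksum("GPGGA,101500.00,0117.0000,N,10350.0000" + TAIL)  # valid checksum
CORRUPT = PRIMARY_OK.replace("0115.0100", "0115.0900")  # edited in transit, stale checksum
```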
For coastal and port infrastructure operators, prevention extends to monitoring: deploy AIS anomaly-detection over the VTS feed, fuse terrestrial AIS with radar and satellite AIS, maintain a watchlist of MMSI and IMO identities associated with prior spoofing, and establish a reporting channel so masters and pilots can flag suspected spoofing in real time. Reporting suspected spoofing to the relevant coastal authority is itself a control, because it feeds the regional picture other vessels depend on.
Where AIS Security Is Heading
The long-term fix for AIS spoofing is authentication at the protocol level, and work is underway. The forthcoming VHF Data Exchange System (VDES), which extends AIS with additional data channels and a satellite component, is the natural vehicle for adding message authentication. Authenticated GNSS signals such as Galileo's OS-NMA also reduce one upstream spoofing vector by making the position source harder to falsify in the first place.
None of this helps the current fleet today. For the next several years, AIS security remains an operational and analytical problem rather than a cryptographic one. The owners and authorities who manage it best are those who have internalised that AIS is one input among several, who log multi-source position evidence continuously, and who have a defined response when an anomaly appears, on the bridge and in the operations centre alike.
Codesecure helps shipowners and coastal operators assess their AIS exposure as part of broader bridge-OT and ship-to-shore assessments: verifying transceiver segmentation, reviewing the integrity of GNSS and NMEA inputs, and designing the monitoring and response that turns AIS from a blind trust into a managed signal.
Frequently Asked Questions
Can my own vessel be made to broadcast a false AIS position without the crew knowing?
Yes, if an attacker compromises the GNSS feed or the data interface that supplies position to the AIS transceiver, the unit will transmit whatever position it is given. This is why the AIS transceiver and its position source belong on a protected bridge OT segment with verified, integrity-checked inputs, isolated from crew networks and uncontrolled vendor access.
How do coastal authorities detect AIS spoofing?
By correlating multiple independent sources. Terrestrial AIS is cross-checked against radar, satellite AIS and known kinematic constraints. Anomalies such as targets with no radar return, impossible position jumps, duplicate MMSI broadcasts from separated locations, and mid-voyage identity changes are flagged. Many VTS centres now run dedicated AIS anomaly-detection layers over their traffic feeds.
What is identity laundering and why does it matter to a legitimate owner?
Identity laundering is when one vessel broadcasts another vessel's MMSI or IMO number to disguise itself, often to evade sanctions. It matters to honest owners because your clean vessel can be impersonated, making third-party tracking data show your hull in places it never went. That can trigger charter, banking or port-entry problems until you prove the track was fraudulent.
Is AIS spoofing illegal?
Deliberately transmitting false AIS data is a violation of SOLAS Chapter V carriage and reporting requirements and of national radio and shipping regulations in most jurisdictions. Enforcement is difficult because the transmitter can be anywhere and the protocol is anonymous, which is precisely why operational detection and provable multi-source logging matter so much.
Will VDES or new GNSS signals fix AIS spoofing?
Eventually, in part. The VHF Data Exchange System (VDES) can carry authenticated messaging, and authenticated GNSS signals such as Galileo OS-NMA harden the position source. Neither retrofits the existing fleet quickly, so for the next several years AIS security remains an operational and analytical discipline rather than a solved cryptographic problem.
Can Codesecure assess our AIS and bridge exposure?
Yes. As part of a bridge-OT or ship-to-shore assessment, Codesecure reviews AIS transceiver segmentation, the integrity of GNSS and NMEA position inputs, configuration access controls, and the shore-side monitoring and response. ISO/IEC 27001:2022 certified delivery with named consultants holding OSCP, CEH and CISSP credentials.

