While digging through the data unearthed in an unprecedented census of nearly the entire Internet, researchers at Rapid7 Labs have discovered a lot of things they didn't expect to find openly responding to port scans. One of the biggest surprises they discovered was the availability of data that allowed them to track the movements of more than 34,000 ships at sea. The data can pinpoint ships down to their precise geographic location through Automated Identification System receivers connected to the Internet.

The AIS receivers, many of them connected directly to the Internet via serial port servers, are carried aboard ships, buoys, and other navigation markers. The devices are installed at Coast Guard and other maritime facilities ashore to prevent collisions at sea within coastal waters and to let agencies track the comings and goings of international shipping. Rapid7 security researcher Claudio Guarnieri wrote in a blog post on Rapid7's Security Street community site that he, Rapid7 Chief Research Officer H.D. Moore, and fellow researcher Mark Schloesser discovered about 160 AIS receivers still active and responding over the Internet. In 12 hours, the trio was able to log more than two gigabytes of data on ships' positions—including military and law enforcement vessels.

For many of the ships, the vessel's name was included in the broadcast data pulled from the receivers. For others, the identification numbers broadcast by their beacons are easily found on the Internet. By sifting through the data, the researchers were able to plot the location of individual ships. "Considering that a lot of military, law enforcement, cargoes, and passenger ships do broadcast their positions, we feel that this is a security risk," Guarnieri wrote.

Among the other information found in the AIS data were "safety messages," text messages sent between ships and navigation stations to inform each other of hazards. Some of the messages were actually the equivalent of casual texts to arriving ships' masters: "MOINMOIN GREETINGS TO YOUR CPT."

Update: As the Rapid7 report points out (and as numerous readers have pointed out as well) the data from AIS is openly published via AIS itself and a number of websites in any case. The data is public by nature—otherwise it wouldn't be effective in preventing collisions at sea. But the information collected from the AIS system itself is a vulnerable asset—the US Coast Guard counts on AIS in combination with other, secure data sources as part of its Nationwide AIS, a maritime security system.

Kurt Schwehr, Research Assistant Professor in the Center for Coastal and Ocean Mapping/NOAA Joint Hydrographic Center/Visualization Lab at the University of New Hampshire, pointed out some of the vulnerabilities in AIS in a blog post last November. The real network threats to the system come from spoofing a particular receiver's output into the AIS network as a whole, which relies on the IP backbone for communications, and from hacking of the individual devices or other attacks on their exposed IP interfaces. An attacker spoofing data from an AIS receiver could feed misinformation into NAIS and other information systems; a denial-of-service attack could cause essentially the same problem by denying information to the network. There's also the possibility of GPS spoofing near a receiver affecting the quality of safety data.