Resilient and Reconfigurable Maritime Communications
This talk explores the integration of Software Defined Networking (SDN) and Software Defined Radio (SDR) to enhance the security and resilience of maritime satellite communication (SATCOM) systems. It identifies critical vulnerabilities in legacy maritime protocols such as AIS, GPS, and VSAT, including lack of authentication and susceptibility to jamming and spoofing. The proposed framework leverages SDN for centralized network control and SDR for flexible, reconfigurable radio front-ends to mitigate these risks and optimize bandwidth usage. The research demonstrates how this unified approach can improve performance and security in resource-constrained maritime environments.
Why Your Next Maritime Pentest Needs to Include Software Defined Radio
TLDR: Maritime communication systems like AIS, GPS, and VSAT are notoriously insecure, often lacking basic authentication and encryption. This research proposes a unified framework using Software Defined Networking (SDN) and Software Defined Radio (SDR) to replace legacy, hardware-locked radio systems with reconfigurable software. For researchers, this highlights a massive, under-audited attack surface where traffic interception and manipulation are trivial due to the lack of cryptographic integrity in standard maritime protocols.
Maritime security is often treated as a black box, but the reality is that the protocols keeping global trade moving are decades old and fundamentally broken. If you are performing a red team engagement or a penetration test against critical infrastructure, you are likely looking at IT networks, cloud configurations, or web applications. You are probably ignoring the radio frequency layer that connects these assets when they are offshore. The recent research presented at DEF CON 2025 on Resilient and Reconfigurable Maritime Communications makes it clear that the "Internet of Ships" is built on a foundation of trust that simply does not exist.
The Inherent Fragility of Maritime Protocols
Legacy maritime systems were designed for reliability and interoperability, not security. Protocols like the Automatic Identification System (AIS) were never intended to be authenticated. As a result, an attacker with a low-cost SDR can easily inject fake vessel positions, spoof identities, or perform denial-of-service attacks on navigation systems. This falls squarely into OWASP A07:2021 – Identification and Authentication Failures, but at the physical layer.
GPS spoofing is another well-documented vector. By manipulating the signal timing or content, an attacker can force a vessel’s Electronic Chart Display and Information System (ECDIS) to report an incorrect location, potentially causing a ship to deviate from its course. When these systems are updated via insecure IT networks, the risk compounds. If the update mechanism for an ECDIS unit lacks code signing or integrity checks, a compromised bridge workstation becomes a gateway to manipulating the ship's navigation data.
Moving from Fixed Hardware to Software Defined Resilience
The core of the proposed research is the shift from proprietary, fixed-function radio hardware to a unified framework using Software Defined Radio (SDR) and Software Defined Networking (SDN). By decoupling the control plane from the data plane, the researchers aim to replace a rack of disparate, single-purpose radios with a reconfigurable software platform.
In a traditional setup, every vessel in a Carrier Strike Group (CSG) maintains its own independent, often narrow-bandwidth satellite link. This is inefficient and creates a massive, fragmented attack surface. By integrating SDN, the network can dynamically route traffic based on availability and security requirements. If a high-latency GEO satellite link is compromised or degraded, the SDN controller can automatically fail over to a lower-latency LEO link without dropping the session.
For a pentester, this means the target is no longer just a single radio unit. It is the SDN controller itself. If you can gain access to the controller—often running on platforms like ONOS or OpenDaylight—you effectively control the entire communication topology of the fleet.
Technical Implications for Researchers
The research highlights the potential for SDR-based signal validation. By using USRP hardware and software suites like GNU Radio, researchers can implement multi-sensor fusion to validate GPS signals against other data sources. This is a significant step toward mitigating spoofing. However, the complexity of these implementations is high.
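As an added illustration (not code from the talk or from GNU Radio), the sketch below shows the simplest form of this cross-check: each GNSS fix is compared against a dead-reckoned position derived from gyrocompass heading and speed-log readings, and fixes whose residual exceeds a drift-aware tolerance are rejected. The sensor fields, tolerances and track data are assumptions constructed for the example.

```python
import math
from dataclasses import dataclass
R_EARTH_M = 6_371_000.0
KNOT_MS = 0.514444  # metres per second in one knot

@dataclass
class Sample:                # one time-aligned reading from three sensors
    t: float                 # seconds
    lat: float               # GNSS latitude, degrees
    lon: float               # GNSS longitude, degrees
    heading: float           # gyrocompass heading, degrees true
    speed_kn: float          # speed log, knots

def haversine_m(lat1, lon1, lat2, lon2):
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * R_EARTH_M * math.asin(math.sqrt(a))

def dead_reckon(lat, lon, heading, speed_kn, dt):
    d, h = speed_kn * KNOT_MS * dt, math.radians(heading)
    return (lat + math.degrees(d * math.cos(h) / R_EARTH_M),
            lon + math.degrees(d * math.sin(h) / (R_EARTH_M * math.cos(math.radians(lat)))))

def validate_track(samples, base_tol_m=50.0, drift_m_per_s=0.5):
    """Return [(t, residual_m, accepted)] for every sample after the first."""
    lat, lon, coast, prev, out = samples[0].lat, samples[0].lon, 0.0, samples[0], []
    for s in samples[1:]:
        dt = s.t - prev.t
        pred = dead_reckon(lat, lon, prev.heading, prev.speed_kn, dt)
        coast += dt                      # time since the last accepted GNSS fix
        residual = haversine_m(pred[0], pred[1], s.lat, s.lon)
        ok = residual <= base_tol_m + drift_m_per_s * coast
        if ok:
            lat, lon, coast = s.lat, s.lon, 0.0   # re-anchor on the GNSS fix
        else:
            lat, lon = pred                       # coast on dead reckoning
        out.append((s.t, residual, ok))
        prev = s
    return out

def constructed_track():
    """Constructed data: 12 kn due east; fixes 3 and 4 shifted 0.01 deg north."""
    pos, track = (36.0, -5.0), []
    for i in range(6):
        off = 0.01 if i in (3, 4) else 0.0
        track.append(Sample(10.0 * i, pos[0] + off, pos[1], 90.0, 12.0))
        pos = dead_reckon(pos[0], pos[1], 90.0, 12.0, 10.0)
    return track
```

The tolerance widens while the filter is coasting because dead reckoning accumulates error; a slow, gradual drift that stays inside that envelope would pass this check, which is why additional independent sources are needed in practice.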
If you are looking to get started with this type of research, the barrier to entry is lower than you might think. You do not need a ship to test these concepts. You can simulate these environments using REDHAWK SDR, which provides a framework for building and managing complex, distributed radio applications. The goal for a researcher is to identify where the software-defined logic fails. For example, if the SDN controller relies on a cleartext protocol to manage the radio front-ends, you have a clear path to intercepting or modifying the control traffic.
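The mitigation for a cleartext control channel can be shown in a few lines. This added example (not code from the talk, and not the API of ONOS, OpenDaylight or REDHAWK) authenticates each controller-to-radio command with HMAC-SHA256 and a monotonic counter, so modified or replayed frames are dropped at the front-end. The frame layout, class name, command fields and key are hypothetical; the scheme gives integrity and replay protection only, not confidentiality.

```python
import hashlib
import hmac
import json
import struct

# Constructed demo key; a real deployment provisions a distinct key per device.
DEMO_KEY = b"constructed-demo-key-not-for-production"
TAG_LEN, HDR_LEN = 32, 8

def seal(key, counter, command):
    """Controller side: frame = 8-byte counter || JSON body || HMAC-SHA256 tag."""
    header = struct.pack(">Q", counter)
    body = json.dumps(command, sort_keys=True).encode()
    return header + body + hmac.new(key, header + body, hashlib.sha256).digest()

class RadioFrontEnd:
    """Radio side: applies a command only if the tag verifies and the counter is new."""

    def __init__(self, key):
        self.key = key
        self.last_counter = 0
        self.config = {}

    def receive(self, frame):
        if len(frame) < HDR_LEN + TAG_LEN:
            return "rejected: short frame"
        header, body, tag = frame[:HDR_LEN], frame[HDR_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return "rejected: bad tag"
        (counter,) = struct.unpack(">Q", header)
        if counter <= self.last_counter:             # same or older frame seen before
            return "rejected: replay"
        self.last_counter = counter
        self.config.update(json.loads(body))         # parse only after authentication
        return "applied"
```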
The Defensive Reality
Defending these systems requires a move toward a zero-trust model at the network layer. Maritime operators must stop assuming that the radio link is a "trusted" pipe. Implementing end-to-end encryption for all data transmitted over VSAT and other satellite links is non-negotiable. Furthermore, network segmentation is critical. The navigation data network (ECDIS) should be physically or logically isolated from the general-purpose IT network used by the crew.
The research presented at DEF CON is a wake-up call for anyone involved in the security of industrial or critical infrastructure. We are moving toward a world where radio systems are just another piece of software, which means they are subject to the same vulnerabilities as any other application. If you are not including the RF layer in your threat model, you are missing the most critical link in the chain. Start looking at the radio protocols, start auditing the SDN controllers, and start assuming that the signal you are receiving is not the signal that was sent.
