Maritime comms flaws exposed: It's OK cuz we canned it, says vendor

AmosConnect v8 vulnerable to 'blind SQL injection'

Detail from the pirate ship box, showing the offending figure with pistol and map

Security researchers have gone public about "critical" security flaws in a maritime communication platform.

Stratos Global's AmosConnect 8.4.0 satellite-based shipboard communication platform is vulnerable to cyber attacks, according to researchers from IOActive. Inmarsat, which owns Stratos Global, dismissed the research as irrelevant because it related to a recently discontinued platform. The vendor also said the hacking scenario against its earlier kit outlined by IOActive would be difficult to pull off in practice.

Friggin' in the riggin'

AmosConnect mobile satellite communications platform was used by thousands of vessels worldwide. Flaws in the technology discovered by IOActive include "blind SQL injection" in a login form and a backdoor account that allows full system privileges. This account provides a means for hackers to execute arbitrary code on the AmosConnect server leaving any sensitive information it might contain exposed to theft, according to IOActive's principal security consultant Mario Ballano.

IOActive warns that the flaws could allow hackers to gain access to sensitive information stored on AmosConnect servers including emails, instant messaging, position reporting and automatic file transfer, as well as potentially opening access to other connected systems or networks.

AmosConnect supports narrowband satellite communications and integrates vessel and shore-based office applications such as email, fax, telex, GSM text, interoffice communication, and more into a single messaging system.

IOActive informed Inmarsat of the vulnerabilities in October 2016, and completed the disclosure process in July this year. Inmarsat has since discontinued the 8.0 version of the platform with the recommendation that customers revert back to AmosConnect 7.0 or switch to an email solution from one of their approved partners.

In response to queries about IOActive's research from El Reg, Inmarsat downplayed the significance of the findings, arguing it affected discontinued version of its technology that it planned to retire even before IOActive informed it about security problems.

We are aware of the IO Active report but it is important to note AmosConnect 8 (AC8) is no longer in service. Inmarsat had begun a process to retire AmosConnect 8 from our portfolio prior to IOActive’s report and, in 2016, we communicated to our customers that the service would be terminated in July 2017.

When IOActive brought the potential vulnerability to our attention, early in 2017, and despite the product reaching end of life, Inmarsat issued a security patch that was applied to AC8 to greatly reduce the risk potentially posed. We also removed the ability for users to download and activate AC8 from our public website.

Inmarsat's central server no longer accepts connections from AmosConnect 8 email clients, so customers cannot use this software even if they wished too.

Inmarsat has made IO Active aware of all of this information.

All at sea

An Inmarsat spokesman added the "potential vulnerability" would have been "very difficult to exploit as it would require direct access to the shipboard PC that ran the AC8 email client. This could only be done by direct physical access to the PC, which would require an intruder to gain access to the ship and then to the computer. Any attempt to enter remotely would have been blocked by Inmarsat's shoreside firewalls."

Maritime cybersecurity has been under increasing scrutiny this year after a series of disasters, including the June GPS spoofing attack involving over 20 vessels in the Black Sea. In August, there was speculation that the collision involving the USS John McCain with a chemical tanker might have been the result of cyber tampering.

Ballano conducted his research in September and found that he could gain full system privileges, essentially becoming the administrator of the box where AmosConnect is installed. If there were to be any other software or data stored in this box, the attacker would have access and potentially to other connected networks.

"Essentially anyone interested in sensitive company information or looking to attack a vessel's IT infrastructure could take advantage of these flaws," Ballano said. "This leaves crew member and company data extremely vulnerable, and could present risks to the safety of the entire vessel. Maritime cybersecurity must be taken seriously as our global logistics supply chain relies on it and as cybercriminals increasingly find new methods of attack."

Recent research by security consultancy Pen Test Partners into shipboard comms more generally can be found here. ®

Sponsored: Minds Mastering Machines - Call for papers now open


Biting the hand that feeds IT © 1998–2018