Seattle-based cybersecurity firm IOActive has uncovered what it describes as critical security flaws in one of Inmarsat’s shipboard communication platforms that could leave the platform and vessels’ networks vulnerable to remote hackers.
IOActive released details of the vulnerabilities after documenting critical cybersecurity flaws affecting Stratos Global’s AmosConnect 8.0 shipboard communication platform. Stratos Global, an Inmarsat company, is the world’s leading provider of maritime communications services, used by thousands of vessels globally.
Inmarsat said it was aware of the report and said the platform in question is no longer in service.
“The flaws IOActive discovered include blind SQL injection in a login form, and a backdoor account that provides full system privileges that could allow remote unauthenticated attackers to execute arbitrary code on the AmosConnect server,” IOActive said in a press release. “If compromised, this flaw can be leveraged to gain unauthorized network access to sensitive information stored in the AmosConnect server and potentially open access to other connected systems or networks.”
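The first flaw class named above, SQL injection in a login form, comes from building the authentication query out of user-supplied text. The following Python example is added here as an illustration and is not IOActive’s or Inmarsat’s code, nor a reproduction of the AmosConnect 8 flaw (the page gives no details of its query or schema); it assumes a constructed in-memory SQLite table with a single sample account and a plain SHA-256 password hash, and shows a string-built login check beside its parameterized, hardened replacement so the difference in behaviour on the same inputs can be seen.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample account; not AmosConnect's schema, accounts or credentials.
SAMPLE_USERS = [("captain", "correct horse battery staple")]


def _hash(password: str) -> str:
    # Demonstration hash only; production code should use a salted, slow KDF such as argon2 or bcrypt.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_db() -> sqlite3.Connection:
    """Create an in-memory users table populated with the constructed sample account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)", [(u, _hash(p)) for u, p in SAMPLE_USERS]
    )
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Weak pattern: the username is spliced into the SQL text, so a crafted value
    can rewrite the WHERE clause and the password comparison is never applied."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username + "' "
        "AND password_hash = '" + _hash(password) + "'"
    )
    (count,) = conn.execute(query).fetchone()
    return count > 0


def hardened_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: bind the username as a query parameter so it is only ever
    treated as data, then compare the stored hash in constant time."""
    row = conn.execute(
        "SELECT password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], _hash(password))


def compare_behaviour() -> dict:
    """Run the same inputs through both login checks and report which ones are accepted."""
    conn = build_db()
    # Constructed tautology input: the trailing comment marker hides the password clause.
    crafted = "captain' OR 1=1 --"
    return {
        "vulnerable_valid": vulnerable_login(conn, "captain", "correct horse battery staple"),
        "vulnerable_wrong_password": vulnerable_login(conn, "captain", "wrong"),
        "vulnerable_crafted_username": vulnerable_login(conn, crafted, "wrong"),
        "hardened_valid": hardened_login(conn, "captain", "correct horse battery staple"),
        "hardened_wrong_password": hardened_login(conn, "captain", "wrong"),
        "hardened_crafted_username": hardened_login(conn, crafted, "wrong"),
    }


if __name__ == "__main__":
    for name, outcome in compare_behaviour().items():
        print(f"{name}: {'login accepted' if outcome else 'login rejected'}")
```

The weak check accepts the crafted username with a wrong password because the injected text becomes part of the query’s logic; the parameterized check rejects it because the driver passes the username purely as a value, and the constant-time hash comparison avoids leaking timing differences. Parameterized queries, not input filtering, are the fix a code review should insist on for any login form.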
The security issues were discovered by IOActive researcher Mario Ballano, who conducted the research in September 2016. Ballano found that he could gain full system privileges, essentially becoming the administrator of the box where AmosConnect is installed. If any other software or data were stored on the box, the attacker would have access to those and potentially to other networks connected to it, according to IOActive.
“Essentially anyone interested in sensitive company information or looking to attack a vessel’s IT infrastructure could take advantage of these flaws,” said Ballano. “This leaves crew member and company data extremely vulnerable, and could present risks to the safety of the entire vessel. Maritime cybersecurity must be taken seriously as our global logistics supply chain relies on it and as cyber criminals increasingly find new methods of attack.”
IOActive said it informed Inmarsat of the vulnerabilities in October 2016, and completed the disclosure process in July of 2017.
Inmarsat has since discontinued version 8.0 of the platform and has recommended that customers revert to AmosConnect 7.0, or switch to an email solution from one of its approved partners.
In a statement, Inmarsat said it is aware of the IOActive report and reiterated that it is important to note AmosConnect 8 (AC8) is no longer in service.
Inmarsat’s statement continued:
“Inmarsat had begun a process to retire AmosConnect 8 from our portfolio prior to IOActive’s report and, in 2016, we communicated to our customers that the service would be terminated in July 2017.
“When IOActive brought the potential vulnerability to our attention, early in 2017, and despite the product reaching end of life, Inmarsat issued a security patch that was applied to AC8 to greatly reduce the risk potentially posed. We also removed the ability for users to download and activate AC8 from our public website.
“Inmarsat’s central server no longer accepts connections from AmosConnect 8 email clients, so customers cannot use this software even if they wished to.
“It is important to note that this vulnerability would have been very difficult to exploit as it would require direct access to the shipboard PC that ran the AC8 email client. This could only be done by direct physical access to the PC, which would require an intruder to gain access to the ship and then to the computer. Remote access was deemed to be a remote possibility, as this would have been blocked by Inmarsat’s shoreside firewalls.”