Critical flaws in maritime comms system could endanger entire ships

IOActive security consultant Mario Ballano has discovered two critical cybersecurity vulnerabilities affecting Stratos Global’s AmosConnect communication shipboard platform.

About AmosConnect

Stratos Global is a leading provider of maritime communications services, and its solutions are used on thousands of ships around the world.

The AmosConnect platform works in conjunction with the ships’ satellite equipment, and integrates vessel and shore-based office applications, as well as provides services like Internet access for the crew, email, IM, position reporting, etc.

AmosConnect is usually deployed on ships’ IT systems network, which is typically separated from the their navigation systems network, Industrial Control Systems network, and BYOD network.

The vulnerabilities

The first vulnerability is a blind SQL injection in a login form. Attackers that successfully exploit it can retrieve credentials to log into the service and access sensitive information stored in it.

The second one is a built-in backdoor account with full system privileges. “Among other things, this vulnerability allows attackers to execute commands with SYSTEM privileges on the remote system by abusing AmosConnect Task Manager,” Bellano shared.

The found flaws can be exploited only by an attacker that has access to the ship’s IT systems network, he noted, but on some ships the various networks might not be segmented, or AmosConnect might be exposed to one or more of them.

“A typical scenario would make AmosConnect available to both the BYOD ‘guest’ and IT networks; one can easily see how these vulnerabilities could be exploited by a local attacker to pivot from the guest network to the IT network. Also, some the vulnerabilities uncovered during our [earlier] SATCOM research might enable attackers to access these systems via the satellite link,” he added.

What should customers do?

The vulnerabilities were found in AmosConnect 8.4.0, and Stratos Global was notified a year ago.

But Inmarsat won’t fix them, and has discontinued the 8.0 version of the platform in June 2017. They advise customers to revert back to AmosConnect 7.0 or switch to an email solution from one of their approved partners.

“Essentially anyone interested in sensitive company information or looking to attack a vessel’s IT infrastructure could take advantage of these flaws. This leaves crew member and company data extremely vulnerable, and could present risks to the safety of the entire vessel,” Ballano says.

“Maritime cyber security must be taken seriously as our global logistics supply chain relies on it and as cyber criminals increasingly find new methods of attack.”

UPDATE: Thursday, October 26, 07:10 AM PT – Jonathan Sinnatt, Director of Communications at Inmarsat, sent us the following comment on the story:

We are aware of the IOActive report but it is important to note AmosConnect 8 (AC8) is no longer in service. Inmarsat had begun a process to retire AmosConnect 8 from our portfolio prior to IOActive’s report and, in 2016, we communicated to our customers that the service would be terminated in July 2017.

When IOActive brought the potential vulnerability to our attention, early in 2017, and despite the product reaching end of life, Inmarsat issued a security patch that was applied to AC8 to greatly reduce the risk potentially posed. We also removed the ability for users to download and activate AC8 from our public website.

Inmarsat’s central server no longer accepts connections from AmosConnect 8 email clients, so customers cannot use this software even if they wished too.

It is important to note that this vulnerability would have been very difficult to exploit as it would require direct access to the shipboard PC that ran the AC8 email client. This could only be done by direct physical access to the PC, which would require an intruder to gain access to the ship and then to the computer. While remote access was deemed to be a remote possibility as this would have been blocked by Inmarsat’s shoreside firewalls.

Inmarsat made IOActive aware of these facts.