Container ship

A popular satellite communications (SATCOM) system installed on ships across the world is affected by two serious security flaws — a hidden backdoor account with full system privileges access and an SQL injection in the login form.

These vulnerabilities affect the AmosConnect 8 designed and sold by Stratos Global, a company acquired in 2009 by mobile satellite services firm Inmarsat Group.

Flaws won't receive patches

The two vulnerabilities are part of a report released today by cyber-security and penetration testing firm IOActive, but they won't receive any patches because Stratos retired the AtmosConnect 8 product just months before, in June 2017, according to an end-of-life announcement on the company's site.

"Effective 30 June 2017 we will be discontinuing the availability and support of AmosConnect 8," the company said. "AmosConnect 7 will continue as the primary product offering."

The product's deprecation was not the direct consequence of the discovery of these two flaws but was announced back in November 2016.

AtmosConnect 8 boxes are SATCOM systems that are specifically designed to work on ships, oil rigs, and other isolated maritime environments.

The system provides Internet connectivity to ships via a satellite connection. AtmosConnect 8 is a password-protected platform that a ship's crew can use to access on-ship Internet services.

Backdoor account grants full system access

According to a report shared with Bleeping Computer before today's publication, the AtmosConnect 8 platform comes with a secret backdoor account that allows full access to the platform.

Researcher spotted the backdoor account when they found a function in the AtmosConnect source code that was named "authenticateBackdoorUser".

You don't have to be a rocket scientist to realize what the function does. Investigating the code, researcher realized that the backdoor account username is unique per device, and is the "Post Office" ID showed on each AtmosConnect 8 login screen.

The password is derived from this ID, and anyone can deduce how to compute it just by looking at the AtmosConnect source code and reverse-engineering the authenticateBackdoorUser function.

AtmosConnect 8 backdoor account

Besides the backdoor, the same platform was also affected by a blind SQL injection vulnerability in the login form that allowed attackers to gain access to credentials stored in its internal database.

Vulnerabilities can't be mass-exploited, but are bad

"These flaws would only allow an attacker to take control over the server where AmosConnect is installed," Mario Ballano, IOActive principal security consultant and author of this research told Bleeping Computer via email.

"Now, this server would be usually located within the IT network of a vessel, it might be the case that the server where AmosConnect is installed has access to other networks (e.g. a navigation systems network) and that would allow attackers to access those networks, again, this won't probably be a typical scenario and network architectures are completely different from vessel to vessel.

"Also, even if attackers get access to another network (e.g. a navigation systems network), they'd likely need to exploit further vulnerabilities on the systems located in that network to take control over them.

"Summing up, it's a long shot," the expert told Bleeping. "There's a slim chance these flaws would provide attackers with access to a sensitive network, vulnerabilities in that networks' systems would also need to be discovered/exploited."

Furthermore, Ballano says "these particular vulnerabilities are not well suited to be massively exploited," such as botnets or other scripted scenarios.

"Access to the ship's internal network is required so that rules out massive attacks conducted over the internet," Ballano said.

A treasure trove for financially motivated hackers

While Ballano rules out botnet operators from using ship resources, these vulnerable systems are most likely to be exploited by nation-state actors and financially motivated attackers. These systems handle a ship's entire external communications and are a treasure trove of information.

"Essentially anyone interested in sensitive company information or looking to attack a vessel's IT infrastructure could take advantage of these flaws," Ballano said. "This leaves crew member and company data extremely vulnerable, and could present risks to the safety of the entire vessel. Maritime cyber security must be taken seriously as our global logistics supply chain relies on it and as cyber criminals increasingly find new methods of attack."

This is not the first report that focused on maritime cyber-security. Rapid7 researchers published similar research in 2013, IOActive in 2014, and Pen Test Partners did the same a few weeks back.

A link to the IOActive report will be provided once made available to the general public. UPDATE: Here it is. These flaws were also the subject of a US-CERT alert earlier this year.

UPDATE: Post publication, Inmarsat provided more clarification on the vulnerabilities reported today by IOActive, accusing the company of ignoring some details in its report. Full, unedited statement below.

We are aware of the IOActive report but it is important to note AmosConnect 8 (AC8) is no longer in service. 

Inmarsat had begun a process to retire AmosConnect 8 from our portfolio prior to IOActive’s report and, in 2016, we communicated to our customers that the service would be terminated in July 2017.  

When IOActive brought the potential vulnerability to our attention, early in 2017, and despite the product reaching end of life, Inmarsat issued a security patch that was applied to AC8 to greatly reduce the risk potentially posed.  We also removed the ability for users to download and activate AC8 from our public website.   

Inmarsat’s central server no longer accepts connections from AmosConnect 8 email clients, so customers cannot use this software even if they wished too. 

It is important to note that this vulnerability would have been very difficult to exploit as it would require direct access to the shipboard PC that ran the AC8 email client.  This could only be done by direct physical access to the PC, which would require an intruder to gain access to the ship and then to the computer.  While remote access was deemed to be a remote possibility as this would have been blocked by Inmarsat’s shoreside firewalls.

Inmarsat made IOActive aware of these facts.