A popular satellite communications (SATCOM) system installed on ships across the world is affected by two serious security flaws — a hidden backdoor account with full system privileges access and an SQL injection in the login form.
These vulnerabilities affect the AmosConnect 8 designed and sold by Stratos Global, a company acquired in 2009 by mobile satellite services firm Inmarsat Group.
The two vulnerabilities are part of a report released today by cyber-security and penetration testing firm IOActive, but they won't receive any patches because Stratos retired the AtmosConnect 8 product just months before, in June 2017, according to an end-of-life announcement on the company's site.
"Effective 30 June 2017 we will be discontinuing the availability and support of AmosConnect 8," the company said. "AmosConnect 7 will continue as the primary product offering."
The product's deprecation was not the direct consequence of the discovery of these two flaws but was announced back in November 2016.
AtmosConnect 8 boxes are SATCOM systems that are specifically designed to work on ships, oil rigs, and other isolated maritime environments.
The system provides Internet connectivity to ships via a satellite connection. AtmosConnect 8 is a password-protected platform that a ship's crew can use to access on-ship Internet services.
According to a report shared with Bleeping Computer before today's publication, the AtmosConnect 8 platform comes with a secret backdoor account that allows full access to the platform.
Researcher spotted the backdoor account when they found a function in the AtmosConnect source code that was named "authenticateBackdoorUser".
You don't have to be a rocket scientist to realize what the function does. Investigating the code, researcher realized that the backdoor account username is unique per device, and is the "Post Office" ID showed on each AtmosConnect 8 login screen.
The password is derived from this ID, and anyone can deduce how to compute it just by looking at the AtmosConnect source code and reverse-engineering the authenticateBackdoorUser function.
Besides the backdoor, the same platform was also affected by a blind SQL injection vulnerability in the login form that allowed attackers to gain access to credentials stored in its internal database.
"These flaws would only allow an attacker to take control over the server where AmosConnect is installed," Mario Ballano, IOActive principal security consultant and author of this research told Bleeping Computer via email.
"Now, this server would be usually located within the IT network of a vessel, it might be the case that the server where AmosConnect is installed has access to other networks (e.g. a navigation systems network) and that would allow attackers to access those networks, again, this won't probably be a typical scenario and network architectures are completely different from vessel to vessel.
"Also, even if attackers get access to another network (e.g. a navigation systems network), they'd likely need to exploit further vulnerabilities on the systems located in that network to take control over them.
"Summing up, it's a long shot," the expert told Bleeping. "There's a slim chance these flaws would provide attackers with access to a sensitive network, vulnerabilities in that networks' systems would also need to be discovered/exploited."
Furthermore, Ballano says "these particular vulnerabilities are not well suited to be massively exploited," such as botnets or other scripted scenarios.
"Access to the ship's internal network is required so that rules out massive attacks conducted over the internet," Ballano said.
While Ballano rules out botnet operators from using ship resources, these vulnerable systems are most likely to be exploited by nation-state actors and financially motivated attackers. These systems handle a ship's entire external communications and are a treasure trove of information.
"Essentially anyone interested in sensitive company information or looking to attack a vessel's IT infrastructure could take advantage of these flaws," Ballano said. "This leaves crew member and company data extremely vulnerable, and could present risks to the safety of the entire vessel. Maritime cyber security must be taken seriously as our global logistics supply chain relies on it and as cyber criminals increasingly find new methods of attack."
UPDATE: Post publication, Inmarsat provided more clarification on the vulnerabilities reported today by IOActive, accusing the company of ignoring some details in its report. Full, unedited statement below.