Maritime comms flaws exposed: It's OK cuz we canned it, says vendor

AmosConnect v8 vulnerable to 'blind SQL injection'


Security researchers have gone public about "critical" security flaws in a maritime communication platform.

Stratos Global's AmosConnect 8.4.0 satellite-based shipboard communication platform is vulnerable to cyber attacks, according to researchers from IOActive. Inmarsat, which owns Stratos Global, dismissed the research as irrelevant because it related to a recently discontinued platform. The vendor also said the hacking scenario against its earlier kit outlined by IOActive would be difficult to pull off in practice.

Friggin' in the riggin'

The AmosConnect mobile satellite communications platform was used by thousands of vessels worldwide. Flaws in the technology discovered by IOActive include a "blind SQL injection" in a login form and a backdoor account that grants full system privileges. This account provides a means for hackers to execute arbitrary code on the AmosConnect server, leaving any sensitive information it might contain exposed to theft, according to IOActive's principal security consultant Mario Ballano.

IOActive warns that the flaws could allow hackers to gain access to sensitive information stored on AmosConnect servers including emails, instant messaging, position reporting and automatic file transfer, as well as potentially opening access to other connected systems or networks.
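The login-form weakness described above is a familiar pattern, and the fix is equally familiar. The following Python example is added here for illustration; it is not AmosConnect code and makes no claim about that product's schema or queries. It uses a constructed in-memory SQLite table to show a login check that splices user input into the SQL text beside the same check written with bound parameters, and a small regression routine that confirms the hardened version rejects the classic tautology probe. The table name, column names and sample credentials are all assumptions made for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the demonstration (not a real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('captain', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Defect: user input is spliced straight into the SQL text, so a quote in the
    # input changes the query's structure. The caller only learns True/False,
    # which is exactly the one-bit oracle a *blind* injection works with.
    query = (
        f"SELECT 1 FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Fix: placeholders keep the query structure fixed; the driver binds the
    # values as data, so quotes and keywords in the input are never parsed as SQL.
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def run_regression() -> dict:
    """Exercise both variants with a valid login, a wrong password and the
    textbook tautology probe; returns the outcomes so a test can assert on them."""
    conn = make_db()
    tautology = "' OR '1'='1"  # the canonical probe every login form should survive
    good = "correct horse battery staple"
    return {
        "legit_vuln": login_vulnerable(conn, "captain", good),
        "legit_safe": login_parameterized(conn, "captain", good),
        "wrong_vuln": login_vulnerable(conn, "captain", "wrong"),
        "wrong_safe": login_parameterized(conn, "captain", "wrong"),
        # The vulnerable form returns True here: the spliced quote turns the
        # WHERE clause into (... AND password = '') OR '1'='1'.
        "inject_vuln": login_vulnerable(conn, "captain", tautology),
        # The parameterized form treats the probe as a literal password: False.
        "inject_safe": login_parameterized(conn, "captain", tautology),
    }


if __name__ == "__main__":
    for name, outcome in run_regression().items():
        print(f"{name}: {outcome}")
```

A check like `run_regression` belongs in a product's test suite: any authentication path that returns True for the probe input is a finding, and the parameterized version is the drop-in replacement. Note that neither variant addresses the separate backdoor-account issue IOActive reported, which no query-level fix can remove; that requires deleting the hardcoded credential from the code and configuration.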

AmosConnect supports narrowband satellite communications and integrates vessel and shore-based office applications such as email, fax, telex, GSM text, interoffice communication, and more into a single messaging system.

IOActive informed Inmarsat of the vulnerabilities in October 2016 and completed the disclosure process in July this year. Inmarsat has since discontinued the 8.0 version of the platform, recommending that customers revert to AmosConnect 7.0 or switch to an email solution from one of its approved partners.

In response to queries from El Reg about IOActive's research, Inmarsat downplayed the significance of the findings, arguing that they affected a discontinued version of its technology that it had planned to retire even before IOActive informed it about the security problems.

We are aware of the IOActive report but it is important to note AmosConnect 8 (AC8) is no longer in service. Inmarsat had begun a process to retire AmosConnect 8 from our portfolio prior to IOActive’s report and, in 2016, we communicated to our customers that the service would be terminated in July 2017.

When IOActive brought the potential vulnerability to our attention, early in 2017, and despite the product reaching end of life, Inmarsat issued a security patch that was applied to AC8 to greatly reduce the risk potentially posed. We also removed the ability for users to download and activate AC8 from our public website.

Inmarsat's central server no longer accepts connections from AmosConnect 8 email clients, so customers cannot use this software even if they wished to.

Inmarsat has made IOActive aware of all of this information.

All at sea

An Inmarsat spokesman added the "potential vulnerability" would have been "very difficult to exploit as it would require direct access to the shipboard PC that ran the AC8 email client. This could only be done by direct physical access to the PC, which would require an intruder to gain access to the ship and then to the computer. Any attempt to enter remotely would have been blocked by Inmarsat's shoreside firewalls."

Maritime cybersecurity has been under increasing scrutiny this year after a series of disasters, including the June GPS spoofing attack involving over 20 vessels in the Black Sea. In August, there was speculation that the collision involving the USS John McCain with a chemical tanker might have been the result of cyber tampering.

Ballano conducted his research in September and found that he could gain full system privileges, essentially becoming the administrator of the box where AmosConnect is installed. Any other software or data stored on that box would be accessible to the attacker, as potentially would other connected networks.

"Essentially anyone interested in sensitive company information or looking to attack a vessel's IT infrastructure could take advantage of these flaws," Ballano said. "This leaves crew member and company data extremely vulnerable, and could present risks to the safety of the entire vessel. Maritime cybersecurity must be taken seriously as our global logistics supply chain relies on it and as cybercriminals increasingly find new methods of attack."

Recent research by security consultancy Pen Test Partners into shipboard comms more generally can be found here. ®
