Security Flaws in Inmarsat Maritime Platform Revealed by IOActive
IOActive has released a new advisory documenting critical cybersecurity vulnerabilities affecting Stratos Global’s AmosConnect shipboard communication platform. Stratos Global, which Inmarsat acquired in 2009, provides communication services to thousands of vessels globally.
AmosConnect supports narrowband satellite communications and integrates vessel and shore-based office applications such as email, fax, telex, GSM text, interoffice communication, and access for mobile personnel into a single messaging system. The flaws IOActive discovered include a blind Structured Query Language (SQL) injection in a login form and a backdoor account that provides full system privileges, which could allow remote unauthenticated attackers to execute arbitrary code on the AmosConnect server. If exploited, these flaws can be leveraged to gain unauthorized access to sensitive information stored on the AmosConnect server and potentially to other connected systems or networks.
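To illustrate the defect class named above, here is an added example (not code from the advisory or from AmosConnect): a login check built by string concatenation beside its parameterised form, run against a constructed SQLite user table. Because the form reveals only success or failure, an injection here is "blind"; the tautology input that slips past the first version is rejected by the second.

```python
import hashlib
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for a login backend.
    (Example data only; the unsalted hash keeps the demo short - real
    code should use a password KDF such as scrypt or Argon2.)"""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("captain", hashlib.sha256(b"correct horse").hexdigest()))
    db.commit()
    return db


def login_vulnerable(db, username, password):
    """String-built query: attacker-controlled text is parsed as SQL.
    The form only answers yes/no, so the flaw is a blind injection."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND pw_hash = '{pw_hash}'")
    return db.execute(query).fetchone() is not None


def login_hardened(db, username, password):
    """Parameterised query: input is bound as data, never as SQL syntax."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    # Legitimate credentials succeed in both versions.
    print("valid / vulnerable:", login_vulnerable(db, "captain", "correct horse"))
    print("valid / hardened:  ", login_hardened(db, "captain", "correct horse"))
    # A username that closes the quote and comments out the password
    # clause logs in without the password in the vulnerable version only.
    probe = "captain' --"
    print("probe / vulnerable:", login_vulnerable(db, probe, "wrong"))
    print("probe / hardened:  ", login_hardened(db, probe, "wrong"))
```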
IOActive’s principal security consultant Mario Ballano conducted his research in September 2016 and found that he could gain full system privileges, essentially becoming the administrator of the box where AmosConnect is installed. Any other software or data stored on that box would then be accessible to the attacker, as would, potentially, other networks connected to it.
“Essentially, anyone interested in sensitive company information or looking to attack a vessel’s IT infrastructure could take advantage of these flaws,” said Ballano. “This leaves crew member and company data extremely vulnerable, and could present risks to the safety of the entire vessel. Maritime cybersecurity must be taken seriously as our global logistics supply chain relies on it and as cyber criminals increasingly find new methods of attack.”
According to IOActive, it informed Inmarsat of the vulnerabilities in October 2016 and completed the disclosure process in July 2017. Inmarsat has since discontinued the AmosConnect 8.0 (AC8) version of the platform and has also issued a security patch to reduce the risk it poses.
“It is important to note that this vulnerability would have been very difficult to exploit, as it would require direct access to the shipboard PC that ran the AC8 email client. This could only be done by direct physical access to the PC, which would require an intruder to gain access to the ship and then to the computer. Remote access was deemed to be a remote possibility, as this would have been blocked by Inmarsat’s shoreside firewalls,” Inmarsat commented on Oct. 26, 2017.