IOActive, Inc. released a new advisory documenting critical cybersecurity vulnerabilities affecting Stratos Global’s AmosConnect shipboard communication platform, which is used by thousands of ships globally. Responding to this claim, Inmarsat, parent company of Stratos Global, confirmed that AmosConnect 8 (AC8) is no longer in service, noting that its central server no longer accepts connections from AC8 email clients and that the software is therefore no longer applicable.
AC8 supports narrowband satellite communications and integrates vessel and shore-based office applications such as email, fax, telex, GSM text, interoffice communication, and access for mobile personnel into a single messaging system.
The flaws IOActive discovered include blind SQL injection in a login form and a backdoor account that provides full system privileges, which could allow remote unauthenticated attackers to execute arbitrary code on the AmosConnect server. If exploited, these flaws can be leveraged to gain unauthorized network access to sensitive information stored on the AmosConnect server and potentially open access to other connected systems or networks.
“Essentially anyone interested in sensitive company information or looking to attack a vessel’s IT infrastructure could take advantage of these flaws,” said Mario Ballano, IOActive’s principal security consultant, who conducted the research in September of 2016. “This leaves crew member and company data extremely vulnerable, and could present risks to the safety of the entire vessel. Maritime cyber security must be taken seriously as our global logistics supply chain relies on it and as cyber criminals increasingly find new methods of attack.”
However, Inmarsat clarifies that it had begun a process to retire AmosConnect 8 from its portfolio prior to IOActive’s report and that, in 2016, it had communicated that the service would be terminated in July 2017.
“When IOActive brought the potential vulnerability to our attention, early in 2017, and despite the product reaching end of life, Inmarsat issued a security patch that was applied to AC8 to greatly reduce the risk potentially posed. We also removed the ability for users to download and activate AC8 from our public website,” said the company.
Further, the company explained that this vulnerability would have been very difficult to exploit, as it would require direct access to the shipboard PC that ran the AC8 email client. This could only be done by direct physical access to the PC, which would require an intruder to gain access to the ship and then to the computer. Remote access was deemed to be a remote possibility, as this would have been blocked by Inmarsat’s shoreside firewalls.
Maritime cyber security has been in focus this year following a few maritime disasters this summer, including the June 2017 GPS spoofing attack involving over 20 vessels in the Black Sea, which left navigation experts and maritime executives speculating that it was due to a cyber attack. In August 2017, questions arose over whether the collision of the USS John McCain with a chemical tanker could have been the result of cyber tampering, leading the Navy to implement cyber investigations on similar situations moving forward.