jcpjr - Fotolia
The Stratos Global AmosConnect 8.4.0 satellite communication platform used by ships at sea is vulnerable to cyber attacks, a security researcher has found.
But the impact of NotPetya on Maersk’s shipping operations is just the tip of the iceberg in terms of cyber attacks on the maritime sector, according to a report by maritime cyber security firm CyberKeel.
The report said the maritime sector is a prime target because there is a significant need for exchanging detailed information across multiple stakeholders with different levels of cyber security.
Security consultancy IOActive has issued a warning about two security vulnerabilities in a particular version of the AmosConnect software, which supports narrowband satellite communications and integrates vessel and shore-based office applications such as email, fax, telex, GSM text, interoffice communication and access for mobile personnel into a single messaging system.
Mario Ballano, IOActive’s principal security consultant, discovered a blind SQL injection vulnerability in the log-in form and a built-in backdoor account with full system privileges, posing a “serious security risk”.
The SQL injection vulnerability allows unauthenticated attackers to gain access to credentials stored in its internal database.
The server stores usernames and passwords in plaintext, which makes this vulnerability simple to exploit, said Ballano, meaning attackers that successfully exploit this vulnerability can retrieve credentials to log in to the service.
The backdoor account could allow attackers to execute commands with system privileges on the remote system by abusing AmosConnect Task Manager, Ballano found.
The flaws mean that unauthenticated attackers could execute arbitrary code on the AmosConnect server and gain unauthorised network access to sensitive information stored in the server, and potentially open access to other connected systems or networks.
Ballano conducted his research in September 2016 and found he could gain full system privileges, essentially becoming the administrator of the box where AmosConnect is installed.
“Essentially, anyone interested in sensitive company information or looking to attack a vessel’s IT infrastructure could take advantage of these flaws,” said Ballano. “This leaves crew members and company data extremely vulnerable, and could present risks to the safety of the entire vessel.”
Ballano said maritime cyber security must be taken seriously because the global logistics supply chain relies on it, and cyber criminals are finding more methods of attack.
Maritime cyber security has been under increasing scrutiny this year. In addition to the impact of the NotPetya attack, a GPS spoofing attack, which involved more than 20 vessels in the Black Sea in June 2017, left navigation experts and maritime executives speculating that it was due to a cyber attack. In August 2017, questions arose that the collision involving the USS John McCain with a chemical tanker might have been the result of cyber tampering.
AC8 no longer in service
IOActive informed Inmarsat of the vulnerabilities in October 2016, and completed the disclosure process in July 2017. Inmarsat has since discontinued the 8.0 version of the platform and has recommended that customers revert to AmosConnect 7.0 or switch to an email system from an approved partner.
Responding to the IOActive report, Inmarsat emphasised that AmosConnect 8 (AC8) is no longer in service, adding that customers were notified that the service would be terminated in July 2017 and that a security update was applied to AC8 to “greatly reduce” the risk potentially posed.
“We also removed the ability for users to download and activate AC8 from our public website, and Inmarsat’s central server no longer accepts connections from AmosConnect 8 email clients, so customers cannot use this software even if they wished too,” the company said in a statement.
Inmarsat also said the vulnerability would have been very difficult to exploit as it would require direct access to the shipboard PC that ran the AC8 email client.
“This could only be done by direct physical access to the PC, which would require an intruder to gain access to the ship and then to the computer. Remote access was deemed to be [an unlikely] possibility as this would have been blocked by Inmarsat’s shoreside firewalls,” the company said.