IOActive Discovers Security Flaws in Maritime Communication Platform

IOActive, Inc., the worldwide leader in research-driven security services, released a new advisory documenting critical cybersecurity vulnerabilities affecting Stratos Global’s AmosConnect communication shipboard platform. Stratos Global, an Inmarsat company, is the leading provider of maritime communications services in the world and used by thousands of ship vessels globally.

According to the International Chamber of Shipping, about 90% of world trade is carried by the international shipping industry -- which frequently relies upon AmosConnect for its mobile satellite communication capabilities. AmosConnect supports narrowband satellite communications and integrates vessel and shore-based office applications such as email, fax, telex, GSM text, interoffice communication, and access for mobile personnel into a single messaging system.

The flaws IOActive discovered include blind SQL injection in a login form, and a backdoor account that provides full system privileges that could allow remote unauthenticated attackers to execute arbitrary code on the AmosConnect server. If compromised, this flaw can be leveraged to gain unauthorized network access to sensitive information stored in the AmosConnect server and potentially open access to other connected systems or networks.

The research was authored by IOActive’s principal security consultant, Mario Ballano. The advisory outlining the research and Ballano’s findings is now available here.

Maritime cybersecurity has been under increasing scrutiny this year with a few maritime disasters that occurred this summer, including the June 2017 GPS spoofing attack involving over 20 vessels in the Black Sea that left navigation experts and maritime executives speculating it was due to a cyber attack. In August 2017, questions arose that the collision involving the USS John McCain with a chemical tanker could have possibly been the result of cyber tampering, leading to the Navy to implement cyber investigations on similar situations moving forward.

IOActive’s Ruben Santamarta conducted prior security research on satellite communications (SATCOM), which originally peaked Ballano’s interest in environments where SATCOM devices are in place, and ultimately led him to investigate the security of the AmosConnect 8.4.0 system. Ballano conducted his research in September of 2016, and found that he could gain full system privileges, essentially becoming the administrator of the box where AmosConnect is installed. If there were to be any other software or data stored in this box, the attacker would have access to those and potentially to other networks connected to the box.

“Essentially anyone interested in sensitive company information or looking to attack a vessel’s IT infrastructure could take advantage of these flaws,” said Ballano. “This leaves crew member and company data extremely vulnerable, and could present risks to the safety of the entire vessel. Maritime cyber security must be taken seriously as our global logistics supply chain relies on it and as cyber criminals increasingly find new methods of attack.”

IOActive informed Inmarsat of the vulnerabilities in October 2016, and completed the disclosure process in July of 2017. Inmarsat has since discontinued the 8.0 version of the platform and has recommended that customers revert back to AmosConnect 7.0 or switch to an email solution from one of their approved partners.