A Bug in a Popular Maritime Platform Left Ships Exposed
Ah, the high seas. Nothing around you but salt air, water for miles, and web connectivity from satellites. Peace and quiet. But researchers at the security consulting firm IOActive say that software bugs in the platforms ships use to access the internet could expose data at sea. And these vulnerabilities hint at larger threats to international maritime infrastructure.
A report published Thursday outlines two flaws in the AmosConnect 8 web platform, which ships use to monitor IT and navigation systems while also facilitating messaging, email, and web browsing for crewmembers. Compromising AmosConnect products, developed by the Inmarsat company Stratos Global, would expose extensive operational and personal data, and could even undermine other critical systems on a ship meant to be isolated.
“It’s low-hanging fruit,” says Mario Ballano, principal security consultant at IOActive who conducted the research. “The software that they’re using is often 10 to 15 years old, it was meant to be implemented in an isolated way. So other software in these environments probably suffer from similar vulnerabilities, because the maritime sector originally didn’t have connection over the internet. But now things are changing.”
The two vulnerabilities Ballano found in AmosConnect 8 aren’t readily accessible, but would provide deep access into a ship’s systems for an attacker with a gateway onto the ship’s network—perhaps through a compromised mobile device brought on board, a tainted USB stick used to exchange documents at ports, or physical access. The first bug, in the platform’s login form, would allow an attacker to access the database where the software stores its credentials, revealing all the username and password sets. Even worse, AmosConnect 8 stores these credential pairs in plaintext, meaning an attacker wouldn’t even need to crack an encryption scheme to use what they find.
The other flaw involves a backdoor account built into every AmosConnect server. The account has full system privileges and can use a tool called the AmosConnect Task Manager to execute remote commands. The backdoor is guarded by a ship’s “Post Office ID” (used to coordinate wireless connectivity at sea, like satellite internet) and a password. But Ballano found that the password was derivable because it was generated from the Post Office ID using a simple algorithm. This means an attacker could gain privileged remote access to the Task Manager’s setup and configuration pages governing the whole platform.
Maritime networks are generally architected to isolate systems like navigation, industrial control, and general IT—an important security practice. But with administrative privileges on AmosConnect, an attacker would be in position to probe for flaws in this setup.
“Usually the different parts of a ship’s networks don’t have a lot of overlap, but there has to be some flow of traffic to exchange data at some points within the network,” Ballano says. “So there’s the possibility that if you break into the server where AmosConnect is installed you might be able to access some of those other networks. In that case the attack gets worse, because an attacker might be able to jump from one network to another.”
IOActive says it contacted Inmarsat about the AmosConnect 8 findings beginning in October 2016. Inmarsat promised fixes for the bugs, and also began notifying its customers in November 2016 that it would end support for AmosConnect 8 in June. The company encouraged customers to downgrade to an older platform, AmosConnect 7. It is unclear whether this was in reaction to IOActive’s findings or unrelated. Inmarsat claims that it issued patches for AmosConnect 8 before retiring the entire platform and fully disabling it. IOActive disputes that Inmarsat patched the flaws.
“When IOActive brought the potential vulnerability to our attention, early in 2017, and despite the product reaching end of life, Inmarsat issued a security patch that was applied to AC8 to greatly reduce the risk potentially posed,” Inmarsat says in a statement to WIRED. “Inmarsat’s central server no longer accepts connections from AmosConnect 8 email clients, so customers cannot use this software even if they wished to.”
A Computer Emergency Response Team vulnerability report about the bugs noted, “Successful exploitation of this vulnerability may allow a remote attacker to access or influence AmosConnect 8 email databases on computers that are installed onboard ships. AmosConnect 8 has been deemed End of Life, and no longer supported.” Before AmosConnect 8 was disabled, the nonprofit Mitre Corporation listed both bugs’ “Likelihood of Exploit” as “Very High.”
Thousands of ships worldwide use the AmosConnect platform, and those that haven’t migrated to the older version will remain exposed indefinitely. That potentially longstanding, widespread vulnerability only adds to what experts describe as a general lack of security in maritime connectivity. Much like other infrastructure and industrial control systems developed before the advent of the internet or before its widespread adoption, maritime industries are now scrambling to implement comprehensive cybersecurity protections.
In June, a dangerous spoofing attack—unrelated to the AmosConnect vulnerability—disrupted GPS service for about 20 ships in the Black Sea. Later that month, the largest terminal in the Port of Los Angeles was closed for days when its tenant, the Danish shipping company Maersk, was hobbled by the NotPetya ransomware attack. “The June cyberattack that impacted the Port of Los Angeles revealed serious vulnerabilities in our maritime security, and we must address these weaknesses before it is too late,” Congresswoman Norma Torres said on Tuesday when a maritime cybersecurity bill she introduced passed the House of Representatives.
Legislation could certainly help keep networks at sea shipshape. But deeper structural changes will need to come soon if the industry is going to keep up with a rapidly evolving cyberthreat that it wasn’t built to withstand.
October 26, 2017 10:45am: This article has been updated to include a statement from Inmarsat and clarification about AmosConnect 8’s availability.