A widely used shipping satellite communications (Satcomms) system has been shown to be vulnerable to cyber-attack, an ethical hacking company has revealed.
Vulnerabilities affecting Stratos Global’s AmosConnect 8 (AC8) onboard platform were revealed by IOActive, a company that does IT penetration testing for firms across many business sectors and has investigated shipping cybersecurity in the past two to three years.
The AC8 system has been withdrawn by Stratos parent group Inmarsat, which says it had already told customers the product and service would be terminated by July 2017 before IOActive informed it of its findings after laboratory testing it in the autumn of 2016.
IOActive downloaded the AC8 software from an Inmarsat website and discovered it could open a “backdoor account that provides full system privileges that could allow remote unauthenticated attackers to execute arbitrary code on the AmosConnect server”.
AC8 succumbed to a blind SQL attack as it used Structured Query Language within the software, allowing the system to be questioned repeatedly to discover whether each letter of a password is correct.
“Essentially anyone interested in sensitive company information or looking to attack a vessel’s IT infrastructure could take advantage of these flaws,” IOActive principal security consultant Mario Ballano said.
“This leaves crew member and company data extremely vulnerable, and could present risks to the safety of the entire vessel."
Inmarsat says it does not believe the system is as vulnerable as IOActive claims and that it issued a security patch, which greatly reduced the risk before taking the system out of use. No customers can now use AC8, while the AC7 system that Inmarsat has reverted to does not use SQL databases.
“From a customer perspective, it was considered very difficult to exploit this vulnerability because it required direct access to the shipboard PC, which runs the AC8 email client — meaning either direct physical access to the PC or remote access via the internet,” an Inmarsat spokesman told TradeWinds.
Remote access is unlikely because onboard systems are blocked by Inmarsat’s shoreside firewalls, he adds.
Cybersecurity experts advise that vessel networks are isolated from each other to avoid illegal access to one opening a gateway to others, as is increasingly the case.
But IOActive says navigation systems can be interconnected with satcomms on some ships, particularly older ones where legacy equipment has not been updated to account for connectivity with the internet that did not exist when it was built. In this case, control of a vessel could potentially be achieved via this kind of gateway.
Sebastian Wilkinson, IOActive's business development manager for Europe and the Middle East and a former broker with Shipping 360, says the firm has legitimately hacked into some of the world’s largest fleets as part of cyber-penetration tests agreed with shipping companies.
“We’ve hacked fleets to the point where you can take control of a vessel completely,” he told TradeWinds. “We think like hackers. We don’t do a tick box.
“Threat modelling is a big part of what we do. For a lot of organisations, it is actually a defining moment as to what is truly important to them. It’s a thought-provoking exercise.”
Recent events have included an incident in June involving more than 20 vessels in the Black Sea that navigation experts have speculated was due to cyber-attack. Then, in August, a collision involving a US warship and a chemical tanker also led to questions of whether it was the result of cyber tampering.
