Ever since people first set out to explore the world by boat, as Christopher Columbus did, they have faced isolation from the rest of the world. The internet made every corner of the world seem connected and ended that isolation. Now researchers at the security consulting firm IOActive say that software bugs in the platforms ships use to access the internet could expose data at sea. And these vulnerabilities hint at larger threats to international maritime infrastructure.
The two bugs are in the AmosConnect 8 web platform, which ships use to monitor IT and navigation systems while also facilitating messaging, email, and web browsing for crew members. Compromising AmosConnect products, produced by the Inmarsat company Stratos Global, would expose comprehensive operational and personal data, and could even undermine other critical systems on a ship that are meant to be protected.
Mario Ballano, the principal security specialist at IOActive, says, “It’s low-hanging fruit.” “The program that they’re using is often 10 to 15 years of age; it was meant to be implemented in an isolated way. So other software in these conditions probably has problems with similar vulnerabilities, because the maritime sector originally didn’t have a connection to the internet.”
The two vulnerabilities Ballano found in AmosConnect 8 aren’t readily accessible, but they would give deep access to a ship’s systems to an attacker with a gateway onto the ship’s network, perhaps through a compromised mobile device brought on board by a traveller, a tainted USB stick used to transfer documents, or physical access. That means almost anyone could access sensitive data. The first problem is in the platform’s login form, which would allow an attacker to gain access to the database where credentials are stored for the software, disclosing all the username and password pairs. Even worse, AmosConnect 8 stores these credential pairs in plaintext, meaning an attacker wouldn’t even need to crack an encryption scheme to use what they find.
The other flaw involves a backdoor account that is built into every AmosConnect server, has full system privileges, and can use an AmosConnect tool called Job Manager to execute commands remotely. The backdoor is guarded by a ship’s “POSTOFFICE ID” (used to coordinate cellular connection at sea, like satellite internet) and a password. But Ballano found that the password was derivable, since it was generated from the POSTOFFICE ID using a simple algorithm. This means an attacker could gain privileged remote access to the Job Manager’s setup and configuration pages, which govern the complete platform.
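The two weaknesses described above (credentials stored in plaintext, and a privileged password that can be computed from a non-secret ID) shown next to their usual remedies, as an added Python example that is not AmosConnect code or IOActive's. The `derived_secret` function, the `PO-0001` ID, the record format and the sample store are constructed for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed policy value)

def derived_secret(public_id: str) -> str:
    # Constructed stand-in, NOT the product's algorithm: any deterministic
    # function of a non-secret ID can be recomputed by whoever knows the ID.
    return hashlib.sha256(public_id.encode()).hexdigest()[:12]

def random_secret() -> str:
    # Per-installation secret from the OS CSPRNG; unrelated to any identifier.
    return secrets.token_urlsafe(24)

def hash_password(password: str) -> str:
    # Store a salted, slow hash record instead of the password itself.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    try:
        scheme, iters, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iters)
    except ValueError:
        return False  # not a hash record (for example, a plaintext value)
    if scheme != "pbkdf2_sha256" or rounds < 1:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(actual, expected)  # constant-time comparison

def plaintext_accounts(store: dict) -> list:
    # Audit helper: accounts whose stored value is not a well-formed hash record.
    return sorted(u for u, v in store.items()
                  if not (v.startswith("pbkdf2_sha256$") and v.count("$") == 3))

if __name__ == "__main__":
    # Constructed sample store: one legacy plaintext row, one hashed row.
    store = {"master": "Summer2016!", "crew1": hash_password("correct horse")}
    print("needs migration:", plaintext_accounts(store))
    print("reproducible from ID:", derived_secret("PO-0001") == derived_secret("PO-0001"))
    print("crew1 login ok:", verify_password("correct horse", store["crew1"]))
```

A database read exposes only salted hash records under this scheme, and a privileged account's secret cannot be recomputed from an identifier that others can see.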
Maritime networks are generally architected to isolate systems like navigation, industrial control, and general IT (an important security practice). But with administrative privileges on AmosConnect, an attacker would be in a position to probe for flaws in this setup.
IOActive says it first contacted Inmarsat about the AmosConnect 8 findings in October 2016. Inmarsat promised fixes for the bugs and also began notifying its customers in November 2016 that it would end support for AmosConnect 8 in June. The company encouraged customers to downgrade to an older platform, AmosConnect 7. It is unclear whether this was in reaction to IOActive’s findings or unrelated. Inmarsat claims that it issued patches for AmosConnect 8 before retiring the entire platform and fully disabling it. IOActive disputes that Inmarsat patched the flaws.
“Usually the various parts of a ship’s networks don’t have a lot of overlap, but there has to be some flow of traffic to exchange data at some true points within the network,” Ballano says. “So there’s the possibility that if you break into the server where AmosConnect is installed you might be able to access some of those other networks. If so the attack gets worse, because an attacker might be able to leap from one network to another.” These bugs could lead to the next big cyber attack after ransomware.
“When IOActive brought the potential vulnerability to attention, early in 2017, and despite the product reaching the end of life, Inmarsat issued a security patch for AC8 which greatly reduced the risk it posed,” Inmarsat says in a statement to WIRED. “Inmarsat’s central server no longer accepts connections from AmosConnect 8 email clients, so customers cannot use this software even if they wished to.”
A Computer Emergency Response Team report on the bugs noted, “Successful exploitation of this vulnerability may allow a remote attacker to access or influence AmosConnect 8 email databases on computers that are installed onboard ships. AmosConnect 8 is now no more, and will no longer be supported.” Before AmosConnect 8 was disabled, the non-profit Mitre Corporation listed both bugs’ “Likelihood of Exploit” as “Very High.”
Thousands of ships worldwide use the AmosConnect platform, and those that haven’t migrated to the older version will remain exposed. That potentially longstanding, widespread vulnerability only adds to what experts describe as a general lack of security in maritime connectivity. Much like other infrastructure and industrial control systems developed before the advent of the internet or before its widespread adoption, maritime industries are now struggling to implement comprehensive cybersecurity protections.
In June, a dangerous spoofing attack (unrelated to the AmosConnect vulnerability) disrupted GPS service for about 20 ships in the Black Sea. Later that month, the largest terminal in the Port of Los Angeles was closed for days when its tenant, the Danish shipping company Maersk, was hobbled by the NotPetya ransomware attack. “The June cyber attack that impacted the Port of Los Angeles revealed serious vulnerabilities in our maritime security, and we must address these weaknesses before it is too late,” US Congresswoman Norma Torres said about her maritime cybersecurity bill, which passed the House of Representatives.
With the right legislation and software, networks at sea can certainly be kept shipshape. But deeper structural changes should come soon if the industry wants to match a rapidly growing cyber threat it wasn’t created to withstand.