Inmarsat responds to report of cyber vulnerability

OCTOBER 27, 2017 — Satellite communications giant Inmarsat has responded to an advisory issued yesterday by a cyber security specialist that document vulnerabilities uncovered by the firm's white hat hackers. They affect the Amos Connect shipboard communications platform.       

The flaws discovered included blind SQL injection in a login form, and a backdoor account that provides full system privileges that could allow remote unauthenticated attackers to execute arbitrary code on the Amos Connect server, says Seattle, WA, headquartered cyber security specialist IOActive. If compromised, it said, this flaw can be leveraged to gain unauthorized network access to sensitive information stored in the AmosConnect server and potentially open access to other connected systems or networks.

IOActive says that it informed Inmarsat of the vulnerabilities in October 2016 and completed the disclosure process in July of 2017.

You can read the IOActive advisory HERE

Following is Inmarsat's response:

Inmarsat is aware of the IOActive report but it is important to note AmosConnect 8 (AC8) is no longer in service.

Inmarsat had begun a process to retire AmosConnect 8 from our portfolio prior to IOActive’s report and, in 2016, we communicated to our customers that the service would be terminated in July 2017.

When IOActive brought the potential vulnerability to our attention, early in 2017, and despite the product reaching end of life, Inmarsat issued a security patch that was applied to AC8 to greatly reduce the risk potentially posed. We also removed the ability for users to download and activate AC8 from our public website.

Inmarsat’s central server no longer accepts connections from AmosConnect 8 email clients, so customers cannot use this software even if they wished too.

It is important to note that this vulnerability would have been very difficult to exploit as it would require direct access to the shipboard PC that ran the AC8 email client. This could only be done by direct physical access to the PC, which would require an intruder to gain access to the ship and then to the computer. While remote access was deemed to be a remote possibility as this would have been blocked by Inmarsat’s shoreside firewalls.

Inmarsat made IOActive aware of these facts.

Subscribe to Marine Daily for breaking marine news