{"id":10100,"date":"2017-10-26T04:45:16","date_gmt":"2017-10-26T12:45:16","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/10\/26\/news-3873\/"},"modified":"2017-10-26T04:45:16","modified_gmt":"2017-10-26T12:45:16","slug":"news-3873","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/10\/26\/news-3873\/","title":{"rendered":"A Bug in a Popular Maritime Platform Isn&#8217;t Getting Fixed"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/59f119e9b8d8b304906693d0\/master\/pass\/Maritime-Feature.jpg\"\/><\/p>\n<p><strong>Credit to Author: Lily Hay Newman| Date: Thu, 26 Oct 2017 12:00:00 +0000<\/strong><\/p>\n<p data-reactid=\"247\"><span class=\"lede\" data-reactid=\"248\">Ah, the high <\/span><!-- react-text: 249 -->seas. Nothing around you but salt air, water for miles, and web connectivity from satellites. Peace and quiet. But researchers at the security consulting firm IOActive say that software bugs in the platforms ships use to access the internet could expose data at sea. And these vulnerabilities hint at larger threats to international maritime infrastructure.<!-- \/react-text --><\/p>\n<p data-reactid=\"250\">A report published Thursday outlines two flaws in the AmosConnect 8 web platform, which ships use to monitor IT and navigation systems while also facilitating messaging, email, and web browsing for crewmembers. Compromising AmosConnect products, developed by the Inmarsat company Stratos Global, would expose extensive operational and personal data, and could even undermine other critical systems on a ship meant to be isolated.<\/p>\n<p data-reactid=\"251\">\u201cIt\u2019s low-hanging fruit,\u201d says Mario Ballano, principal security consultant at IOActive who conducted the research. \u201cThe software that they\u2019re using is often 10 to 15 years old, it was meant to be implemented in an isolated way. 
So other software in these environments probably suffer from similar vulnerabilities, because the maritime sector originally didn\u2019t have connection over the internet. But now things are changing.\u201d<\/p>\n<p data-reactid=\"252\">The two vulnerabilities Ballano found in AmosConnect 8 aren&#x27;t readily accessible, but would provide deep access into a ship\u2019s systems for an attacker with a gateway onto the ship\u2019s network\u2014perhaps through a compromised mobile device brought on board, or a tainted USB stick used to exchange documents at ports. The first bug is in the platform\u2019s login form that would allow an attacker to access the database where credentials are stored for the software, revealing all the username and password sets. Even worse, AmosConnect 8 stores these credential pairs in plaintext, meaning an attacker wouldn\u2019t even need to crack an encryption scheme to use what they find.<\/p>\n<p data-reactid=\"260\">The other flaw exploits a backdoor account built into every AmosConnect server that has full system privileges, and can use a tool called the AmosConnect Task Manager to execute remote commands. The backdoor is guarded by a ship\u2019s \u201cPost Office ID\u201d (used to coordinate wireless connectivity at sea, like satellite internet) and a password. But Ballano found that the password was derivable because it was generated off of the Post Office ID using a simple algorithm. This means an attacker could gain privileged remote access to the Task Manager\u2019s setup and configuration pages governing the whole platform.<\/p>\n<p data-reactid=\"263\">Maritime networks are generally architected to isolate systems like navigation, industrial control, and general IT\u2014an important security practice. 
But with administrative privileges on AmosConnect, an attacker would be in position to probe for flaws in this setup.<\/p>\n<p data-reactid=\"264\">\u201cUsually the different parts of a ship\u2019s networks don\u2019t have a lot of overlap, but there has to be some flow of traffic to exchange data at some points within the network,\u201d Ballano says. \u201cSo there\u2019s the possibility that if you break into the server where AmosConnect is installed you might be able to access some of those other networks. In that case the attack gets worse, because an attacker might be able to jump from one network to another.\u201d<\/p>\n<p data-reactid=\"265\">IOActive says it contacted Inmarsat about the AmosConnect 8 findings beginning in October 2016. Inmarsat, which did not respond to a request from WIRED for comment, apparently promised fixes for the bug, but also began notifying its customers in November 2016 that it would end support for AmosConnect 8 in June. The company encouraged customers to downgrade to an older platform, AmosConnect 7. It is unclear whether this was in reaction to IOActive\u2019s findings or unrelated, but Inmarsat has not issued patches for AmosConnect 8.<\/p>\n<p data-reactid=\"266\"><!-- react-text: 267 -->A Computer Emergency Response Team <!-- \/react-text --><a href=\"https:\/\/www.kb.cert.org\/vuls\/id\/586501\" target=\"_blank\" data-reactid=\"268\">vulnerability report<\/a><!-- react-text: 269 --> about the bugs noted, \u201cSuccessful exploitation of this vulnerability may allow a remote attacker to access or influence AmosConnect 8 email databases on computers that are installed onboard ships. 
AmosConnect 8 has been deemed End of Life, and no longer supported.\u201d<!-- \/react-text --><\/p>\n<p data-reactid=\"274\">Thousands of ships worldwide use the AmosConnect platform, and those that haven\u2019t migrated to the older version will remain exposed indefinitely. That potentially longstanding, widespread vulnerability only adds to what experts describe as a general lack of security in maritime connectivity. Much like other infrastructure and industrial control systems developed before the advent of the internet or before its widespread adoption, maritime industries are now scrambling to implement comprehensive cybersecurity protections.<\/p>\n<p data-reactid=\"275\">In June, a dangerous spoofing attack\u2014unrelated to the AmosConnect vulnerability\u2014disrupted GPS service for about 20 ships in the Black Sea. Later that month, the largest terminal in the Port of Los Angeles was closed for days when its tenant, the Danish shipping company Maersk, was hobbled by the NotPetya ransomware attack. \u201cThe June cyberattack that impacted the Port of Los Angeles revealed serious vulnerabilities in our maritime security, and we must address these weaknesses before it is too late,\u201d Congresswoman Norma Torres said on Tuesday when a maritime cybersecurity bill she introduced passed the House of Representatives.<\/p>\n<p data-reactid=\"276\">Legislation could certainly help keep networks at sea shipshape. But deeper structural changes will need to come soon if the industry is going to keep up with a rapidly evolving cyberthreat that it wasn&#x27;t built to withstand.<\/p>\n
<p><a href=\"https:\/\/www.wired.com\/story\/bug-in-popular-maritime-platform-isnt-getting-fixed\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/59f119e9b8d8b304906693d0\/master\/pass\/Maritime-Feature.jpg\"\/><\/p>\n<p><strong>Credit to Author: Lily Hay Newman| Date: Thu, 26 Oct 2017 12:00:00 +0000<\/strong><\/p>\n<p>The AmosConnect 8 web platform has vulnerabilities that could allow data to be exposed\u2014underscoring deeper problems with maritime security.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714],"class_list":["post-10100","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10100","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=10100"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10100\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=10100"}],"wp:term":[{"taxonomy":"category",
"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=10100"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=10100"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}