Stratos Global, an Inmarsat company, offers the AmosConnect communication shipboard platform to provide narrowband satellite communications, email, fax, interoffice communication, and more for those at sea.
International shipping firms and services often deal with confidential customer data and they may also hold valuable deliveries and so can be a target for threat actors.
However, in the matter of AmosConnect, there was much left to be desired.
IOActive was able to find a critical vulnerability in login forms. The blind SQL injection bug allowed attackers to gain access to credentials stored in internal databases.
"The server stores usernames and passwords in plaintext, making this vulnerability trivial to exploit," IOActive says.
To make matters worse, the team also discovered a backdoor. The AmosConnect server features a built-in backdoor equipped with system privileges, which would give attackers full system and administration privileges and the ability to remotely execute code on the AmosConnect server.
"If compromised, this flaw can be leveraged to gain unauthorized network access to sensitive information stored in the AmosConnect server and potentially open access to other connected systems or networks," the researchers say.
The findings build on previous research conducted by IOActive's Ruben Santamarta, who discovered in September 2016 that he was able to gain full system privileges in AmosConnect 8.4.0, as well as access any other software or data stored therein.
"Essentially anyone interested in sensitive company information or looking to attack a vessel's IT infrastructure could take advantage of these flaws," said Mario Ballano, IOActive principal security consultant. "This leaves crew member and company data extremely vulnerable and could present risks to the safety of the entire vessel. Maritime cybersecurity must be taken seriously as our global logistics supply chain relies on it and as cybercriminals increasingly find new methods of attack."
IOActive informed Inmarsat of the vulnerabilities in October 2016. The Inmarsat AmosConnect 8.0 version has now been discontinued, and so the company recommends that customers revert back to AmosConnect 7.0 or switch to an email solution.
This is not the first instance of such a vulnerability. As previously reported by ZDNetresearchers from Pen Test Partners recently found similar issues in industrial control systems from other major brands including Telenor and Cobham.
In a number of cases, default credentials were ridiculously simple to crack, and in others, Transport Layer Security [TLS] cryptographic protocols were absent.
Ken Munro, one of the firm's security researchers, said these lapses in security are "simply not acceptable" -- and he is right. When these kinds of business are so integral to the economy at large, security cannot be an afterthought.
An Immersat spokesperson told ZDNet:
"Inmarsat had begun a process to retire AmosConnect 8 from our portfolio prior to IOActive's report and, in 2016, we communicated to our customers that the service would be terminated in July 2017.
When IOActive brought the potential vulnerability to our attention, early in 2017, and despite the product reaching end of life, Inmarsat issued a security patch that was applied to AC8 to greatly reduce the risk potentially posed. We also removed the ability for users to download and activate AC8 from our public website.
Inmarsat's central server no longer accepts connections from AmosConnect 8 email clients, so customers cannot use this software even if they wished to. "