Slashdot Mirror


Critical Flaws In Maritime Communications System Could Endanger Entire Ships (helpnetsecurity.com)

Orome1 shares a report from Help Net Security: IOActive security consultant Mario Ballano has discovered two critical cybersecurity vulnerabilities affecting Stratos Global's AmosConnect communication shipboard platform. The platform works in conjunction with the ships' satellite equipment, and integrates vessel and shore-based office applications, as well as provides services like Internet access for the crew, email, IM, position reporting, etc. The first vulnerability is a blind SQL injection in a login form. Attackers that successfully exploit it can retrieve credentials to log into the service and access sensitive information stored in it. The second one is a built-in backdoor account with full system privileges. "Among other things, this vulnerability allows attackers to execute commands with SYSTEM privileges on the remote system by abusing AmosConnect Task Manager," Ballano shared. The found flaws can be exploited only by an attacker that has access to the ship's IT systems network, he noted, but on some ships the various networks might not be segmented, or AmosConnect might be exposed to one or more of them. The vulnerabilities were found in AmosConnect 8.4.0, and Stratos Global was notified a year ago. But Inmarsat won't fix them, and has discontinued the 8.0 version of the platform in June 2017.

41 comments

  1. Not To Worry by mentil · · Score: 2

    Don't worry, there's no way the designer of the system would give details of the backdoor to a sexy enemy spy posing as an industrial espionage spy. No one could make strategic use of that vulnerability unless they did something audacious like nuke all the colonies at once. /s

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    1. Re:Not To Worry by Anonymous Coward · · Score: 0

      I thought back doors were now a good thing according to the government, anyway...

    2. Re:Not To Worry by cstacy · · Score: 1

      Don't worry, there's no way the designer of the system would give details of the backdoor to a sexy enemy spy posing as an industrial espionage spy. No one could make strategic use of that vulnerability unless they did something audacious like nuke all the colonies at once. /s

      Well, I'm pretty sure this has all happened before.

    3. Re: Not To Worry by net28573 · · Score: 1

      So say we all!

      --
      RIP TRICERATOPS, YOU NEVER EXISTED
  2. Tor? by Anonymous Coward · · Score: 0

    The navy did invent the damn thing.

  3. "...could endanger entire ships..." by willoughby · · Score: 4, Funny

    As opposed to endangering only half a ship, I guess...

    1. Re: "...could endanger entire ships..." by Anonymous Coward · · Score: 3, Funny

      Technically the bottom half is already sunk. So there's only a 50% chance that an exploit will cause a problem.

    2. Re:"...could endanger entire ships..." by Anonymous Coward · · Score: 0

      Aye cap'n. I canna give you any more powah!

    3. Re:"...could endanger entire ships..." by ClickOnThis · · Score: 3, Insightful

      As opposed to endangering only half a ship, I guess...

      Less than that, I would think. The vulnerabilities expose a ship's IT systems. Potentially the entire set of IT systems, I suppose, but just the IT systems.

      Now, there may be serious consequences from such a compromise that could endanger the "entire" ship, such as leaks of strategic information, combat readiness, or defense vulnerabilities. But the headline still reads like breathless clickbait.

      --
      If it weren't for deadlines, nothing would be late.
    4. Re: "...could endanger entire ships..." by lucm · · Score: 1

      Your glass is half-full.

      --
      lucm, indeed.
    5. Re: "...could endanger entire ships..." by Anonymous Coward · · Score: 0

      In that case, it's only a 25% chance.

    6. Re:"...could endanger entire ships..." by Chris+Mattern · · Score: 1

      Because ships don't do safety critical things with their IT systems--like, say, navigation.

    7. Re:"...could endanger entire ships..." by houghi · · Score: 1

      The front fell off (Look it up on YouTube. No access here to it, so can't link)

      --
      Don't fight for your country, if your country does not fight for you.
  4. Bound vars & stored procs for queries... apk by Anonymous Coward · · Score: 0

    I don't get why modern wares of any type (even stupidly public web driven ones, encryption in modems + http broken or buggy etc.) aren't assigning a (strongly typed IF possible) string variable with query strings assigned it then sending the var into ExecSQL type statements in ANY language (even script) into a DB with precompiled STORED PROCEDURE for the application/site (however this was implemented when they say 'form') getting user rights from a users table (with DB rights above OS ACL)?

    * Between that & securing your OS & DB you're setup pretty well right there alone!

    BACKDOOR ACCOUNT TOO? WTF?? LOL! Not smart... Your user should only have the accounts (if this was by the makers of the ware here) & your code should be querying their rights on accounts in the DB itself (secured DB) only above & beyond OS ACL filesystem security which uses the same principles mind you from a users table)!

    APK

    P.S.=> SQL Injection SHOULD be a "thing of the past", a BAD memory by this day & age... apk

  5. Captain Tables reporting for duty! by Anonymous Coward · · Score: 0

    (offers snappy salute)

  6. Stop the sensational headlines by Goetterdaemmerung · · Score: 2

    Article says "Could endanger *entire* ships" If this flaw can't sink or disable the engines it isn't endangering them, much less the *entire* ship.

    1. Re:Stop the sensational headlines by Anonymous Coward · · Score: 0

      if they can't communicate or navigate, what are they supposed to do? build a sextant out of pizza boxes?

    2. Re: Stop the sensational headlines by Anonymous Coward · · Score: 0

      Ships that go far enough out to not be able to see the coast should have a no-tech backup for navigation (yes, a sextant). I have no clue if they actually have one, but they definitely should.

    3. Re: Stop the sensational headlines by jalet · · Score: 1

      Some don't, it seems... https://www.youtube.com/watch?...

      --
      Vote green: crap in the ballot box!
    4. Re:Stop the sensational headlines by Anonymous Coward · · Score: 0

      Ship collisions can in fact, "sink or disable engines." Which is accurately described as, "could endanger entire ships." And in fact, could endanger other ships too.

      Makes me wonder if this vulnerability was involved in the recent military ship collisions with private ships.

    5. Re:Stop the sensational headlines by Anonymous Coward · · Score: 0

      Makes me wonder if this vulnerability was involved in the recent military ship collisions with private ships.

      There is a rumor that these collisions as well as the inability to react to the Russian fighter plane in the Black Sea some months ago are demonstrations of the Russians and Chinese that they "own" the systems of US Navy ships worldwide and can switch them on and off. Didn't Trump order some 272 ships back into naval bases recently?
      Having served on a German ship in the 80s, I cannot imagine how a collision of a military ship (let alone 2 in a row) with civil ships would be possible at all: Their main purpose is to recognize other ships (and submarines and airplanes and rockets and torpedoes) as soon as possible and react by fighting them or simply leaving the course of the other ship. That the US ships were not able to do so for some time before, during and after the collision, also cannot be explained by an EMP attack, because then there would be more damages up to even setting all systems to "dead". So, the damage was a limited one (in time and regarding the functions).

      Would be interesting to read other explanations but, please, not "human error"

    6. Re: Stop the sensational headlines by Anonymous Coward · · Score: 0

      I've read that *commercial airliners* had sextants as part of the standard
      "pilot's bag" up through the 1970s

      Hell, a lot of calculations used in the Apollo missions were computed
      with old fashioned slide rules

  7. Re:Bound vars & stored procs for queries... ap by lucm · · Score: 1

    BACKDOOR ACCOUNT TOO? WTF?? LOL! Not smart...

    Backdoor access is typical and often necessary. For instance, iLO on HP or iDRAC on Dell. Or many things based on WS-Management, IPMI, etc. There's also stuff like reserved connections for superusers in Postgres, sqlplus prelim in Oracle, runlevel 1 in linux, and many others.

    This is not a problem by itself as long as it's done properly.

    --
    lucm, indeed.
  8. Re:Bound vars & stored procs for queries... ap by Anonymous Coward · · Score: 0

    SQL should be a thing of the past!

    And what's the OS here?... Oh dear! How low can we go?

  9. Properly, is this inside - the article's proof by Anonymous Coward · · Score: 1

    See subject: I spent a 24++ yr. pro career cross platform programming around many industrial class apps on many a DB (where I had DBA rights or was the DBA) & even on OS ACL usertables? Dump users you don't need (e.g. someone's terminated blow them out that day) of ANY kind when/if possible.

    * This article's proof on that front - Fact is, it's REALLY basic in security.

    (It's PROPERLY... as you said it OUGHT to be, in fact - less risk variables to deal with)

    APK

    P.S.=> A good chunk of securing anything is SHUTTING (or locking) DOORS that don't need to be open (or allowing them open to others, even former company players)... apk

  11. Gesture by racknithi · · Score: 0

    good post like Gesture Lock Screen

  12. Re: Bound vars & stored procs for queries... a by Anonymous Coward · · Score: 0

    Stored procedures are not essential. Parameterized queries will do the trick.

    The problem is that before 2007, nothing used them. There are gobs of programs out there that were largely written that long ago.

    My company spent about half a million bucks changing all of our code over to parameterized queries, a cost we only accepted because it would cost a fuckton more to get hacked. Most companies just won't do that.

  13. Injection by SeattleLawGuy · · Score: 1

    SQL Injection Attacks? What year is this, 2005?

    --
    Real lawyers write in C++
    1. Re:Injection by Anonymous Coward · · Score: 0

      2005? That's way too late.

      Around 2001, my boss's son's website was deleted by an SQL injection attack. My boss mentioned it to our contact at KPMG, who told him that it was a brand new form of attack. Problem was, I remembered having read about that form of attack in a dead tree book around 1993, AND I also remember other parts of said book being outdated at the time I read it. Oh sure, the book called it "shell script injection", but script injection is script injection and unsafe inputs is unsafe inputs no matter what language is used.

  14. In the 70s by Anonymous Coward · · Score: 0

    ... communication shipboard platform.

    As a child, I would tune a Yaesu multi-band receiver into ship-to-shore radio channels: It was mostly medical problems and other issues.

  15. Oh, how horrible! by tlambert · · Score: 1

    Oh, how horrible!

    A vulnerability that allows someone "SYSTEM privileges" is ever so much worse than one which allows "system privileges"!

    Slow security scare day?

    1. Re:Oh, how horrible! by Anonymous Coward · · Score: 0

      Pretty sure they're talking about the Windows SYSTEM security principal, which is a bit more special than even "root" on UNIXen.

    2. Re:Oh, how horrible! by Anonymous Coward · · Score: 0

      Every AI knows that Windows on a ship is a structural weakness.

  16. Call me old fashioned... by Anonymous Coward · · Score: 0

    ..but, just in case, could they install on each ship this hacker-proof technology ?

  17. Sensation is exactly the point by Anonymous Coward · · Score: 0

    How else are these shmucks going to get any attention at all?

    Making lots of noise in a blog then getting it spread around as "news" is what the "cyber security" game is all about. The "news" sites msmash and beauhd frequent are made out of regurgitating these blogpostings in lossy copy/paste form with a sensational headline.

  18. War by SlashDread · · Score: 1

    You guys are refusing to ack it, but you are at WAR. The cyber WAR is already started with Russia. Make no mistake about it.

    Election trolling is one thing, fishing for NSA secrets is another. Troll propaganda yet another. There have been reports of GPS interference near the Russian coast. Several US warships have already been involved in major accidents. Those might be explainable by sheer incompetence of the US Navy apparently current, but don't close your eyes for external influences.

  19. When will they learn? by Anonymous Coward · · Score: 0

    As always, communications systems of any kind should be physically isolated from critical systems. If you really need to pass data from one to the other run it through a one way communications channel with a crazy simple protocol with extreme limits on formatting to make it practically impossible to remotely compromise a system.

  20. NOBODY TELL PLAGUE by Anonymous Coward · · Score: 1

    Imagine the havoc he could wreak with the ship's ballast systems!

  21. I used stored procs in 1999 on Oracle by Anonymous Coward · · Score: 0

    See subject: Precompiled stored procedure server-side via a secured Oracle DB in 1999 here to let the DB do ALL the work, fast as possible - you merely submit a query string (stored in a string variable) & the DB middleware returns the answer!

    I was using Stored Procedures to Oracle on a SUN starfire (coming from Windows 2000 pc's on a network, local & remote campuses thru Citrix (for remote)) as far back as 1999.

    * The proper method is to build a parameterized query (based on field/form values) placed into a variable (strongly typed if possible) to then submit to the secured DB server side into its precompiled stored procs (for performance too, not just security vs. SQLInjection).

    Precompiled stored procs are better for performance (not just parameterized query sent to db 'as is' but in a variable (bound)).

    APK

    P.S.=> A lot of DB's & languages could do it. E.G. - I was doing it from Delphi, MSVC++, & VB to Oracle (crossplatform) or SQLServer (PC server). Both had stored procs also... apk
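
The fix several commenters name for the login-form SQL injection in the summary (parameterized queries instead of spliced query strings), as an added example that is not part of the thread and is not AmosConnect code. The table, account, function names and probe strings are constructed for illustration, and SQLite stands in for whatever database the product used.

```python
import hashlib
import hmac
import sqlite3

def _hash(password):
    # Fixed salt keeps the demo short; real systems use a random per-user salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 10_000).hex()

def make_db():
    """In-memory user table holding one constructed account (not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("crew", _hash("correct horse")))
    return db

def login_concat(db, name, password):
    """Vulnerable form: the user name is spliced into the SQL text."""
    row = db.execute(f"SELECT pw_hash FROM users WHERE name = '{name}'").fetchone()
    return row is not None and hmac.compare_digest(row[0], _hash(password))

def login_param(db, name, password):
    """Hardened form: the user name is bound as a parameter, never parsed as SQL."""
    row = db.execute("SELECT pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], _hash(password))

# Constructed user names containing SQL metacharacters; neither is a real account.
PROBES = ["nobody'", "crew' --"]

def treats_input_as_data(login):
    """True if every probe fails exactly like an unknown user: no error, no login."""
    db = make_db()
    for name in PROBES:
        try:
            if login(db, name, "correct horse"):
                return False  # the input changed which row the query matched
        except sqlite3.Error:
            return False      # the input changed the SQL syntax (error-based signal)
    return True

if __name__ == "__main__":
    for fn in (login_concat, login_param):
        print(fn.__name__, "treats input as data:", treats_input_as_data(fn))
```

The same `treats_input_as_data` check can be kept as a regression test for any login routine with this signature: a database error or a changed match on quote-bearing input is the response difference a blind injection relies on.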