Security researchers at IOActive have disclosed critical security vulnerabilities in Stratos Global’s AmosConnect 8.4.0, a satellite-based shipboard communication platform used in the maritime sector.

AmosConnect 8 is a PC-based SATCOM service, introduced in 2010, that integrates many communication tools such as email, fax, telex, GSM text and interoffice communication.

According to the researchers from IOActive, Inmarsat, which owns Stratos Global, considered the research irrelevant because it related to a communication platform that has been discontinued.

“When IOActive brought the potential vulnerability to our attention, early in 2017, and despite the product reaching end of life, Inmarsat issued a security patch that was applied to AC8 to greatly reduce the risk potentially posed,” reads the statement issued by Inmarsat.

The vendor speculated the attack scenario shown by the experts would be difficult to realize.

Experts at IOActive confirmed that the vulnerabilities impact thousands of customers worldwide running the newest version of the AmosConnect platform that is used in vessels.

The vulnerabilities discovered by the researchers include a blind SQL injection, tracked as CVE-2017-3221, in a login form and a backdoor account (CVE-2017-3222) that gives attackers full system privileges.

The blind SQL injection vulnerability in the AmosConnect 8 login form could be exploited by unauthenticated attackers to access the login credentials of other users.

“A Blind SQL Injection vulnerability is present in the login form, allowing unauthenticated attackers to gain access to credentials stored in its internal database. The server stores usernames and passwords in plaintext, making this vulnerability trivial to exploit,” states the advisory published by IOActive.
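
The two weaknesses the advisory names, login input reaching the SQL text and passwords stored in plaintext, are shown below next to a hardened form of the same check. This is an added example, not AmosConnect code or code from the IOActive advisory; the table names, sample account and PBKDF2 work factor are constructed assumptions.

```python
import hashlib, hmac, os, sqlite3

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_db():
    """Constructed in-memory database holding one sample account in both forms."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE plain_users (name TEXT, password TEXT)")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    db.execute("INSERT INTO plain_users VALUES ('master', 'S3a-Pass!')")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("master", salt, _hash("S3a-Pass!", salt)))
    return db

def weak_login(db, name, password):
    """Weak pattern: input concatenated into SQL, password compared in plaintext."""
    sql = ("SELECT 1 FROM plain_users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None

def hardened_login(db, name, password):
    """Bound parameter keeps input as data; only a salted hash is stored."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, _hash(password, salt))

def demo():
    db = make_db()
    odd = "' OR '1'='1"  # constructed input containing SQL metacharacters
    # The weak query's logic is altered by the input; the hardened one is not.
    return weak_login(db, "master", odd), hardened_login(db, "master", odd)

if __name__ == "__main__":
    print(demo())
```

With the hardened form, a read of the `users` table yields salts and hashes rather than reusable passwords, which addresses the advisory's point that plaintext storage is what made the injection trivial to exploit.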