Ah, the high seas. Nothing around you but salt air, water for miles, and web connectivity from satellites. Peace and quiet. But researchers at the security consulting firm IOActive say that software bugs in the platforms ships use to access the internet could expose data at sea. And these vulnerabilities hint at larger threats to international maritime infrastructure.

A report published Thursday outlines two flaws in the AmosConnect 8 web platform, which ships use to monitor IT and navigation systems while also facilitating messaging, email, and web browsing for crewmembers. Compromising AmosConnect products, developed by the Inmarsat company Stratos Global, would expose extensive operational and personal data, and could even undermine other critical systems on a ship meant to be isolated.

“It’s low-hanging fruit,” says Mario Ballano, principal security consultant at IOActive who conducted the research. “The software that they’re using is often 10 to 15 years old, it was meant to be implemented in an isolated way. So other software in these environments probably suffer from similar vulnerabilities, because the maritime sector originally didn’t have connection over the internet. But now things are changing.”

The two vulnerabilities Ballano found in AmosConnect 8 aren't readily accessible, but would provide deep access into a ship’s systems for an attacker with a gateway onto the ship’s network, perhaps through a compromised mobile device brought on board, a tainted USB stick used to exchange documents at ports, or physical access. The first bug, in the platform’s login form, would allow an attacker to access the database where the software's credentials are stored, revealing all the username and password pairs. Even worse, AmosConnect 8 stores these credential pairs in plaintext, meaning an attacker wouldn’t even need to crack an encryption scheme to use what they find.


The other flaw is a backdoor account built into every AmosConnect server. The account has full system privileges and can use a tool called the AmosConnect Task Manager to execute remote commands. The backdoor is guarded by a ship’s “Post Office ID” (used to coordinate wireless connectivity at sea, like satellite internet) and a password. But Ballano found that the password was derivable because it was generated from the Post Office ID using a simple algorithm. This means an attacker could gain privileged remote access to the Task Manager’s setup and configuration pages governing the whole platform.
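To make the two design problems concrete (plaintext credential storage and a password computed from a non-secret ID), here is an added Python sketch; it is not code from IOActive's report or from AmosConnect. The `derived_password` transform is a constructed placeholder, not the real algorithm, and the ID string and record layout are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

SCRYPT = dict(n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024)

def derived_password(post_office_id: str) -> str:
    """Weak pattern: the password is a pure function of a non-secret ID.
    Constructed placeholder transform, NOT the AmosConnect algorithm."""
    return hashlib.sha256(post_office_id.encode()).hexdigest()[:12]

def provision_account() -> tuple[str, dict]:
    """Hardened pattern: a random per-installation password, shown once to
    the operator; only a salted scrypt hash is kept in the database."""
    password = secrets.token_urlsafe(18)
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return password, {"salt": salt.hex(), "scrypt": digest.hex()}

def verify(record: dict, candidate: str) -> bool:
    """Recompute the hash for a login attempt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.scrypt(candidate.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(digest.hex(), record["scrypt"])

if __name__ == "__main__":
    ship_id = "CONSTRUCTED-ID-0001"  # constructed sample value
    # Anyone who learns the ID recomputes the same "secret".
    print("derived twice, identical:",
          derived_password(ship_id) == derived_password(ship_id))
    password, record = provision_account()
    # A database dump now yields a salt and a hash, not a usable password.
    print("stored record:", record)
    print("correct password accepted:", verify(record, password))
    print("ID-derived guess accepted:",
          verify(record, derived_password(ship_id)))
```
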

Maritime networks are generally architected to isolate systems like navigation, industrial control, and general IT—an important security practice. But with administrative privileges on AmosConnect, an attacker would be in position to probe for flaws in this setup.