IOActive Identifies Security Gaps in Satcom Software
Cybersecurity research firm IOActive has been researching vulnerabilities in satcom systems for years. Last week it reported serious security gaps in a popular software platform for shipboard email, instant messaging, position reporting, file transfer, application integration and crew-use internet service.
One version of this shipboard software – since withdrawn from the market – had two "critical vulnerabilities," IOActive said. First, a flaw in the software's login form could allow attackers to gain access to unencrypted usernames and passwords in an internal database. The exploit was relatively simple, relying on a method known as "SQL injection," a common and well-documented attack that anti-hacking foundation OWASP describes as "extremely simple" to prevent.
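To show why OWASP calls the fix simple, here is an added illustration (not IOActive's or the vendor's code) of the two defects the login flaw combined: a login query built by string concatenation, beside a parameterised version that also stores only salted password hashes, so a leaked table no longer yields usable credentials. The user table, the "crew1" account and its password are constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3


def hash_password(password, salt):
    # Salted PBKDF2-HMAC-SHA256; a stolen hash is not a reusable credential.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db():
    # Constructed in-memory user store. 'password' holds plaintext, as the
    # vulnerable product did; 'salt' and 'pw_hash' hold the hashed form
    # that the fixed login checks against.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password TEXT, salt BLOB, pw_hash BLOB)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        ("crew1", "correct horse", salt, hash_password("correct horse", salt)),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Defect 1: user input is spliced into the SQL text, so a quote in the
    # username changes the query's logic instead of being treated as data.
    # Defect 2: the comparison is against a plaintext password column.
    sql = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn, username, password):
    # Parameterised query: the driver binds the value, it is never parsed
    # as SQL. The password is verified against a salted hash with a
    # constant-time comparison.
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))
```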
In addition, the software's server included a backdoor SysAdmin account. IOActive demonstrated a method to obtain the system administrator password for a given software license number, which would allow the attacker access to full system privileges.
"All in all, these vulnerabilities pose a serious security risk. Attackers might be able to obtain corporate data, take over the server to mount further attacks, or pivot within the vessel networks," IOActive wrote. Even worse, "some of the vulnerabilities uncovered during our SATCOM research might enable attackers to access these systems via the satellite link."
IOActive notified the software's author of these flaws in October 2016, and the faulty version was discontinued as part of an “email modernisation programme” and replaced with a previous edition. "Customers cannot use this software even if they wished to," the satcom firm said in a statement Friday. "It is important to note that this vulnerability would have been very difficult to exploit as it would require direct access to [a] shipboard PC."