Cookies help us deliver the best experience on our website. By using our website, you agree to our use of cookies Dismiss

Inmarsat responds to ‘exploit’ claim for retired AmosConnect version

Cyber security firm IOActive has released a report outlining a potential vulnerability it says it discovered in Inmarsat’s AmosConnect platform that would provide a backdoor into the shipboard system – however, Inmarsat has responded to note that the software version in question was already retired prior to IOActive’s test, and that it has also previously issued a patch to close the vulnerability.

{mprestriction ids="1,2"}The research, authored by IOActive's principal security consultant, Mario Ballano, says that the flaws that were discovered in AmosConnect version 8.0 include blind SQL injection in a login form, and a backdoor account that provides full system privileges and could allow remote unauthenticated attackers to execute arbitrary code on the AmosConnect server.

The report notes that, if compromised, this flaw could be leveraged to gain unauthorised network access to information stored in the AmosConnect server and potentially open access to other connected systems or networks.

IOActive says that it informed Inmarsat of these potential vulnerabilities in October 2016, and completed the disclosure process in July of 2017.

In response, an Inmarsat spokesperson noted that AmosConnect 8 (AC8) is no longer in service, and said that the satellite operator had already begun a process to retire that version of the software from its portfolio prior to IOActive’s report, having communicated to customers in 2016 that the service would be terminated in July 2017.

“When IOActive brought the potential vulnerability to our attention, early in 2017, and despite the product reaching end of life, Inmarsat issued a security patch that was applied to AC8 to greatly reduce the risk potentially posed. We also removed the ability for users to download and activate AC8 from our public website,” Inmarsat’s spokesperson said, in a statement.

“It is important to note that this vulnerability would have been very difficult to exploit as it would require direct access to the shipboard PC that ran the AC8 e-mail client. This could only be done by direct physical access to the PC, which would require an intruder to gain access to the ship and then to the computer. (Remote) access was deemed to be a remote possibility as this would have been blocked by Inmarsat’s shoreside firewalls.”

Inmarsat also says that, in addition to the fixes issued, its central server no longer accepts connections from AmosConnect 8 e-mail clients, so the software could not be connected even if a customer wanted to use it. The satellite operator notes that it has made IOActive aware of all of the above information.{/mprestriction}

Related items

  • Inmarsat supports seafarers with 50% off voice calling

    In a direct response to the COVID-19 pandemic and its impact on seafarer well-being, Inmarsat has formalised a sweeping 50 per cent discount for crew voice calling services available for up to 40,000 ships for three months until the end of June.

  • Inmarsat takes founding role in Asian start-ups decarbonisation programme

    Inmarsat has become a founding member of Asia’s first ‘Decarbonising Shipping’ initiative to harness the power of start-ups to meet UN targets on greenhouse gas emissions, which launched earlier this month.

  • Connecting crew during COVID-19

    By Ronald Spithout, president, Inmarsat Maritime. 

    Inmarsat Maritime president Ronald Spithout says providing crews with enhanced levels of connectivity and support is critical at this unprecedented time, and offers an insight into the work already underway with welfare organisations to assist seafarers in need.

  • i4sea signs up as Inmarsat Fleet Data provider

    Brazil-based startup i4sea and Inmarsat have signed an agreement for i4sea to join a group of certified application providers to provide a dedicated application for Inmarsat’s Fleet Data service.

    Fleet Data collects data from onboard sensors, pre-processes that data, and uploads it to a central cloud-based database, equipped with a dashboard and an Application Programming Interface (API).

    The partnership came as a result of the Bluetech Accelerator, a program created by the Portuguese Ministry of the Sea in 2019 to create an ecosystem of maritime innovation and business acceleration. i4sea was one of 20 startups around the world – and the only one from Latin America - selected to develop pilot projects with maritime market leaders including Inmarsat.

    Headquartered in Salvador, Brazil and with offices in São Paulo, Shanghai and London, i4sea will provide a high-precision sea and weather forecasting application with up to seven days forecasting in advance through i4cast’s Atm Ocean tool.

    “As a Certified Application Provider, we will be constantly developing new features to generate increasingly powerful tools for the maritime market,” said i4sea CEO Bruno Balbi. “Working with a company like Inmarsat is really a great deal for i4sea and this is the first smart system that integrates in a single platform, all the essential tools to support decision making regarding vessel’s maneuvers and port terminal’s operations,” he said.

    Six integrated tools are offered and includes services such as ocean and weather hyperlocal forecasts, dynamic draft prediction, terminal efficiency analytics and analysis and prediction of siltation or erosion dynamics of the seabed.

    “We are delighted to be working with such an innovative start-up such as i4Sea, a company we worked with as part of the Portuguese Bluetech accelerator programme earlier this year,” said Marco Cristoforo Camporeale, head of digital Solutions, Inmarsat Maritime. “

    “This tie-up will allow ship operators and managers to both route plan and improve terminal efficiency and this is all achieved through the i4sea application on Fleet Data and via a secure platform that is fully scalable, fleet-wide and now commercially available on both Fleet Xpress and FleetBroadband,” said Mr Camporeale.

    Currently, i4sea's clients include Brazilian companies such as TECON Salvador (Wilson, Sons), Açu Petróleo, CSN Coal and Ore Terminal, Cotegipe Port, Bahia’s Maritime Authority, Itajaí Port, Enseada, among others. There are also international contracts with the ports of Leixões and Sines, in Portugal.

     

  • Fleet Xpress chosen for Nekton ocean research project

    Inmarsat’s Fleet Xpress has been chosen to provide the connectivity backbone enabling images captured by the deep ocean research institute, Nekton from the floor of the Indian Ocean to be transmitted to audiences worldwide.

    The Nekton Institute is an independent, not-for-profit research institute working in collaboration with the University of Oxford. It aims to accelerate the scientific exploration and protection of the oceans.

    The maritime high-speed broadband service provided connectivity to relay broadcast images from Nekton’s submersible off the Seychelles last year. Along with Associated Press, Sky News and Sonardyne, it won the 2019 IBC Innovation Award for Content Distribution and the 2020 Royal Television Society News Technology Award.

    The 2020 mission entitled ‘First Descent – Midnight Zone’ will include a 35-day long voyage starting in mid-March exploring biodiversity around the Maldives, Seychelles and the High Seas. Video, audio and - for the first time - data will be transmitted from the deepest parts of the High Seas in the Indian Ocean to the research vessel Pressure Drop, then relayed via Fleet Xpress to marine science projects focusing on sustainable oceans.

    “The ocean is a key part of each Maldivian,” said president Ibrahim Mohamed Solih of Maldives. “71 per cent rely on the ocean for their primary source of income. We have committed to a 5-year initiative to advance ocean protection and sustainably develop the blue economy. This expedition will help us establish the long-term sustainability of our economic growth, livelihoods and jobs through establishing marine protected areas to build ocean resilience”

    Deep ocean locations are often also the farthest from shoreside support. For high-tech research vessels monitoring and managing subsea activities today, reliable connectivity is becoming an operational as well as a safety need.

    “For all practical purposes, until now it has not been possible for research vessels in remote seas to transmit large quantities of data back to base in real time, let alone stream images suitable for high-definition TV broadcast,” said Peter Broadhurst, senior vice president, Inmarsat. “Nekton’s decision to work with Inmarsat has changed that.”

    Pressure Drop’s video-streaming capability has already been proven through her role in the ‘Five Deeps Expedition’, supporting the world’s only manned submersible able to descend to full ocean depth (11,000m). For its new mission, data from submersibles will feed into the 2022 Indian Ocean Summit, where Seychelles and Maldivian governments, and ‘First Descent’ partners seek to create a sustainable management plan for 2,000,000km2 of ocean.

    Part of the Pressure Drop project also sees Inmarsat installing Fleet Data, the maritime industry's first secure IoT platform, which extracts data from sensors and uploads it to a secure central cloud-based database for easy access with no additional airtime cost. Its use will enable the first-ever transmissions of water chemistry and geophysics datasets.

    Fleet Data will also allow scientific research to be shared onto an open source platform, with processed datasets made available so that registered marine scientists around the world can participate in a virtual Hackathon to interrogate data and publish findings within two weeks. All datasets will be blockchain-coded to ensure security, transparency, and decentralisation.

    “One of the biggest issues is that it can take months or even years to publish data analysis, by which time data may have less relevance and application. By using Fleet Data we can publish data in an instant via an Inmarsat API: this is ground-breaking for marine science and could accelerate the analysis and publication of ocean data,” said Oliver Steed, chief executive, and Nekton.

    Inmarsat’s yachting partner YachtProjects designed, installed and commissioned Pressure Drop’s management and communications systems, including ECDIS, CCTV and open port capability.

    Nekton’s research, sampling and survey technologies fully integrate with shipboard systems, with the YachtProjects’ Seawall package controlling the shipboard network and shaping bandwidth and streaming, with the terminal hardware provided by Intellian Technologies.

     

     

Joomla SEF URLs by Artio

Login/Register

Register or Login to view even more of our content. Basic registration is free.

Register now

Digital Ship magazine provides the latest information about maritime satellite communications technology, software systems, navigation technology, computer networks, data management and TMSA. It is published ten times a year.

 

Address:
Digital Ship Ltd
Digital Ship - Digital Energy Journal
39-41 North Road
London
N7 9DP
United Kingdom

Copyright © 2019 Digital Ship Ltd. All rights reserved           Cookie Policy         Privacy Policy