Hidden Backdoor Account Found in Popular Ship Satellite Communications System

LASER_oneXM

A popular satellite communications (SATCOM) system installed on ships across the world is affected by two serious security flaws — a hidden backdoor account with full system privileges and an SQL injection in the login form.

These vulnerabilities affect the AmosConnect 8 designed and sold by Stratos Global, a company acquired in 2009 by mobile satellite services firm Inmarsat Group.

Flaws won't receive patches
The two vulnerabilities are part of a report released today by cyber-security and penetration testing firm IOActive, but they won't receive any patches because Stratos retired the AmosConnect 8 product just months before, in June 2017, according to an end-of-life announcement on the company's site.

"Effective 30 June 2017 we will be discontinuing the availability and support of AmosConnect 8," the company said. "AmosConnect 7 will continue as the primary product offering."

The product's deprecation was not the direct consequence of the discovery of these two flaws but was announced back in November 2016.

AmosConnect 8 boxes are SATCOM systems that are specifically designed to work on ships, oil rigs, and other isolated maritime environments.

The system provides Internet connectivity to ships via a satellite connection. AmosConnect 8 is a password-protected platform that a ship's crew can use to access on-ship Internet services.

Backdoor account grants full system access
According to a report shared with Bleeping Computer before today's publication, the AmosConnect 8 platform comes with a secret backdoor account that allows full access to the platform.

Researchers spotted the backdoor account when they found a function in the AmosConnect source code that was named "authenticateBackdoorUser".

You don't have to be a rocket scientist to realize what the function does. Investigating the code, researchers realized that the backdoor account username is unique per device, and is the "Post Office" ID shown on each AmosConnect 8 login screen.

The password is derived from this ID, and anyone can deduce how to compute it just by looking at the AmosConnect source code and reverse-engineering the authenticateBackdoorUser function.


Besides the backdoor, the same platform was also affected by a blind SQL injection vulnerability in the login form that allowed attackers to gain access to credentials stored in its internal database.
 

zzz00m

I wonder how many more discoveries like this will be made in industrial systems?

Just when we are rolling out self driving cars. What if the AI gets back doored?
 

ForgottenSeer 58943

I suspect the FBI and CIA are anxiously awaiting precisely all of this...

The CIA may be hacking cars, as well as phones and TVs, according to WikiLeaks - ExtremeTech

Then you have Michael Hastings, who angered many powerful people, including the FBI and CIA. He reported his vehicle was acting strange days before it allegedly went out of control. He even borrowed his neighbor's Volvo some days because he was so concerned.

‘People said I was crazy’
 