Satellite Internet Gear Aboard Some Ships Exposed to Unauthorized Access

Skippers could find themselves in troubled waters if security for their ship’s satellite communications system is ignored. A researcher has found that satellite ground stations on some vessels expose services over the internet and permit access to their web administration consoles using default credentials.

The discovery was announced Tuesday on Twitter by a French security researcher who uses the handle @x0rz (https://twitter.com/x0rz). He was experimenting with a new service from the Shodan search engine that tracks ships with very small aperture terminal (VSAT) antennas and publicly reachable web services. The researcher posted a picture showing that he successfully logged into the control panel of a Sailor 800 VSAT system.

“Duuuuuude, default creds everywhere,” he said on Twitter, adding that he managed to connect with administrator privileges to the ship.

VSAT technology is used for satellite internet connectivity in remote areas. On ships, it is used for internet-based communication services such as email, web access and voice and video calling. Such equipment integrates a GPS module to give the position of the vessel, and interfaces with various navigational instruments such as a gyro/GPS compass, other receivers and sonar. Altering this equipment’s configuration may lead to loss of satellite connection which could affect all connected instruments. The company managing the ship may also lose track of its vessel.

It’s worth noting that maritime pilots today rely on more than one navigation system, which work independently of one another. The Electronic Chart Display and Information System (ECDIS) can use VSAT to receive the latest chart updates, but this is typically done using a dedicated, secure line. ECDIS also displays data from navigation-related equipment and sensors.

Other security boffins joined x0rz’s experiment, some showing similar achievements: accessing Sailor VSAT system settings through a web interface (here and here), or via telnet and SSH (secure shell) protocols. Attackers with access to the VSAT configuration panel could change azimuth calibration settings, which would feed erroneous information to the ship. They could also install a different firmware, retrieve data logs or track the ship’s course.

Unauthorised changes to the configuration of VSAT gear alone is unlikely to allow hijacking of a ship, but it could lead to access into the local network from where attackers could cause damage to other connected devices, some of critical importance.

Exposing sensitive gear directly to the internet is a serious problem, as repeatedly highlighted by security researchers. Such a warning is also included in the user manual for Sailor VSAT systems, at least from model 600 onward – currently, the latest is model 900. The documentation for the kit is explicit, saying it “is not designed to be connected directly to the Internet” and “must be connected behind a dedicated network security device such as a firewall.” The default password issue is addressed as well, with a warning that it should be changed if communication ports are exposed to the internet, otherwise remote users with malicious intent could access the VSAT system and render it inoperable.

Image credit: Cobham