Large shipping vessels and aircraft are often equipped with VSAT systems, allowing crewmembers to send and receive messages and access the Internet during voyages. Turns out, some of these VSAT systems are profoundly insecure, and could allow an attacker to gain access, and disrupt communications.
Security researcher x0rz discovered that many VSAT systems can be reached from the public Internet. Not only does this mean they can be tracked through services like Shodan, but some are configured in a way that could see a remote attacker gain access using default credentials.
TNW spoke to the x0rz over the messaging app, Signal. At the start of the interview, he wrote “no ships were harmed during [his] experiments.” However, anyone with less scruples could have caused significant harm. The system they obtained access to allowed them to review the call history from the VSAT phone, change the system settings, and even upload new firmware.
They also noted that the VSAT system “might be connected to other onboard devices — maybe more critical,” noting that theoretically, you could exploit a VSAT system to get inside a network, in order to cause more damage.
Because these systems are publicly accessible, it’s possible to figure out where ships are to a troubling precision. During the interview, x0rz gave me the latitude and longitude of a vessel which he insisted was Russian in origin, due to the language used in the system, and its IP address. John Matherly, founder of Shodan, has also created a map where you can track vessels in real-time.
x0rz has only identified a few vulnerable VSAT. These are all from the British manufacturer Cobham (although they note that other systems may ship with the same flaw), and are configured to expose HTTP web services to the Internet. Others exposed SNMP or UDP only.
As pointed out by x0rz, VSAT systems are also popular on aircraft, ranging from small private jets, to military and passenger aircraft.
While it’s theoretically possible that there’s an aircraft equipped with an insecure VSAT system, x0rz noted that they hadn’t found any.
According to Thane & Thane, a Danish shipping company, the VSAT system is used to calibrate instruments. Any disruption could have disastrous consequences.
This news adds a troubling dimension to the “Internet of Insecure Things.” It’s no longer about $10 Chinese-made IP cameras, and hackable fridges. The paradigm now includes boats and planes. With that comes the inherent risk of loss of human life.
Update: Cobham got in touch.
“An individual claimed they achieved unauthorized access to our VSAT system by using default administrative credentials. Our terminals, as is customary with most communications hardware, are delivered with default administrative credentials such as passwords which we strongly advise VSAT users change during technology installation and frequently afterwards in accordance with general password-best-practice processes. We emphasise this in our training and throughout our installations manuals.
A feature of our VSAT terminals allows us to quickly reset the password and regain control of the terminal in the instance of passwords being compromised, as was the case in this instance.”
They also note that it’s standard practice in the industry to deliver systems with default, hard-coded credentials, based on the assumption they’ll be reset with something stronger later.