Penetration testing on a series of VSAT modems unearthed vulnerabilities to cyber threats and hackers
To ensure maritime VSAT is cyber secure, shipowners need to regularly change passwords, ensure firewalls are enabled and software updates are applied.
It is vital that all ship-to-shore communications are secure as more ships and seafarers are linked to the internet for communications, data transmissions, operational information exchange and performance monitoring.
A ship’s satellite communications terminal should be secure from hackers and cyber threats but tests this year on VSAT modems demonstrate some are not as secure as they should be.
Trustwave SpiderLabs gained access to a SatLink 2000 VSAT modem in May 2019 during penetration testing.
Penetration testers discovered this modem was vulnerable to reflected cross-site scripting, and only supported insecure protocols for its management and application.
Trustwave senior security researcher Karl Sigler told Maritime Digitalisation & Communications that vulnerabilities were identified and SatLink released firmware updates to its modems to improve their security.
“VSAT modems are the frontline gateway,” he says. “There were widespread vulnerabilities. Vendors have realised they are behind the curve in security. However, they have been serious about dealing with the issues and fixing problems,” says Mr Sigler.
One of the vulnerabilities identified by Trustwave in its investigation was in the web interface. It discovered a reflected cross-site scripting issue affecting SatLink 2000, SatLink 2900 and SatLink 2910 modems when they were running visual memory unit software versions prior to 18.1.0.
This web interface did not properly sanitise input for error messages, which meant hackers could inject arbitrary client-side code.
“Hackers could add their own code to the modem, send links and execute codes, create fake passwords and capture cookies,” says Mr Sigler.
Trustwave identified a second issue, as these modems only supported insecure protocols such as hypertext transfer protocol (HTTP) and Telnet. These clear-text protocols allow a hacker to identify credentials or other sensitive information over the wire. “Hackers could monitor or hijack entire management sessions or inject their own data into the session,” says Mr Sigler.
As a result, in the latest 18.1.0 build, SatLink added SSHv2 and HTTPS support for both SatLink 2900 and SatLink 2910 modems. “These are secure protocols using encryption for web traffic to prevent any attacks or hackers snooping on sessions,” says Mr Sigler.
SatLink dealt with these issues and Mr Sigler says shipowners need to ensure their vendors do the same.
“Owners must make sure patches are in place and downloaded from their vendors and software is up-to-date,” he explains.
Satellite communications terminals are critical onboard equipment that must remain updated and secure. “Owners need to pull themselves up the security tree as hackers are looking for the low hanging fruit,” he says.
BIMCO and the International Chamber of Shipping highlighted cyber security issues in a Witherbys publication, Cyber Security Workbook for On Board Ship Use.
Within the section on satellite communications equipment, the authors guide operators to change administration passwords, as too often they remain the default admin/1234 for years after initial commissioning. Default passwords are easy to find on the dark web and provide easy entry for hackers.
“An attacker is easily able to access the terminal administration interface if all they need to do is use a default password that allows them to take control of the satellite terminal,” says the report.
Once hackers are into the interface, they can access critical networks on the ship, tamper with the software and introduce security flaws.
The report recommends administration passwords are regularly changed and there are no written reminders beside the terminal.
It also guides ship operators to confirm their onboard satellite communications terminal is not available on the public internet. Otherwise, “anyone anywhere in the world can connect to the terminal and attempt to compromise it,” says the report.
To compensate, terminal providers offer private IP addresses and many vessel operators will have a virtual private network for IT staff to use to access terminals.
BIMCO and International Chamber of Shipping recommend terminal software is kept updated with the latest version and an update is enacted every time a vendor issues one.
Updates usually include fixes to security flaws.
If these are sent by email, the ship’s master, or officer responsible for IT, should ensure his vessel has opted to receive these alerts and there is a written log to indicate when updates are completed.
An IT officer should check the current version of the software against the provider’s support web pages and notify the IT department if they do not match. Updates must be applied to satellite terminals if they are not up-to-date.
In addition, firewalls should always be enabled on the satcoms system as the first line of defence against cyber threats. Firewalls need to be integrated with the satcoms system, or an independent firewall should be operating.
If the vessel connection to mobile networks is separated from the satellite terminal, then a standalone firewall can be used to protect the business network.
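The checks described above (software older than 18.1.0, management over clear-text HTTP or Telnet, an unchanged default admin password, a terminal reachable outside private address space, a disabled firewall) can be run as a routine audit over a fleet inventory. The sketch below is an added example, not code from Trustwave, SatLink or the workbook; the inventory fields, vessel names, versions and addresses are constructed for illustration.

```python
import ipaddress

FIXED_BUILD = (18, 1, 0)        # build the article names as carrying the fixes
CLEARTEXT = {"http", "telnet"}  # management protocols the article calls insecure
ENCRYPTED = {"https", "ssh"}
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_version(text):
    """'18.1.0' -> (18, 1, 0), so builds compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))

def audit_terminal(t):
    """Return the list of findings for one terminal inventory record."""
    findings = []
    if parse_version(t["software"]) < FIXED_BUILD:
        findings.append("software older than 18.1.0")
    enabled = {p.lower() for p in t["mgmt_protocols"]}
    if enabled & CLEARTEXT:
        findings.append("clear-text management: " + ",".join(sorted(enabled & CLEARTEXT)))
    if not enabled & ENCRYPTED:
        findings.append("no encrypted management protocol")
    if not t["admin_password_changed"]:
        findings.append("default admin password still set")
    addr = ipaddress.ip_address(t["mgmt_ip"])
    if not any(addr in net for net in RFC1918):
        findings.append("management address is not private")
    if not t["firewall_enabled"]:
        findings.append("firewall disabled")
    return findings

# Constructed inventory: vessel names, versions and addresses are made up.
# 203.0.113.0/24 is a documentation range standing in for a public address.
FLEET = [
    {"vessel": "MV Example A", "model": "SatLink 2910", "software": "9.4.2",
     "mgmt_protocols": ["HTTP", "Telnet"], "admin_password_changed": False,
     "mgmt_ip": "203.0.113.10", "firewall_enabled": False},
    {"vessel": "MV Example B", "model": "SatLink 2900", "software": "18.1.0",
     "mgmt_protocols": ["HTTPS", "SSH"], "admin_password_changed": True,
     "mgmt_ip": "10.20.0.5", "firewall_enabled": True},
]

def audit_fleet(fleet):
    """Map each vessel name to its findings (an empty list means clean)."""
    return {t["vessel"]: audit_terminal(t) for t in fleet}

if __name__ == "__main__":
    for vessel, findings in audit_fleet(FLEET).items():
        print(vessel, "->", findings or "no findings")
```

Comparing versions as integer tuples matters here: as plain strings, "9.4.2" sorts after "18.1.0" and an outdated terminal would pass the check.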
Onboard guidance for cyber secure satellite terminals
These questions should be verified every six months:
Source: Cyber Security Workbook for On Board Ship Use
SatLink owner NSSLGlobal has started providing VSAT connectivity to refugee-rescuing organisation Sea-Eye. NSSLGlobal is also providing tracking hardware, safety systems and training for search and rescue (SAR) missions.
This agreement includes installing communications equipment on Sea-Eye’s third SAR vessel, Alan Kurdi. This involves deploying VSAT IP@EURO 20 equipment, plus devices for Global Maritime Distress and Safety System A3 and long range identification and tracking.
VSAT is used for crew communications and operations support and transmitting media content from the ship.
Sea-Eye manager Gorden Isler says everyone working at Sea-Eye is volunteering, professional seafarers and managers. “Therefore, we have relied on the support and advice of NSSLGlobal, and they have gone beyond that to ensure our ships are seaworthy,” he says.
Sea-Eye has saved around 15,000 people from drowning since its formation in 2015.