A software suite intended to let merchant ships’ crews digitally communicate with the world ashore was riddled with security vulnerabilities including undocumented admin accounts with hardcoded passwords and widespread use of Adobe Flash.
Infosec consultancy Pen Test Partners said it took all of 90 minutes to discover enough problems with Dualog Connection Suite to submit six CVE number requests.
In a detailed blog post, the firm said: “Within a few seconds we’d already noticed our first vulnerability, simply by watching the network traffic in the browser developer tools. There were enough signs to warrant deeper investigation.”
Findings included an undocumented admin account with a hardcoded password – a password that Pen Test Partners cracked in 10 minutes. The Oracle database underpinning the suite used the outdated MD5 hash with no salting, meaning researchers were able to brute-force the hashes with relative ease.
Salting is the practice of adding random data, unique to each password, during the hashing process so that passwords or phrases can be stored safely.
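To make the difference concrete, here is an added example (not taken from Pen Test Partners' report or from Dualog's code) that stores the same constructed accounts twice: once as unsalted MD5, where shared passwords show up as identical digests, and once with a per-password salt and a slow key-derivation function. The account names, passwords and the choice of PBKDF2-HMAC-SHA256 with 600,000 iterations are assumptions made for illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (not from the report); two share a password.
SAMPLE_USERS = {"master": "Sea2020!", "chief_eng": "Sea2020!", "cook": "galley-77"}


def md5_unsalted(password: str) -> str:
    """Weak scheme of the kind described above: fast hash, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def shared_digests(table: dict[str, str]) -> list[list[str]]:
    """Group accounts whose stored digests are identical."""
    groups = defaultdict(list)
    for user, digest in table.items():
        groups[digest].append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


def hash_salted(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Hardened scheme: random 16-byte salt per password plus a slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt, key


def verify_salted(password: str, salt: bytes, key: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_salted(password, salt)[1], key)


def demo():
    """Return (groups under MD5, groups under salted KDF, salted records)."""
    weak = {u: md5_unsalted(p) for u, p in SAMPLE_USERS.items()}
    strong = {u: hash_salted(p) for u, p in SAMPLE_USERS.items()}
    strong_hex = {u: key.hex() for u, (_, key) in strong.items()}
    return shared_digests(weak), shared_digests(strong_hex), strong


if __name__ == "__main__":
    weak_groups, strong_groups, _ = demo()
    print("identical digests, unsalted MD5:", weak_groups)
    print("identical digests, salted KDF:  ", strong_groups)
```

With unsalted MD5, one guessed or precomputed digest applies to every account that shares the password; with a per-password salt, each stored value has to be attacked separately and at the KDF's cost.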
The user interface was “secured” with an Adobe Flash app (don’t laugh) with a unique 2FA interface. Users were prompted to enter a six-digit code as the second limb of authenticating themselves to the system. Unfortunately, PTP found that all the numbers required to authenticate “were stored in the Flash application itself and could easily be extracted”.
A closer look at queries made to Dualog Connection Suite’s backend revealed SQL traffic passing back and forth; PTP discovered that tweaking some queries returned “all the details about all of the users… across all ships operated by the company, not just the ship we were on.”
Last but not least, when visiting the login page for the software suite, it autocompleted the username field. When doing so the “entire list of users is downloaded using an API call in the background, leaking all the valid usernames.”
We have asked Dualog’s chief exec if he wishes to comment on PTP’s findings. PTP said it took the best part of 2020 to get a response out of the company, beginning in January and not seeing any updates until a new, Flash-free and updated version of the suite [PDF] was deployed on 8 December.
Digitally securing ships at sea is difficult. Large parts of the shipping industry still see their assets as floating air gaps that occasionally talk to the world ashore, despite innovations to allow crew to use the internet like anyone else in the 20th century.
PTP has dived deep into the field of maritime infosec, finding earlier this year that an oil rig at sea was so insecure that anyone with enough determination could have remotely driven it off.
A few years ago infosec firm IOActive found flaws lurking in a maritime satellite communications platform used by thousands of ships worldwide, to the indifference of the software’s makers.