
CommBox ‘hack’ offers cyber lessons

KVH has responded to claims by an ethical hacker that he had managed to ‘hack’ a live satcom CommBox, the communications management system used by the satcoms company alongside its mini-VSAT system, saying that the equipment said to have been compromised was not connected to the KVH network and was not being used by a KVH satcom customer.

In a blog post published by security company Pen Test Partners, ethical hacker Ken Munro said that by using Shodan, a free search engine for internet-connected devices, he had been able to find listings for several maritime satcom terminals connected through different providers.

One search, using the string ‘html:commbox’, returned what Mr Munro described as “a nice collection of KVH CommBox terminals.”

Clicking through to one of these search results brought up a Username and Password log-in for a CommBox, with the vessel name displayed on the screen as well as a ‘Show Users’ button, which was said to have provided “a list of all the crew online at that point.”

Based on the information accessible through that link, Mr Munro was able to discover the first and last name of the crew member connected to the satcom system at that time, and after a short Google search “had the Facebook profile of the deck cadet who we had spotted using the commbox.”

“This poor chap is ripe for phishing – we know pretty much everything about him,” the post continues.

“Simple phish, take control of his laptop, look for a lack of segregation on the ship network and migrate on to other more interesting devices. Or simply scrape his creds to the commbox and take control that way.”

It is important to note that the methods used to connect to the satcom equipment on this particular ship would not be successful if applied to a standard CommBox installation. Since the publication of the post, KVH has moved to clarify that the CommBox in question was not in fact in use by one of its customers, and was not connected to the KVH network.

In a statement issued in response to questions on the issue from Digital Ship, KVH said that: “The vessel satcom box mentioned was evidently assigned an unrestricted static public internet IP address associated with another satellite service provider network, not with KVH.”

“KVH’s practices for its own airtime services (had it been on our network) are designed to guard against such circumstances by blocking all inbound access from the internet by default when customers request static public IP addresses.”

Perhaps the most important lesson to be learned from this ‘hacking’ episode is that the use of technology on board a ship in a manner not consistent with the best practices recommended by the manufacturer or operator opens up an enormous level of risk when it comes to a potential cyber-attack.

In his post, Mr Munro recommends, at a minimum, that TLS (Transport Layer Security) be implemented on satcom management boxes, that complex passwords be used to replace default credentials, and that all firmware be kept updated.

Qualified and professional maritime satcom installation personnel should make sure that precautions like these are taken when a system is implemented onboard ship. Cutting corners on implementation and configuration can create an invitation into the shipboard network – and the consequences of such a breach could be extremely costly.
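The two defensive points above can be made concrete: KVH's statement that inbound internet access is blocked by default on a static public IP, and Mr Munro's minimum checklist (TLS on the management interface, default credentials replaced, firmware current). The following is an added illustration written for this article, not code from KVH, Pen Test Partners or Digital Ship. The interface names, the TEST-NET addresses, the packet records and the device configuration values are all constructed; the firmware version strings are placeholders, not real KVH releases.

```python
"""Default-deny inbound filtering for a satcom box with a static public IP,
plus a hardening audit of its management interface.

Added example, not vendor code. Addresses (RFC 5737 TEST-NET ranges),
interface names, ports and version strings are constructed placeholders.
"""
from __future__ import annotations
from dataclasses import dataclass

WAN_IF = "wan"   # side facing the satellite provider / internet (assumed name)
LAN_IF = "lan"   # shipboard network side (assumed name)
BOX_PUBLIC_IP = "203.0.113.10"   # constructed static public IP of the box
INTERNET_HOST = "198.51.100.7"   # constructed remote host on the internet


@dataclass(frozen=True)
class Packet:
    iface_in: str   # interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool       # True for a new TCP connection attempt


class DefaultDenyInbound:
    """Stateful filter: sessions opened from the ship side are allowed and
    remembered; unsolicited connections arriving from the internet are dropped.
    NAT is omitted for clarity, so the box itself is the session endpoint."""

    def __init__(self) -> None:
        # (local_ip, local_port, remote_ip, remote_port) of outbound sessions
        self._established: set[tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.iface_in == LAN_IF:
            # Outbound traffic creates state so the reply can come back in.
            self._established.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if pkt.iface_in == WAN_IF:
            # Only replies to sessions the ship opened are admitted.
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self._established:
                return "ACCEPT"
            # Everything else from the internet, including a browser reaching
            # for the CommBox login page on 80/443, is dropped by default.
            return "DROP"
        return "DROP"   # unknown interface: fail closed


def run_example() -> list[str]:
    """Constructed packet sequence showing the policy in action."""
    f = DefaultDenyInbound()
    packets = [
        Packet(WAN_IF, INTERNET_HOST, 51000, BOX_PUBLIC_IP, 80, True),    # drive-by login attempt
        Packet(LAN_IF, BOX_PUBLIC_IP, 40000, INTERNET_HOST, 443, True),   # ship opens HTTPS outbound
        Packet(WAN_IF, INTERNET_HOST, 443, BOX_PUBLIC_IP, 40000, False),  # reply to that session
        Packet(WAN_IF, INTERNET_HOST, 443, BOX_PUBLIC_IP, 40001, False),  # spoofed reply, no state
    ]
    return [f.decide(p) for p in packets]


@dataclass
class MgmtConfig:
    """Management-interface facts as recorded in an installation checklist."""
    ui_scheme: str            # "http" or "https"
    credentials_changed: bool # vendor default credentials replaced?
    firmware: str             # installed version (placeholder string)
    latest_firmware: str      # vendor's current release (placeholder string)
    wan_inbound_allowed: bool # inbound from internet permitted on the public IP?


def parse_version(v: str) -> tuple[int, ...]:
    return tuple(int(part) for part in v.split("."))


def audit(cfg: MgmtConfig) -> list[str]:
    """Return the findings from Mr Munro's minimum checklist plus KVH's
    default-deny practice; an empty list means the box passes."""
    findings = []
    if cfg.ui_scheme.lower() != "https":
        findings.append("management UI not served over TLS")
    if not cfg.credentials_changed:
        findings.append("default credentials still in use")
    if parse_version(cfg.firmware) < parse_version(cfg.latest_firmware):
        findings.append(f"firmware {cfg.firmware} behind latest {cfg.latest_firmware}")
    if cfg.wan_inbound_allowed:
        findings.append("inbound internet access allowed on static public IP")
    return findings


if __name__ == "__main__":
    print(run_example())
    print(audit(MgmtConfig("http", False, "1.2.0", "1.3.1", True)))
```

The filter models the behaviour KVH describes: a static public IP is fine as long as nothing from the internet can open a connection to it, and only replies to sessions the ship itself started are admitted. The audit function is the installation-time check a satcom installer would run against the recorded configuration; a box listed on Shodan with a visible login page would fail on at least the last finding.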


Digital Ship magazine provides the latest information about maritime satellite communications technology, software systems, navigation technology, computer networks, data management and TMSA. It is published ten times a year.


Digital Ship Ltd
Digital Ship - Digital Energy Journal
39-41 North Road
N7 9DP
United Kingdom

Copyright © 2020 Digital Ship Ltd. All rights reserved