Software Engineering Institute

Notified:  October 10, 2013 Updated: June 12, 2014

Status

Not Affected

Vendor Statement

Inmarsat is the market leader in the provision of mobile satellite services, with the largest portfolio of global satellite communications solutions and value-added services on the market. Inmarsat owns and operates four constellations of communication satellites, comprising a total of 11 spacecraft. Inmarsat customers include but are not limited to merchant shipping, governments, airlines, the broadcast media, the oil and gas industry, mining, construction, and humanitarian aid agencies. These customers connect to the Inmarsat fleet of satellites using a variety of devices and related equipment, including global handheld satellite phones and notebook-size broadband internet devices, as well as specialist terminals and antennas fitted to ships, aircraft and road vehicles.

The IOActive researcher identified potential vulnerabilities in the firmware used by some Inmarsat terminal manufacturers.

It is important to stress that the IOActive researcher did not identify any potential vulnerabilities in the Inmarsat network. The potential vulnerabilities are related to firmware used by some vendors that manufacture terminals authorised for use over the Inmarsat network.

It is further important to stress that nature of the terminals operating over the Inmarsat network greatly limits the number and type of security threats which these terminals could potentially encounter. Terminals used on the Inmarsat network primarily operate as communications modems linked to the open Internet. These terminals that access Inmarsat services store no confidential user information and rely upon standard end-to-end IP security mechanisms (encryption) to protect any sensitive user traffic that may pass through them. In addition, the manufacturers have confirmed that, in the majority of instances, physical access to the terminal would be required to make any modification to the firmware.

Inmarsat has been in contact with each of the terminal vendors identified in the CERT Vulnerability Note, and continues to work with them as they publish individual terminal manufacturer responses.

Although, as the network operator, Inmarsat was not identified by IOActive as the source of these potential vulnerabilities, Inmarsat takes any issues relating to security very seriously. The company has therefore been in close contact with CERT and has also reached out to IOActive, to ensure that their research team fully understands the nature of satellite communications and how devices operate over the Inmarsat network.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.