All wireless security was off on the MFDs, presumably for show convenience as according to the manuals this is not the default. After connecting up to an e165 I listened for traffic (none), so with the consent of the rep on the stand I did a basic port scan (tcp only) to check for services.
PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 23/tcp open telnet 111/tcp open rpcbind 2049/tcp open nfs 6000/tcp open X11 6668/tcp open irc 8080/tcp open http-proxy 50000/tcp open ibm-db2
I couldn't help but wonder whether services running on assigned ports were really what those ports are officially assigned to. The ftp port does indeed seem to have a copy of tnftpd running which supports anonymous accesss. Dropbear sshd is running on 22 and both it and the telnet daemon running on 23 give a login prompt. There is indeed something serving http on 8080. I didn't poke the (apparent) X11 or irc ports but rpcbind is really a portmapper:
program vers proto port service 100000 2 tcp 111 portmapper 100000 2 udp 111 portmapper 100005 1 udp 52498 mountd 100005 1 tcp 35944 mountd 100005 2 udp 52498 mountd 100005 2 tcp 35944 mountd 100005 3 udp 52498 mountd 100005 3 tcp 35944 mountd 100024 1 udp 44953 status 100024 1 tcp 52967 status 100003 2 tcp 2049 nfs 100003 3 tcp 2049 nfs 100227 2 tcp 2049 nfs_acl 100227 3 tcp 2049 nfs_acl 100003 2 udp 2049 nfs 100003 3 udp 2049 nfs 100227 2 udp 2049 nfs_acl 100227 3 udp 2049 nfs_acl 100021 1 udp 49439 nlockmgr 100021 3 udp 49439 nlockmgr 100021 4 udp 49439 nlockmgr 100021 1 tcp 40926 nlockmgr 100021 3 tcp 40926 nlockmgr 100021 4 tcp 40926 nlockmgr
Although running mountd, no network file systems are apparently exported.
If you installed a standard Linux or other UNIX system from CD 15 years ago it would have come with all the services you would probably ever need running and waiting to be used. In a secure or business environment it would then be someone's job (often mine as it happens) to customise the installation process so that everything that wasn't needed was turned off. These days manufacturers are more security conscious and deliver systems with most services turned off by default and leave it to the customer to enable those which they den necessary.
There's a lot of apparently unnecessary things here. Everything necessary for sharing file systems but no files shared. Notably, the telnet service is running. Telnet used to be the predominant protocol for command line login to systems up until the turn of the last century. Its problem is that everything, including passwords, is sent unencrypted so passwords are easily snooped by anyone listening in. Consequently it was superseded by the "secure shell" (ssh). ssh encrypts all communications and also performs other functions like file transfer and some nifty port forwarding. Use of telnet is deprecated these days so it is a surprise to see it running, especially when the ssh service is also running: Hard to imagine what telnet is needed for when ssh is there. Ssh also performs file transfer functions, so the ftp service (also running) might also appear to be unnecessary.
Maybe there was a reason for all of this, but it seemed a sound hypothesis that Raymarine had simply concentrated on their app and forgotten to turn off unnecessary OS services. This is generally considered bad practice both from an efficiency point of view (idle services don't cause much system overhead, but they're still unnecessary) and a security perspective. They may not have any known security flaws, but they may have flaws which will be publicised at some point in the future. The fewer services you run, the less chance that you are running something that could give access to an attacker.
I posted a question on Raymarine's support forum saying that I'd noticed apparently superfluous services running on their MFDs and was this perhaps an oversight. The post was immediately removed and I was contacted by a moderator who told me to post the question privately using their "Ask Raymarine" contact form.
This I did and received a mail telling me that the query had been forwarded to their engineering department and I would receive a reply in due course.
At this time I started thinking about writing a post about the differing approaches of the established computer industry and the marine electronics industry to software development and network security but thought it appropriate to wait for a response from Raymarine. If there was a sound explanation for these services, or if the issue was simply an acknowledged oversight which would be corrected in the next release then I didn't really have a story: errors happen in all organisations and don't necessarily indicate a problem of ethos. Failure to react on the other hand would indicate a culture that is worth questioning.
A week went by with no reply so I mailed again, asking when I could expect a reply as I was considering writing an article related to my observations. This got the attention of their press office and I was quickly contacted to ask about my writing qualifications, what I was writing about and who I was writing for. I gave them the information they asked for and asked about the possibility of interviewing their head of product development about the approach to security in current future network-connected products, including any proposed OneNet security strategy.
I received no reply. Another week passed. I mailed the press office back to ask how things now stood and was told that as my query did not relate to a system I had installed on my boat, I could not expect to receive a reply.
I left it another week before posting this, just in case they decided to answer my original query. They didn't.
Clearly I am personally disappointed. I wasted time following a procedure I was told to follow by a Raymarine representative, was told to expect a reply, was grilled for information about my background and then simply ignored. Not encouraging on the customer services front. Not good PR either, as a simple reply wouldn't have encouraged me to write about the company negatively.
It does make me question their procedure for handling security reports, which large established software vendors will have. Do they have one? Did I not receive a reply because they believed that this was a non-issue but couldn't be bothered to reply to me, or because the question never reached the right people?
The marine electronics industry has traditionally dealt in closed systems which people did not try to deliberately break for fun and profit. Are they now blundering like naifs into the connected world with the same approach? Unfortunately the system is no longer guaranteed to be closed. It may be connected to the Internet. A customer might unwittingly connect a malware infected PC to it. The person on the next boat may simply enjoy cracking wireless systems.
For the past quarter century the mainstream computing industry has operated with the constraint that security cannot be simply an afterthought. What customer-impacting events will it take to bring the marine electronics industry into the 1990s?