Thursday, 30 January 2014

Raymarine: Security FAIL, Customer Services FAIL

Three weeks ago I visited the London boat show with my laptop.  My aim was to try and test the GoFree extensions to kplex but sadly Navico weren't at the show.  Stopping by the Raymarine stand I tried to confirm what I'd been told: that the new Raymarine MFDs don't have an IP-based nmea-0183 server like the competition.  Most of my boat's electronics are Raymarine, but my plotter is one of their older models which I may soon consider updating.  Sadly there was no-one on the stand with any knowledge in this area so I asked the rep if he'd mind if I connected my laptop to an MFD to see for myself what services were available.  I was told to help myself.

All wireless security was off on the MFDs, presumably for show convenience as according to the manuals this is not the default.  After connecting up to an e165 I listened for traffic (none), so with the consent of the rep on the stand I did a basic port scan (tcp only) to check for services.

21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
111/tcp   open  rpcbind
2049/tcp  open  nfs
6000/tcp  open  X11
6668/tcp  open  irc
8080/tcp  open  http-proxy
50000/tcp open  ibm-db2 
I couldn't help but wonder whether the services running on these ports were really what the ports are officially assigned to, since a port scanner only reports the IANA name.  The ftp port does indeed seem to have a copy of tnftpd running which supports anonymous access.  Dropbear sshd is running on 22 and both it and the telnet daemon running on 23 give a login prompt.  There is indeed something serving http on 8080.  I didn't poke the (apparent) X11 or irc ports but rpcbind is really a portmapper:

   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp  52498  mountd
    100005    1   tcp  35944  mountd
    100005    2   udp  52498  mountd
    100005    2   tcp  35944  mountd
    100005    3   udp  52498  mountd
    100005    3   tcp  35944  mountd
    100024    1   udp  44953  status
    100024    1   tcp  52967  status
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100227    2   tcp   2049  nfs_acl
    100227    3   tcp   2049  nfs_acl
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100227    2   udp   2049  nfs_acl
    100227    3   udp   2049  nfs_acl
    100021    1   udp  49439  nlockmgr
    100021    3   udp  49439  nlockmgr
    100021    4   udp  49439  nlockmgr
    100021    1   tcp  40926  nlockmgr
    100021    3   tcp  40926  nlockmgr
    100021    4   tcp  40926  nlockmgr  

Although running mountd, no network file systems are apparently exported.

If you installed a standard Linux or other UNIX system from CD 15 years ago it would have come with all the services you would probably ever need running and waiting to be used.  In a secure or business environment it would then be someone's job (often mine as it happens) to customise the installation process so that everything that wasn't needed was turned off.  These days distributions and vendors are more security conscious: they deliver systems with most services turned off by default and leave it to the customer to enable those which they deem necessary.

There are a lot of apparently unnecessary things here.  Everything necessary for sharing file systems, but no files shared.  Notably, the telnet service is running.  Telnet was the predominant protocol for command line login to systems until around the turn of the century.  Its problem is that everything, including passwords, is sent unencrypted, so passwords are easily snooped by anyone listening in.  Consequently it was superseded by the "secure shell" (ssh).  ssh encrypts all communications and also performs other functions like file transfer (scp and sftp) and some nifty port forwarding.  Use of telnet is deprecated these days so it is a surprise to see it running, especially when the ssh service is also running: it is hard to imagine what telnet is needed for when ssh is there.  Since ssh also performs file transfer functions, the ftp service (also running, and allowing anonymous logins) would also appear to be unnecessary.

Maybe there was a reason for all of this, but it seemed a sound hypothesis that Raymarine had simply concentrated on their app and forgotten to turn off unnecessary OS services.  This is generally considered bad practice both from an efficiency point of view (idle services don't cause much system overhead, but they're still unnecessary) and from a security perspective.  They may have no known security flaws today, but flaws in them may be publicised at some point in the future, and a service nobody knows is running is one nobody will think to patch.  The fewer services you run, the less chance that you are running something that could give access to an attacker.
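As an added illustration of the minimal-services argument above (this is example code written for this post, not anything from Raymarine or from the MFD), here is a small triage script that reads port-scan and rpcinfo output of the shape shown earlier and reports which listeners violate a simple policy: cleartext logins, services made redundant by ssh, an X11 server on the network, anything not on an allowlist, and an NFS stack registered with the portmapper when nothing is exported.  The sample lines are constructed to match the scan on this page; the policy table, in particular the choice of ssh and the 8080 http service as the only "expected" listeners, is an assumption for the example and not Raymarine's.

```python
"""Triage a TCP port scan and an rpcinfo dump against a minimal-services policy.

Example code for this post: the policy below is an assumption, not a vendor
baseline, and the sample input is constructed to match the scan on the page.
"""
import re

# Constructed sample: nmap-style port lines as seen on the MFD.
SCAN = """\
21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
111/tcp   open  rpcbind
2049/tcp  open  nfs
6000/tcp  open  X11
6668/tcp  open  irc
8080/tcp  open  http-proxy
50000/tcp open  ibm-db2
"""

# Constructed sample: rpcinfo -p style lines (tcp subset).
RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100005    1   tcp  35944  mountd
    100024    1   tcp  52967  status
    100003    3   tcp   2049  nfs
    100021    4   tcp  40926  nlockmgr
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")

# Assumed policy. Keyed by port, because the name a scanner prints is only the
# IANA assignment for that port, not what is actually listening.
EXPECTED = {22, 8080}                 # assumption: admin ssh and the MFD's own http app
CLEARTEXT_LOGIN = {23: "telnet", 21: "ftp"}
REDUNDANT_WITH_SSH = {23: "ssh on 22 already gives an encrypted shell",
                      21: "scp/sftp over ssh already transfer files"}
X11_PORT = 6000
NFS_PROGRAMS = {"mountd", "nfs", "nfs_acl", "nlockmgr", "status"}


def parse_scan(text):
    """Return {port: iana_name} for every open TCP port in nmap-style output."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m and m.group(2) == "tcp" and m.group(3) == "open":
            ports[int(m.group(1))] = m.group(4)
    return ports


def parse_rpcinfo(text):
    """Return the set of RPC service names registered with the portmapper."""
    services = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0].isdigit():   # skips the header row
            services.add(fields[4])
    return services


def triage(ports, rpc_services, exports_present=False):
    """Return (severity, port, message) findings.

    exports_present says whether 'showmount -e' listed any exports; on the
    page it listed none, so the NFS stack is just surface area.
    """
    findings = []
    for port, name in sorted(ports.items()):
        if port in CLEARTEXT_LOGIN:
            findings.append(("high", port,
                             f"{CLEARTEXT_LOGIN[port]}: credentials cross the network in cleartext"))
            if 22 in ports:
                findings.append(("medium", port, f"redundant: {REDUNDANT_WITH_SSH[port]}"))
        elif port == X11_PORT:
            findings.append(("high", port, "X11 display server reachable from the network"))
        elif port not in EXPECTED:
            findings.append(("low", port,
                             f"'{name}' is only the IANA name; banner-grab it, then disable if unneeded"))
    registered = rpc_services & NFS_PROGRAMS
    if registered and not exports_present:
        findings.append(("medium", 111,
                         "NFS stack registered (" + ", ".join(sorted(registered))
                         + ") but nothing exported; stop nfsd/mountd/lockd/statd and rpcbind"))
    return findings


def by_severity(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 3, 'low': 4}."""
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, port, msg in triage(parse_scan(SCAN), parse_rpcinfo(RPCINFO)):
        print(f"[{sev:6}] {port:>5}/tcp  {msg}")
```

Run it as is and it lists ten findings for the scan above; feed it your own `nmap` and `rpcinfo -p` output (and set `exports_present` from `showmount -e`) to get the same triage for another box.  Keying the policy on port numbers rather than the scanner's service names is deliberate, since the point of the "is it really irc?" question is that the name proves nothing until you have looked at the banner.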

I posted a question on Raymarine's support forum saying that I'd noticed apparently superfluous services running on their MFDs and was this perhaps an oversight.  The post was immediately removed and I was contacted by a moderator who told me to post the question privately using their "Ask Raymarine" contact form.
This I did and received a mail telling me that the query had been forwarded to their engineering department and I would receive a reply in due course.

At this time I started thinking about writing a post about the differing approaches of the established computer industry and the marine electronics industry to software development and network security, but thought it appropriate to wait for a response from Raymarine.  If there was a sound explanation for these services, or if the issue was simply an acknowledged oversight which would be corrected in the next release, then I didn't really have a story: errors happen in all organisations and don't necessarily indicate a problem of ethos.  Failure to react, on the other hand, would indicate a culture that is worth questioning.

A week went by with no reply so I mailed again, asking when I could expect a reply as I was considering writing an article related to my observations.  This got the attention of their press office and I was quickly contacted to ask about my writing qualifications, what I was writing about and who I was writing for.  I gave them the information they asked for and asked about the possibility of interviewing their head of product development about the approach to security in current and future network-connected products, including any proposed OneNet security strategy.

I received no reply.  Another week passed.  I mailed the press office back to ask how things now stood and was told that as my query did not relate to a system I had installed on my boat, I could not expect to receive a reply.

I left it another week before posting this, just in case they decided to answer my original query. They didn't.

Clearly I am personally disappointed.  I wasted time following a procedure I was told to follow by a Raymarine representative, was told to expect a reply, was grilled for information about my background and then simply ignored.  Not encouraging on the customer services front.  Not good PR either, as a simple reply wouldn't have encouraged me to write about the company negatively.

It does make me question their procedure for handling security reports, which large established software vendors will have.  Do they have one? Did I not receive a reply because they believed that this was a non-issue but couldn't be bothered to reply to me, or because the question never reached the right people?

The marine electronics industry has traditionally dealt in closed systems which people did not try to deliberately break for fun and profit.  Are they now blundering like naifs into the connected world with the same approach?  Unfortunately the system is no longer guaranteed to be closed.  It may be connected to the Internet.  A customer might unwittingly connect a malware infected PC to it.  The person on the next boat may simply enjoy cracking wireless systems.

For the past quarter century the mainstream computing industry has operated with the constraint that security cannot be simply an afterthought.  What customer-impacting events will it take to bring the marine electronics industry into the 1990s?
