Boarding the VSAT: Real-World Exploits, Testbed Validation, and Policy Gaps in Maritime Connectivity
This talk demonstrates a multi-stage attack chain against maritime VSAT systems, from remote exploitation of web interfaces through lateral movement to manipulation of industrial control systems (ICS). The researchers identify multiple vulnerabilities in VSAT antenna control units (ACUs) and network switches that enable unauthorized access to, and control over, critical shipboard infrastructure. The presentation highlights the risks of blurred IT/OT network boundaries in modern autonomous ships and provides a methodology for building realistic testbeds to validate these threats. The researchers demonstrate remotely shutting down shipboard equipment by overwriting PLC projects from a compromised HMI.
How Maritime VSAT Systems Are Being Used as a Pivot Point for ICS Attacks
TLDR: Researchers at DEF CON 2025 demonstrated a multi-stage attack chain against maritime VSAT systems, moving from exposed web interfaces to full control of industrial control systems (ICS). By exploiting command injection and authentication flaws in antenna control units, they gained the ability to manipulate shipboard equipment and overwrite PLC projects. This research highlights the critical risk of blurred IT/OT boundaries in modern shipping and provides a methodology for building realistic testbeds to validate these threats.
Modern maritime operations rely heavily on Very Small Aperture Terminal (VSAT) systems to maintain connectivity, but these systems are increasingly the weakest link in the shipboard network. As ships transition toward autonomous navigation and remote diagnostics, the traditional air gap between IT and Operational Technology (OT) is disappearing. This research shows that a single internet-exposed web interface on a satellite antenna controller is enough to give an attacker a foothold that leads to physical control of a vessel.
The Attack Chain: From Web Interface to Physical Control
The research focuses on the Antenna Control Unit (ACU), a device that manages the satellite link and often provides a web-based management interface. The researchers identified six distinct vulnerabilities across these systems, ranging from Cross-Site Scripting (XSS) to Command Injection.
The attack starts with OSINT. Using tools such as Shodan or Criminal IP, an attacker can identify thousands of internet-facing ACU web interfaces. Many of these devices still run with default credentials, which are published in manufacturer documentation. Once logged in to the ACU, the attacker has a direct pivot point into the ship's internal network.
The researchers demonstrated that by exploiting command injection vulnerabilities, specifically CVE-2023-44856 and CVE-2023-44857, they could execute arbitrary commands on the ACU. From there, they performed network reconnaissance using standard tools such as ping and nc to map the internal network, eventually reaching the Human-Machine Interface (HMI) that controls the ship's propulsion systems.
Technical Deep Dive: Firmware Rehosting
One of the most impressive aspects of this research is the methodology used to analyze the firmware without needing to purchase expensive, proprietary hardware. The researchers used binwalk to extract the filesystem from the firmware images and then used QEMU to emulate the environment.
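As an added helper, not code from the talk or from any ACU vendor, the following script automates the first decision in that rehosting workflow: reading the ELF header of a binary pulled out of the extracted filesystem to pick the matching qemu-user-static emulator, then printing the chroot invocation. The extraction path, the target binary name and the architecture-to-emulator table are assumptions for illustration; the page does not say which architecture the real ACU uses.

```python
"""Added example (not from the talk): choose the qemu-user-static emulator for a
binary extracted from a firmware image and print the rehosting commands.

Assumes binwalk has already extracted the root filesystem, e.g.
    binwalk -e firmware.bin   ->  _firmware.bin.extracted/squashfs-root/
The e_machine -> emulator table covers architectures common in embedded
networking gear; extend it as needed. All paths here are illustrative."""
import struct
from pathlib import Path
from typing import List, Tuple

# ELF e_machine values (ELF specification) keyed with the file's endianness.
QEMU_BY_MACHINE = {
    (0x28, "little"): "qemu-arm-static",
    (0xB7, "little"): "qemu-aarch64-static",
    (0x08, "little"): "qemu-mipsel-static",
    (0x08, "big"): "qemu-mips-static",
    (0x03, "little"): "qemu-i386-static",
    (0x3E, "little"): "qemu-x86_64-static",
    (0x14, "big"): "qemu-ppc-static",
}


def elf_arch(header: bytes) -> Tuple[int, str]:
    """Return (e_machine, endianness) from the first 20 bytes of an ELF file.

    Byte 5 is EI_DATA (1 = little-endian, 2 = big-endian); e_machine is the
    16-bit field at offset 18 and is stored in the file's own byte order."""
    if len(header) < 20 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = {1: "little", 2: "big"}.get(header[5])
    if endian is None:
        raise ValueError("unsupported EI_DATA value %r" % header[5])
    fmt = "<H" if endian == "little" else ">H"
    (machine,) = struct.unpack_from(fmt, header, 18)
    return machine, endian


def qemu_for(header: bytes) -> str:
    """Map an ELF header to the qemu user-mode emulator binary name."""
    machine, endian = elf_arch(header)
    try:
        return QEMU_BY_MACHINE[(machine, endian)]
    except KeyError:
        raise ValueError(
            "no emulator mapped for e_machine=0x%x (%s-endian)" % (machine, endian)
        ) from None


def rehost_commands(root: str, target: str, emulator: str) -> List[str]:
    """Shell commands to run `target` inside the extracted root under qemu-user.

    The emulator is copied into the root so it is reachable after chroot;
    chroot itself needs root privileges (hence sudo)."""
    return [
        "cp /usr/bin/%s %s/" % (emulator, root),
        "sudo chroot %s /%s %s" % (root, emulator, target),
    ]


def plan_rehost(root: str, target: str) -> List[str]:
    """Read the target's ELF header from the extracted root and build the plan."""
    with open(Path(root) / target.lstrip("/"), "rb") as fh:
        header = fh.read(20)
    return rehost_commands(root, target, qemu_for(header))


if __name__ == "__main__":
    import sys
    # e.g. python rehost.py _firmware.bin.extracted/squashfs-root /usr/sbin/httpd
    print("\n".join(plan_rehost(sys.argv[1], sys.argv[2])))
```

Running a single binary this way (qemu user-mode inside a chroot) is usually enough to reach the web handler, but expect to stub or preload libraries that talk to NVRAM or hardware before the service starts cleanly.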
By rehosting the firmware, they were able to run the ACU web interface locally on their own machines. This allowed them to debug the binary that handles web requests and identify the exact point where user input reaches a system call without validation. The following reconstructed snippet shows the vulnerability: the sender and recipient HTTP parameters end up in the string passed to system().
// Vulnerable code snippet from the ACU web interface (decompiler output).
// sub_21904 is the decompiler's auto-generated name for the helper that pulls
// the "sender" and "recipient" request parameters into command_buffer.
if (sub_21904(function_input, "sender", "recipient")) {
    // command_buffer still holds the raw parameter values: no metacharacter
    // filtering and no allowlist, so a value such as "a;reboot" is run by /bin/sh.
    system(command_buffer);
}
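To make the defect concrete, here is the same pattern rewritten in Python next to a hardened version. This is an added example, not code from the talk or from any ACU vendor: the parameter names sender and recipient come from the talk, while the mail command, the address allowlist and the function names are assumptions for illustration.

```python
"""Added example (not from the talk or any vendor code): the command-injection
pattern from the decompiled ACU handler, and a hardened replacement.

Assumed for illustration: the handler invokes a mail binary with the two
request parameters; SENDMAIL can be any path for the purpose of the demo."""
import re
import subprocess
from typing import List

SENDMAIL = "/usr/sbin/sendmail"  # assumed path


def build_shell_command(sender: str, recipient: str) -> str:
    """VULNERABLE: request values are interpolated into a single command string,
    which is what the decompiled handler does before calling system()."""
    return "%s -f %s %s" % (SENDMAIL, sender, recipient)


def run_vulnerable(sender: str, recipient: str) -> int:
    """shell=True hands the string to /bin/sh, so ';', '|', '&&', '$(...)' and
    backticks inside either parameter are interpreted as shell syntax."""
    return subprocess.run(build_shell_command(sender, recipient), shell=True).returncode


# Allowlist for the e-mail address parameters. Nothing the shell could interpret
# (; | & $ ` ( ) < > whitespace, newline) can match this pattern.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._+\-]+@[A-Za-z0-9.\-]+")


def is_safe_address(value: str) -> bool:
    return len(value) <= 254 and ADDRESS_RE.fullmatch(value) is not None


def build_argv(sender: str, recipient: str) -> List[str]:
    """HARDENED: validate against the allowlist, then return an argv list.
    Raises ValueError for any value outside the allowlist."""
    for name, value in (("sender", sender), ("recipient", recipient)):
        if not is_safe_address(value):
            raise ValueError("rejected %s=%r" % (name, value))
    return [SENDMAIL, "-f", sender, recipient]


def run_hardened(sender: str, recipient: str) -> int:
    """shell=False (the default): the argv list goes straight to execve(), so even
    a metacharacter that slipped past validation would be a literal argument."""
    return subprocess.run(build_argv(sender, recipient), check=False).returncode


if __name__ == "__main__":
    payload = "bridge@example.com; reboot"
    print("vulnerable command line:", build_shell_command("ops@example.com", payload))
    try:
        build_argv("ops@example.com", payload)
    except ValueError as exc:
        print("hardened handler:", exc)
```

The two fixes are independent and both matter: the allowlist stops the injected payload at the edge, and the argv form removes the shell from the path entirely, so a future parameter that nobody thought to validate cannot reintroduce the bug.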
This approach is a model for deep-dive research on embedded devices on a budget. For a pentester, it means you do not need to buy the hardware to build a lab: if you can obtain a firmware image, you can often replicate the entire attack surface in an emulated environment. Expect some friction, though: binaries that read NVRAM or talk to hardware usually need those calls stubbed or their libraries preloaded before the web service will start under emulation.
Real-World Applicability for Pentesters
If you are conducting a penetration test on a maritime client or a company that manages critical infrastructure, you should look for these pivot points. The key takeaway is that the ACU is not just a communication device; it is a gateway. During an engagement, do not stop at the first web interface you find. Map the network behind it. Look for HMIs, PLCs, and other OT devices that are often left unauthenticated because they were "never meant to be connected to the internet."
The impact of this attack is severe. By overwriting a PLC project, an attacker can force a ship to shut down its propulsion system or manipulate sensor data to cause physical damage. The researchers also showed that they could deliver ransomware disguised as a PDF, which the HMI would execute, effectively holding the ship's control systems hostage.
Defensive Considerations
Defenders must move beyond simple compliance. While IACS UR E27 provides a baseline for individual device hardening, it is insufficient against a determined attacker who understands the interdependencies of the entire network.
The most effective defense is strict network segmentation. The ACU should never have a direct path to the HMI or the PLC network; the boundary between the VSAT/IT segment and OT should be deny-by-default. If you are a defender, assume that your internet-facing devices will be compromised. Use a jump host, require multi-factor authentication for all internal management interfaces, and monitor for unusual traffic between your IT and OT segments, in particular any connection from the VSAT side to ICS protocol or management ports on OT hosts.
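The monitoring part of that advice can be reduced to a simple policy check over flow records. The following is an added example, not tooling from the talk: the log format, the subnets (10.10.0.0/24 standing in for the VSAT/ACU segment, 10.20.0.0/24 for the OT segment carrying the HMI and PLCs) and the sample lines are all constructed for illustration.

```python
"""Added example (not from the talk): flag flows that cross from the VSAT/ACU
segment into the OT segment, which the segmentation policy above says should
never happen. Subnets, port tables and log lines are constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

ACU_SEGMENT = ipaddress.ip_network("10.10.0.0/24")   # assumed VSAT/IT side
OT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")    # assumed HMI/PLC side

# Protocols a pivoted attacker would use against HMI/PLC hosts (registered ports).
ICS_PORTS = {102: "S7comm", 502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}
MGMT_PORTS = {22: "SSH", 23: "Telnet", 80: "HTTP", 443: "HTTPS", 3389: "RDP", 5900: "VNC"}


@dataclass
class Alert:
    src: str
    dst: str
    port: int
    reason: str


def parse_flow(line: str) -> Tuple[str, str, int]:
    """Constructed format: 'TIMESTAMP src=A dst=B dport=N proto=tcp'."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return fields["src"], fields["dst"], int(fields["dport"])


def check_flow(line: str) -> Optional[Alert]:
    """Return an Alert for an ACU->OT flow, None for anything else."""
    src, dst, port = parse_flow(line)
    if ipaddress.ip_address(src) not in ACU_SEGMENT:
        return None
    if ipaddress.ip_address(dst) not in OT_SEGMENT:
        return None  # e.g. ACU talking to the satellite modem or its own segment
    if port in ICS_PORTS:
        return Alert(src, dst, port, "ACU segment speaking %s to OT host" % ICS_PORTS[port])
    if port in MGMT_PORTS:
        return Alert(src, dst, port, "ACU segment reaching OT management service %s" % MGMT_PORTS[port])
    return Alert(src, dst, port, "ACU segment crossing into OT segment (should be blocked)")


def scan(lines: Iterable[str]) -> List[Alert]:
    return [a for a in (check_flow(l) for l in lines if l.strip()) if a is not None]


# Constructed sample: one benign flow inside the ACU segment, two ACU->OT pivots,
# and one normal HMI->PLC flow that must not alert.
SAMPLE_FLOWS = """\
2025-08-09T10:00:01Z src=10.10.0.5 dst=10.10.0.1 dport=443 proto=tcp
2025-08-09T10:00:02Z src=10.10.0.5 dst=10.20.0.20 dport=5900 proto=tcp
2025-08-09T10:00:03Z src=10.10.0.5 dst=10.20.0.30 dport=502 proto=tcp
2025-08-09T10:00:04Z src=10.20.0.20 dst=10.20.0.30 dport=102 proto=tcp
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS.splitlines()):
        print("%s -> %s:%d  %s" % (alert.src, alert.dst, alert.port, alert.reason))
```

Feed it real flow exports (NetFlow, firewall logs) after adapting parse_flow, and treat any alert as an incident: with a deny-by-default boundary in place, the only way an ACU-to-OT flow appears is a misconfiguration or a compromise already under way.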
This research is a wake-up call for the maritime industry. The technology is moving faster than the security policies, and the result is a massive, unmanaged attack surface. If you are a researcher, this is a target-rich environment that desperately needs more eyes on it. If you are a founder or a security leader, stop relying on vendor certifications and start running red team engagements that actually test how your systems behave when they are chained together. The ocean is calling, and it is time we secured the bridge.