Broadband satellite terminals using Iridium Pilot and OpenPort have been found to contain undocumented hardcoded login credentials (CWE-798). Additionally, these broadband satellite terminals utilize an insecure proprietary communications protocol that allows unauthenticated users to perform privileged operations on the devices (CWE-306).
Iridium Pilot and OpenPort are a shipboard communication device used to communicate voice and data from ship-to-ship and to ground stations through the Iridium satellite constellation.
CWE-798 - Use of Hardcoded Credentials - CVE-2014-0326
A remote unauthenticated attacker may be able to gain privileged access to the device. Additionally, a remote unauthenticated attacker may be able to execute arbitrary code on the device.
We are currently unaware of a practical solution to this problem.
Thanks to Cesar Cerrudo and Ruben Santamarta for reporting these vulnerabilities.
This document was written by Chris King.