Notified:  January 16, 2014 Updated: September 12, 2014

Status

Affected

Vendor Statement

For CVE-2014-0326: Iridium is aware of this vulnerability and has taken the necessary steps to address it. We are detecting and blocking use of the identified credentials at the edge where the Iridium network connects to public terrestrial networks. Since all Pilots can only be addressed through the Iridium network, this effectively blocks any remote unauthorized use of the credentials. Iridium has also made changes to the Pilot firmware and this will be released through our normal software release process. For CVE-2014-0327: Iridium is aware of this vulnerability and does not believe it is viable. The firmware upgrade tool described is provided only to service providers, and will not work remotely, the tool must be run on a PC which is directly connected to the on ship Pilot’s BDE (below deck equipment). Any remote attempt to upgrade the firmware will disable the Iridium network connection and the software upgrade will abort. In addition, it is not technically feasible to create a “malicious” version of the firmware as the PILOT has a proprietary Operating system, processor and tool set.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.