CERT/CC researchers examined the satcom terminal Cobham EXPLORER 710 as an expansion of work from IOActive’s findings in 2014. They discovered multiple new vulnerabilities affecting the device and the firmware, some of which could allow an unauthenticated, local attacker to gain access to sensitive information or complete control of the device.
|The Cobham EXPLORER 710 is a portable satellite terminal used to provide satellite telecommunications and internet access. For consistency, “device” mentioned in the following section is defined as the Cobham EXPLORER 710. The affected firmware version is 1.07 for all of the vulnerabilities listed below unless otherwise noted.|
In addition to the findings above, we have found some configuration issues within the device that can leave it vulnerable to attackers. The default WiFi password is publicly documented as the serial number of the device and can be easily brute forced. Additionally, important security headers are missing, which leaves the device vulnerable to cross-site scripting and clickjacking.
|The impacts of these vulnerabilities are that an unauthenticated, local attacker could intercept traffic that may include passwords or sensitive data, remotely execute commands on the device, access files that should be restricted, and make changes to the device that could include uploading custom firmware for control over it.|
|The CERT/CC is currently unaware of a practical solution to these problems.|
This document was written by Kyle O’Meara and David Belasco of the CERT Coordination Center of the Carnegie Mellon Software Engineering Institute.