Security researchers revealed on Friday that the temperature control systems used in freezers at thousands of locations ranging from grocery stores to hospitals to pharmaceutical companies are subject to simple sabotage. To raise hell, all anyone would need to know is where to look and the systems’ stupidly guessable default password.
The vulnerability, researchers say, affects internet-connected thermostats made by Resource Data Management (RDM), which supplies companies all over the world. Security officials at the research lab Safety Detective claim in their report that they were able to identify 7,419 installations of RDM’s products with major vulnerabilities. The researchers say that each installation controls dozens of machines, and that RDM has left many of its clients vulnerable to attack by not requiring a change to the default password.
Using Shodan’s search engine for internet-connected devices, the researchers found that it was remarkably easy to access an RDM system, adjust the temperatures and alarm settings, and even obtain floor plans for the facilities where the refrigeration units are housed. In the case of a food storage facility in Iceland, for example, sabotage by a bad actor could theoretically result in a tremendous waste of the products it stores as well as damage to the freezers themselves, the researchers say. In the case of a hospital in the UK or the largest pharmaceutical company in Malaysia, tampering with the systems could theoretically have life-threatening consequences.
In their report, the researchers claim:
These systems all use the unsecured HTTP protocol and the 9000 port (or sometimes 8080, 8100, or even simply 80). They all come with a default username and “1234” as the default password, which is rarely changed by system administrators. All the screenshots taken in this report didn’t require entering the user and password but it came to our knowledge that almost all devices used the default password.
While the researchers claim it’s easy to locate the proper URL to access one of these systems, they didn’t go into further detail in an effort to protect RDM. Remarkably, RDM doesn’t seem very interested in protecting its own clients. The Safety Detective report outlines the steps it took to mitigate this problem before disclosing it publicly and says its efforts were rebuffed by the company. The researchers claim that their initial email explaining the situation went unanswered, so they proceeded to contact RDM through social media channels and received the following response:
Thank you for your email and approach. Having looked at your services they are not of interest to our company.
As a senior team member within the company can I please ask you to refrain from contacting us any further, on any of individual or general email accounts. It would also be greatly appreciated if you could refrain from tagging us on posts on social media.
The company apparently realized that its response was insufficient and later sent a more detailed comment. An RDM spokesperson explained to the researchers that it was the client’s responsibility to make any password changes and it cannot make software updates remotely without a client’s permission. They said that RDM “will write to all our known customers, Installers and distributors today reminding them of the importance of changing the default usernames and passwords and part of their installation and set up.” Unfortunately, many admins appear to be skipping the optional step of changing the password, something that’s entirely predictable.
We asked RDM if there is any particular reason it doesn’t simply require a password change before the system can operate and a spokesperson sent us the same statement that was supplied to the security researchers. “We have no control over how our systems are set up by the installer and we suggest your article is directed at the users and installers of our equipment,” they wrote. So, uh, RDM clients, if you’re listening, I guess you should look into that.
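For readers wondering what "require a password change before the system can operate" means in practice, here is an added example that is not RDM's code or API: a controller that accepts the factory login only for the purpose of replacing it. The class, method names, minimum length and starting setpoint are assumptions made for illustration.

```python
import hashlib
import hmac
import os

FACTORY_PASSWORD = "1234"  # default password reported in the article
MIN_LENGTH = 12            # assumption: length policy chosen for this example


class SetupRequired(Exception):
    """Raised when control is attempted before the default is replaced."""


class Controller:
    """Hypothetical device controller; not RDM's firmware or API."""

    def __init__(self):
        self._salt = os.urandom(16)
        self._hash = self._derive(FACTORY_PASSWORD)
        self.default_active = True   # stays True until change_password succeeds
        self.setpoint_c = -18.0      # constructed sample value

    def _derive(self, password):
        # Salted, slow hash so the stored value is not the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 200_000)

    def _check(self, password):
        # Constant-time comparison of the derived hashes.
        return hmac.compare_digest(self._hash, self._derive(password))

    def change_password(self, current, new):
        if not self._check(current):
            raise PermissionError("current password is wrong")
        if new == FACTORY_PASSWORD or len(new) < MIN_LENGTH:
            raise ValueError("new password is the factory default or too short")
        self._salt = os.urandom(16)
        self._hash = self._derive(new)
        self.default_active = False

    def set_setpoint(self, password, celsius):
        if not self._check(password):
            raise PermissionError("bad credentials")
        if self.default_active:
            # Valid login, but the only permitted action is change_password.
            raise SetupRequired("change the factory password first")
        self.setpoint_c = celsius
        return self.setpoint_c
```

With a gate like this, an installer who skips the password step ends up with a unit that cannot be configured, instead of one that works with the default still in place.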
As TechCrunch points out, California recently passed a law that bans default passwords on new consumer electronics beginning in 2020. The Scotland-based RDM may not be particularly worried about California, but the European Union is also eyeing new regulations for IoT products. Of course, if RDM’s clients start experiencing major issues, the manufacturer’s headaches could begin long before any regulations are implemented.