UK: Controls manufacturer RDM says it will be contacting customers reminding them to set secure passwords after hackers revealed that hundreds of its systems are vulnerable to cyber attack.
Israeli hackers and activists from the Safety Detective research lab have exposed the extent to which users’ failure to change manufacturers’ default passwords has left thousands of refrigeration and air conditioning systems vulnerable.
Using Shodan, the search engine for internet-connected devices, the hackers uncovered a major security breach in systems manufactured by Glasgow-based controls manufacturer Resource Data Management (RDM).
These control systems are used by a wide range of companies and industries including hospitals and supermarket chains all over the world.
A basic scan is said to have revealed hundreds of installations in the UK, Australia, Israel, Germany, the Netherlands, Malaysia, Iceland, and many other countries around the world. Safety Detective argues that as each installation has dozens of machines under it, many thousands of units could be vulnerable.
The systems all use the unsecured HTTP protocol on port 9000 (or sometimes 8080, 8100, or even simply 80) and still have the default username and password combination. The hackers say that not only can you change refrigerator and freezer settings through this system, you can also modify user settings, alarm settings, and more.
Sites exposed included a UK Marks and Spencer supermarket in Surrey, Italian food manufacturer Menu Italiano, one of the largest pharmaceutical companies in Malaysia, a coldstore in Dusseldorf, and a food storage facility in Iceland.
RDM insists that its controls documentation states that the default passwords must be changed when the system is installed, and argues that it has no control over how its systems are set up by the installer. However, it said it would write to all its known customers, installers and distributors reminding them of the importance of changing the default user names and passwords as part of their installation and setup.
Concerns over the vulnerability of the increasing number of internet-connected devices prompted European manufacturers’ group ASERCOM to publish a free-to-download guide to securing components against the threat of cyber-attacks.
Last month the Cooling Post revealed that a Dutch man had received a prison sentence for hacking into a supermarket refrigeration system and changing the temperature settings.