Security firm warns of Copeland controller vulnerabilities
3rd September 2025
USA: A cyber security company says it has exposed vulnerabilities in Copeland E2 and E3 controllers that could enable unauthorised persons to remotely manipulate parameters and disable systems.
California-based Armis claims to have identified ten vulnerabilities affecting the controllers, which are widely used in the air conditioning and refrigeration industry for controlling equipment including compressor groups, condensers and walk-in units, HVAC and lighting systems.
Collectively, Armis has named them Frostbyte10 and said it has worked with Copeland to investigate these findings, understand the underlying issues, and work towards a resolution.
According to Armis, the flaws discovered could have allowed unauthorised actors to remotely manipulate parameters, disable systems, execute remote code, or gain unauthorised access to sensitive operational data. It warns that, when combined and exploited, these vulnerabilities can result in unauthenticated remote code execution with root privileges.
This could result in food being spoiled and cold chain logistics and cooling systems being rendered inoperable. The vulnerabilities could also leave users open to attackers seeking to disrupt or ransom retail infrastructure providers. There is, however, no evidence that any of these vulnerabilities have been found and exploited.
Upgrading to Copeland’s latest firmware version 2.31F01 is said to mitigate all the security issues.
“Due to the severity of these vulnerabilities and the impact, we urge any organisation using these controllers to assess their current exposure and to deploy mitigation actions immediately,” Armis warns.
In response to questions from the Cooling Post as to how customers had been alerted to the vulnerabilities, Copeland said: “We have had direct and open communication with affected customers, providing transparent updates and patching ahead of the disclosure.”
The company emphasised that there had been no reported incidents related to the vulnerabilities, “and customers with large installed bases have been proactively contacted to ensure they are informed and supported”.
Copeland went on to say: “It is important to note that the disclosed vulnerabilities are not remotely exploitable when the products are installed and configured according to the provided instructions.”
According to a report on The Register website, one of the major flaws was due to a predictable default password that is generated daily (the password includes the date), which could be abused to gain system administrator privileges.
Quoting Copeland’s VP of software Josh Weaver, The Register report says that this “One Day” user admin default was available due to “customer demand” as it “made it easier for refrigeration contractors to remotely access and control the systems”. The latest firmware update 2.31F01 fixes this issue and the One Day password is no longer supported.
Copeland’s E2 facility management system has long been considered a standard in the industry. Introduced in 2021, the E3 supervisory control is designed as a direct upgrade to the E2 system, offering enhanced features such as a built-in 10-inch touchscreen display, faster processing power, increased memory, and remote accessibility via web browsers or mobile devices. The E3 controller has been gaining popularity among OEMs, contractors, and service technicians for its modern interface and improved capabilities.






