Experts from Safety Detective discovered thousands of refrigeration systems made by Resource Data Management (RDM) exposed to remote attacks.
Thousands of instances of a temperature control system made by Resource Data Management (RDM) are exposed to remote attacks because they were using default passwords and failed in implementing other security measures.
The vulnerable instances are used by organizations from several industries, including healthcare providers and supermarket chains such as Marks & Spencer, Ocado, and Way-On.
The experts have found 7,400 devices exposed online by querying the Shodan search engine, most of them in Russia, Malaysia, Brazil, the United Kingdom, Taiwan, Australia, Israel, Germany, the Netherlands, and Iceland.
Systems exposed online could be accessed via HTTP on ports 9000, 8080, 8100, or 80. An attacker can easily access the vulnerable instances because they use a known default username and password combination. In many cases, the web interface can be accessed without authentication.
“They all come with a default username and “1234” as the default password, which is rarely changed by system administrators.” reads the analysis published by Safety Detective.
“All the screenshots taken in this report didn’t require entering the user and password but it came to our knowledge that almost all devices used the default password.”
Experts pointed out that many systems can be easily found using a simple Google search, they explained that the office secretary of the company quickly discovered a cooling factory in Germany and a hospital in the UK.
Accessing the exposed refrigeration systems, an unauthorized attacker can change user and alarm settings. Imagine the damages that could be caused by activating the defrost function, especially when dealing with hospitals where refrigeration systems are used to store blood and drugs.
Safety Detective reported its findings to RDM, but the vendor initially downplayed the report. RDM later acknowledged the risks but highlighted that the issues reported by the experts were caused by wrong installations made by users and installers.
“To clarify the situation from RDM we would
confirm that the default passwords must be changed by the installer at the time
of setup. RDM does not have any control over where our systems go and who
install them. We clearly state in our documentation that the default passwords
MUST be changed when the system is installed. It’s similar to an off the shelf
router with default user names and passwords Admin Admin,” replied an RDM
“We would also point out that we do not have
remote connectivity to many systems and even though it is possible to upgrade
our software remotely we are unable to do this without the consent of the
owner. We will inform owners that we have new software available with new
functions and features but ultimately it is up to them to request an upgrade
which can be done via USB locally or by there installer / maintainer remotely,”
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.