Thousands of instances of a temperature control system made by Resource Data Management (RDM) are exposed to remote attacks because they were using default passwords and failed in implementing other security measures.
The vulnerable instances are used by organizations from several industries, including healthcare providers and supermarket chains such as Marks & Spencer, Ocado,
The experts have found 7,400 devices exposed online by querying
the Shodan search engine, most of them in Russia, Malaysia, Brazil, the United Kingdom, Taiwan, Australia, Israel, Germany, the Netherlands, and Iceland.
Systems exposed online could be accessed via HTTP on ports 9000, 8080, 8100, or 80. An attacker can easily access the vulnerable instances because they use a known default username and password combination. In many cases, the web interface can be accessed without authentication.
“They all come with a default username and “1234” as the default password, which is rarely changed by system administrators.” reads the analysis published by Safety Detective.
“All the screenshots taken in this report didn’t require entering the user and password but it came to our knowledge that almost all devices used the default password.”
Experts pointed out that many systems can be easily found using a simple Google search, they explained that the office secretary of the company quickly discovered a cooling factory in Germany and a hospital in the UK.
Accessing the exposed refrigeration systems, an unauthorized attacker can change user and alarm settings. Imagine the damages that could be caused by activating the defrost function, especially when dealing with hospitals where refrigeration systems are used to store blood and drugs.
Safety Detective reported its findings to RDM, but the vendor initially downplayed the report. RDM later acknowledged the risks but highlighted that the issues reported by the experts were caused by wrong installations made by users and installers.
“To clarify the situation from RDM we would confirm that the default passwords must be changed by the installer at the time of setup. RDM does not have any control over where our systems go and who install them. We clearly state in our documentation that the default passwords MUST be changed when the system is installed. It’s similar to an off the shelf router with default user names and passwords Admin Admin,” replied an RDM spokesman.
“We would also point out that we do not have remote connectivity to many systems and even though it is possible to upgrade our software remotely we are unable to do this without the consent of the owner. We will inform owners that we have new software available with new functions and features but ultimately it is up to them to request an upgrade which can be done via USB locally or by there installer / maintainer remotely,”
(SecurityAffairs – refrigeration systems, hacking)