Security researchers at Safety Detective have discovered vulnerabilities in networked refrigeration systems made by Resource Data Management (RDM) that could allow a hacker to hijack the devices and alter their temperature settings, according to a company blog post published last Thursday (Feb. 7th).
The company’s products are used by organisations from several industries, including healthcare providers and supermarket chains such as Marks & Spencer, Ocado and Way-on.
A Shodan search reveals that 7,419 devices were exposed online, and most of them are based in Russia, Malaysia, Brazil, the UK, Taiwan, Australia, Israel, Germany, the Netherlands, and Iceland.
According to the researchers, systems exposed online could be accessed over HTTP on port 9000 (or sometimes 8080, 8100, or 80), and were protected only by a default username and password combination.
In many cases, the web interface can be viewed without any authentication, but the password is required to make changes to the settings. If an unauthorised user gains access to one of these systems, they can change the refrigerator, user and alarm settings.
Researchers said that changing the temperature of the fridges could cause a lot of problems, especially for hospitals, where refrigerators are used to store blood, organs, and vaccines.
“The systems can be accessed through any browser,” the researchers explained. “All you need is the right URL, which as our tests show, isn’t too difficult to find. We will not go into detail here, as it is not our intention to encourage the hacking of systems that could literally put lives at risk, but all it takes is a simple Google search.”
Safety Detective contacted RDM to inform them about the issue, but the vendor initially downplayed the reports. RDM later acknowledged the risks but blamed users and installers for the situation.
“To clarify the situation from RDM we would confirm that the default passwords must be changed by the installer at the time of setup. RDM does not have any control over where our systems go and who installs them. We clearly state in our documentation that the default passwords MUST be changed when the system is installed. It’s similar to an off-the-shelf router with default usernames and passwords such as Admin & 1234,” replied an RDM spokesman.
“We would also point out that we do not have remote connectivity to many systems and even though it is possible to upgrade our software remotely we are unable to do this without the consent of the owner. We will inform owners that we have new software available with new functions and features but ultimately it is up to them to request an upgrade which can be done via USB locally or by their installer/maintainer remotely.”