Security Breach found in Commercial Temperature Control Systems
Who: Resource Data Management
# of Records: 10,606 Confirmed Vulnerable Systems
Date: 12 February 2019
What Happened: Temperature control systems manufactured by Resource Data Management, a Scotland-based remote monitoring solutions company, were found to be vulnerable. These control systems are used by hospitals and supermarket chains all over the world, including brands Marks & Spencer, Ocado, Way-on, and many others.
How Did it Happen: These systems all use the unsecured HTTP protocol and port 9000 (or sometimes 8080, 8100, or even simply 80). They all come with a default username and “1234” as the default password, which is rarely changed by system administrators. The systems can be accessed through any browser. All you need is the right URL, which isn’t too difficult to find. In order to defrost one of these units, all you’d need to do is click a button and enter the default username and password. Not only were we able to change refrigerator and freezer settings through this system, but we could also modify user settings, alarm settings, and more.
Outcome: In the era of the Internet of Things, system administrators need to take special care to secure their remote systems, and never rely on manufacturers’ default settings. This is particularly crucial when it literally can become a matter of life and death. To clarify the situation from RDM’s side, we would confirm that the default passwords must be changed by the installer at the time of setup. RDM does not have any control over where our systems go and who installs them. We clearly state in our documentation that the default passwords MUST be changed when the system is installed. We would also point out that we do not have remote connectivity to many systems, and even though it is possible to upgrade our software remotely, we are unable to do this without the consent of the owner. We will inform owners that we have new software available with new functions and features, but ultimately it is up to them to request an upgrade, which can be done via USB locally or by their installer/maintainer remotely.
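The entry names three weaknesses an operator can check for in their own asset inventory without touching the devices: the management interface is served over plaintext HTTP, it listens on one of the vendor's ports (9000, 8080, 8100 or 80), and the factory password “1234” is still set. The audit below is an added example written for this page; it is not code from the original entry, from the researchers, or from RDM. The `DeviceRecord` layout, the field names, the sample inventory and the non-default passwords are all constructed for illustration; only the ports and the default password come from the entry. Passwords are compared as SHA-256 hashes so the inventory never has to hold the cleartext.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Facts taken from the entry above: plaintext HTTP, port 9000 (or 8080, 8100,
# 80), and a factory default password of "1234".
DEFAULT_PASSWORD = "1234"
VENDOR_PORTS = {9000, 8080, 8100, 80}


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Hash of the factory password, so records can be audited against stored
# hashes instead of cleartext secrets.
DEFAULT_PASSWORD_HASH = _sha256(DEFAULT_PASSWORD)


@dataclass
class DeviceRecord:
    """One controller in an asset inventory (hypothetical record layout)."""
    name: str
    scheme: str                   # "http" or "https"
    port: int
    password_hash: str            # sha256 of the current admin password
    reachable_from_internet: bool # true if the management port is routable


def audit_device(dev: DeviceRecord) -> List[str]:
    """Return the weaknesses named in the entry that apply to one device."""
    findings: List[str] = []
    if dev.password_hash == DEFAULT_PASSWORD_HASH:
        findings.append("default password still in use")
    if dev.scheme.lower() != "https":
        findings.append("management interface served over plaintext HTTP")
    if dev.port in VENDOR_PORTS and dev.reachable_from_internet:
        findings.append(f"management port {dev.port} exposed to the internet")
    return findings


def risk_level(findings: List[str]) -> str:
    """Rank findings: default credentials on an internet-reachable unit is the
    combination the entry describes, so it is rated highest."""
    has_default = any(f.startswith("default password") for f in findings)
    exposed = any("exposed to the internet" in f for f in findings)
    if has_default and exposed:
        return "critical"
    if has_default:
        return "high"
    if findings:
        return "medium"
    return "ok"


def audit_inventory(devices: List[DeviceRecord]) -> Dict[str, Tuple[str, List[str]]]:
    """Map each device name to (risk level, findings)."""
    result = {}
    for dev in devices:
        findings = audit_device(dev)
        result[dev.name] = (risk_level(findings), findings)
    return result


# Constructed sample inventory; these names and passwords are not real devices.
SAMPLE_INVENTORY = [
    DeviceRecord("freezer-01", "http", 9000, _sha256("1234"), True),
    DeviceRecord("freezer-02", "http", 9000, _sha256("site-specific-pass-7Q"), False),
    DeviceRecord("cold-room-03", "https", 9000, _sha256("another-unique-pass-K2"), False),
]

if __name__ == "__main__":
    for name, (level, findings) in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {level}")
        for f in findings:
            print(f"  - {f}")
```

Run it as a script to get a per-device report; in practice `SAMPLE_INVENTORY` would be replaced by records exported from whatever inventory system tracks the controllers. Any device rated `critical` or `high` is one where the installer-time password change RDM's documentation calls for did not happen, and that is the fix, followed by moving the management interface off a routable port or behind a VPN.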