Major Security Breach in Hospital Refrigeration Systems
Major security breaches have been discovered in hospital and supermarket refrigeration systems by the Safety Detective research lab, which has kindly agreed to share its findings with Norway Today.
Israeli hackers and activists, Noam Rotem and Ran L from Safety Detective research lab, have uncovered a major security breach in temperature control systems manufactured by Resource Data Management (RDM), a Scotland-based remote monitoring solutions company.
These control systems are used by hospitals and supermarket chains all over the world, including Marks & Spencer, Ocado, Way-on, and many others.
A basic scan reveals hundreds of installations in the UK, Australia, Israel, Germany, the Netherlands, Malaysia, Iceland, and many other countries around the world. As each installation includes dozens of machines, Safety Detective is looking at many thousands of vulnerabilities.
Analysis by Safety Detective now estimates there are hundreds of locations with thousands of machines affected; 10,606 cases are confirmed. These systems all use the unencrypted HTTP protocol on port 9000 (or sometimes 8080, 8100, or simply 80). They all ship with a default username and “1234” as the default password, which system administrators rarely change. None of the screenshots taken for the report required entering a username and password, but the researchers also observed that almost all devices still use the default password.
The systems can be accessed through any browser. All you need is the right URL, which, as the tests show, isn’t too difficult to find. Safety Detective won’t go into the specifics here, as it does not intend to encourage hacking systems that could literally put lives at risk; but all it takes is a simple Google search.
Safety Detective instructed its office secretary on how to find other devices online, and she quickly found a cooling factory in Germany and a hospital in the UK, using only Google.
With Shodan, a potential attacker can identify thousands of devices.
- Marks and Spencer Brooklands
- A food storage facility in Iceland
- Menu Italiano, an Italian food manufacturer with locations in Italy, Denmark, Belgium, Sweden, Germany, and China
- Münstermann Külhaus am Grossmarket, Düsseldorf, a cooling facility in Germany
- CCM Duopharma Biotech Berhad, a pharmaceutical company from Selangor, Malaysia
In the era of the Internet of Things, system administrators need to take special care to secure their remote systems, and never rely on manufacturers’ default settings. This is particularly crucial when it literally becomes a matter of life and death, as some of the examples above illustrate.
Safety Detective notified Resource Data Management of the severe vulnerability, urging them to fix it ASAP, and provided technical information and screenshot evidence that hackers can obtain their clients’ information. When they didn’t reply, the research lab contacted them via Twitter (without disclosing information on the nature of the vulnerability). Safety Detective was amazed to receive the following official response from Resource Data Management by email:
Thank you for your email and approach. Having looked at your services, they are not of interest to their company.
As a senior team member within the company, can I please ask you to refrain from contacting us any further, on any of our individual or general email accounts. It would also be greatly appreciated if you could refrain from tagging us in posts on social media.
Thank you for your co-operation.
Safety Detective got another response from RDM:
Safety Detective Team, thank you for the information.
To clarify the situation from RDM: we would confirm that the default passwords must be changed by the installer at the time of setup. RDM does not have any control over where our systems go and who installs them. We clearly state in our documentation that the default passwords MUST be changed when the system is installed. It’s similar to an off-the-shelf router with default user names and passwords Admin/Admin.
We would also point out that RDM do not have remote connectivity to many systems, and even though it is possible to upgrade our software remotely, we are unable to do this without the consent of the owner. RDM will inform owners that we have new software available with new functions and features, but ultimately it is up to them to request an upgrade, which can be done via USB locally or by their installer/maintainer remotely.
I hope this clarifies the situation. RDM have no control over how our systems are set up by the installer, and we suggest your article is directed at the users and installers of our equipment. We will write to all our known customers, installers and distributors today reminding them of the importance of changing the default user names and passwords as part of their installation and setup.
Safety Detective got a third response from RDM (February 11, 2019):
Safety Detective Team,
Further to your article, which was published on Friday. We found the investigation a little confusing, as most sites on the Shodan report that were identified were in Russia; RDM have sold very few systems in this country.
We investigated further and found the report actually shows systems open to the internet using the “##Deleted string (SD)##” web server which is what we use in the Data Manager.
After checking further, this report shows every manufacturer’s device, such as routers etc., that uses this web server. The bulk of these devices look to be 3rd-party devices and not Data Managers.
Please find attached our plans to assist with issues highlighted in your article.
We thank you for highlighting this on Friday and apologise if our first response did not seem grateful; only, I’m sure you will understand, we received your first mail into our spam bucket along with much other spam, and originally it seemed a little vague. Hence our response. However, after the contact on Thursday afternoon, RDM did take action to help protect our users, and have a plan to remove all default users going forward and have added a unique setup password per system.
We would appreciate it if you could publish our update.
Updates and corrections to the original report (February 11th, 2019)
RDM clarified that there couldn’t be as many as 7000 installations, as Safety Detective initially reported. In addition, several independent researchers reached out to say that the number of affected installations and refrigerators is lower than originally reported, claiming there were between 600 and 700 based on what seemed to be a serious investigation.
As is quite common whenever Safety Detective contacts companies to inform them of a security breach, the initial reaction is usually denial, followed by questioning the validity of the research and how the numbers were calculated, thereby downplaying the problem. So when other researchers also pointed out problems with the original numbers, Safety Detective thought it would be a good idea to go back and double-check the preliminary research.
In a private communication with one researcher, Safety Detective asked if they really expected the lab to check over 7000 URLs in order to count the number of refrigerators at each location. The researcher suggested that if verifying the validity of the claim was too much work, then maybe Safety Detective was in the wrong business to begin with. So Safety Detective decided to listen to its critics and do some rigorous fact-checking in order to ensure the integrity of its research, and provide correct, verified figures for the benefit of the public.
- Safety Detective downloaded Shodan’s data on 7419 locations and opened a few dozen links. Many URLs are no longer available (hopefully due to an improvement in security by the refrigerator owners).
- Safety Detective then looked at the 2215 URLs that returned status code 200 OK.
- Safety Detective found a pattern in the title tag of pages that were real sites, and not routers, and used it to screen the list down to 380 results.
- Then Safety Detective carefully examined all 380 results and discovered that 319 are totally open locations with refrigerators accessible to anyone with a link, including 10 hospitals in the UK.
- Safety Detective then took the first 24 URLs from the list, which seemed to be distributed randomly and included locations from the US, Malaysia, France, UK, New Zealand, Australia, Canada, Iceland, and the Netherlands. Safety Detective believes they represent a good sample of the 319 locations they came from.
- Lastly, Safety Detective manually counted the number of refrigerators, cooling rooms, and freezers at each location. Of these 24 locations, there were a total of 798 machines, therefore the average worked out to 33.25 refrigerators per location.
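The counting method above (filter the scan export to reachable URLs, keep only pages whose title identifies a controller rather than a router, count machines at a sample of locations, and scale the average up to all open locations) can be written down as a small pipeline. The following is an added example and not Safety Detective’s own tooling: the export format, the title pattern “Data Manager”, and every record in it are constructed for illustration, and the per-location machine counts would in reality come from manual inspection of each page, as the report describes. The `extrapolate` function is run with the report’s own figures (798 machines across 24 sampled locations, 319 open locations) to show how the 10,606 estimate arises.

```python
"""Reproduce the correction's counting methodology on constructed data."""
import re

# Constructed records mimicking a scan export, one per exposed URL.
# 'machines' stands in for the manual count of refrigerators, cooling rooms
# and freezers visible on that page (0 where the page is not a controller).
SAMPLE_RECORDS = [
    {"url": "http://198.51.100.1:9000/", "status": 200, "title": "Data Manager - Cold Store 1", "machines": 31},
    {"url": "http://198.51.100.2:9000/", "status": 200, "title": "Data Manager - Hospital Pharmacy", "machines": 52},
    {"url": "http://198.51.100.3:8080/", "status": 200, "title": "Router Admin", "machines": 0},
    {"url": "http://198.51.100.4:9000/", "status": 503, "title": "", "machines": 0},
    {"url": "http://198.51.100.5:80/", "status": 200, "title": "Data Manager - Supermarket", "machines": 17},
    {"url": "http://198.51.100.6:8100/", "status": 404, "title": "", "machines": 0},
]

# Assumed title pattern; the report does not publish the one it used.
TITLE_PATTERN = re.compile(r"Data Manager")


def reachable(records):
    """Step 2: keep only URLs that answered 200 OK."""
    return [r for r in records if r["status"] == 200]


def looks_like_controller(records, pattern=TITLE_PATTERN):
    """Step 3: drop routers and other devices that merely share the same
    embedded web server, keeping pages whose title matches the controller."""
    return [r for r in records if pattern.search(r["title"])]


def extrapolate(sample_machine_total, sample_size, location_count):
    """Steps 5-6: average machines per sampled location, scaled to all open
    locations. The result is truncated to a whole machine, which is how
    798 / 24 * 319 = 10606.75 becomes the report's 10,606."""
    if sample_size == 0:
        raise ValueError("sample must be non-empty")
    avg = sample_machine_total / sample_size
    return avg, int(avg * location_count)


def estimate_from_records(records, sample_size, pattern=TITLE_PATTERN):
    """Full pipeline over an export: returns (open_locations, avg, estimate)."""
    open_sites = looks_like_controller(reachable(records), pattern)
    sample = open_sites[:sample_size]          # first N URLs, as in the report
    total = sum(r["machines"] for r in sample)
    avg, est = extrapolate(total, len(sample), len(open_sites))
    return len(open_sites), avg, est


if __name__ == "__main__":
    print(extrapolate(798, 24, 319))                       # (33.25, 10606)
    print(estimate_from_records(SAMPLE_RECORDS, sample_size=2))
```

The truncation in `extrapolate` is the conservative choice the report describes: rounding 10,606.75 down rather than up reports the smallest figure the sample supports, and a larger or random sample would tighten the estimate further.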
Based on the above analysis, Safety Detective can confirm that there are 319 locations, with an estimated 10,606 machines that are still accessible online as of this latest update (five days after Safety Detective did the research and hopefully after many businesses already fixed the issue since February 12).
Safety Detective wants to remind readers that Shodan doesn’t cover the entire internet. Given that five days had passed, and that Safety Detective was very conservative in its methodology in order to report the smallest defensible number of vulnerable machines, the research lab is confident the impact of the breach could have been much greater. However, Safety Detective doesn’t think the important question is whether there are 7000, 8000, or even the revised estimate of 10,000 refrigerators accessible to hackers, but rather why so many people thought that connecting the machines to the internet while leaving them accessible to anyone didn’t raise any red flags.
Safety Detective wants to thank everyone who encouraged the research lab to be more precise with its research, which allowed them to improve the findings of this report.
© Safety Detective / #Norway Today