Thousands of industrial refrigerators can be easily hacked
The security of internet-connected devices is an issue that needs to be taken more seriously. Thousands of industrial refrigerators have just been found that can be accessed by anyone from anywhere using the manufacturer’s default password. Among the users of these refrigerators are restaurants and warehouses but also some hospitals, which makes the situation worrying.
More than 7000 refrigerator systems are found to be vulnerable to this type of “attack”, even if it’s not quite a real cyber attack. The manufacturer of these industrial devices, called Resource Data Management, has made its devices accessible from the Internet for remote administration and maintenance purposes, it is assumed.
The problem? During the installation of these devices, the default username and password were not changed making the systems accessible to anyone who can read the default values in the documentation publicly available on the manufacturer’s website.
It is even possible to thaw the entire system, which could cause considerable damage to the contents of the fridges as well as water leaks that could affect everything in the room. The financial losses for the affected companies can be very serious.
Among those affected are restaurants, hospitals, supermarkets and grocery stores in the UK, Ireland but also in Sweden, Germany and China. According to Noam Rotem, one of the researchers who found the systems vulnerable, even a pharmaceutical company in Malaysia is accessible.
Rotem told his colleagues at Tech News that thawing a machine only requires “the click of a button and the entry of a username and password”. Both of these values are almost universal in all the company’s devices. Of course, from the moment you log in, you have full control over the system and you can’t just thaw the content. Timers can be set, settings can be changed, and so on…
Resource Data Management has stated that in their installation procedures it is recommended to change the default access credentials but also that the procedure is not mandatory. “We haveno control over how our systems are set up by the installer and we suggest that your article be directed at users and installers of our equipment.” The company told Tech News that it would send emails recommending a change of credentials again.
This security flaw certainly does not affect consumer customers but it is good to remember that any gadget connected to the Internet is a possible gateway for malicious actors and security must be kept under control at all times.
By the way: have you changed your passwords since the recent publication of Collection #1 (and the other collections that followed)?