Thousands of IoT Refrigerators Worldwide Are Using Default Passwords

Discussion in 'HardForum Tech News' started by cageymaru, Feb 8, 2019.

  1. cageymaru ([H]ard as it Gets)
    Refrigerators worldwide featuring temperature control systems from Resource Data Management still have the default password "1234" as their login. "These systems all use the unsecured HTTP protocol and the 9000 port (or sometimes 8080, 8100, or even simply 80)." Israeli security activists Noam Rotem and Ran L from Safety Detective research lab discovered the vulnerability in refrigeration systems at hospitals, supermarket chains, pharmaceutical companies, and more. In total, a search on Shodan revealed over 7,400 devices worldwide with vulnerabilities. The researchers were initially criticized for contacting the company via email and social media, but later on an RDM representative told Safety Detectives that it is up to the customer and installer to change the default password.

    To clarify the situation from RDM we would confirm that the default passwords must be changed by the installer at the time of setup. RDM does not have any control over where our systems go and who installs them. We clearly state in our documentation that the default passwords MUST be changed when the system is installed. It's similar to an off-the-shelf router with default user names and passwords Admin/Admin.
     
  2. elite.mafia (Broke Back [H])
    I am not a tiny bit surprised.
     
    DrezKill, Revdarian, zkostik and 3 others like this.
  3. exiled350 ([H]ard|Gawd)
  4. joobjoob (Gawd)
    Who could have predicted???

    In a healthy harmonious society people must pay some price for stupid decisions with predictable outcomes.
     
    Last edited: Feb 8, 2019
  5. Zarathustra[H] (Official Forum Curmudgeon)
    That's a design flaw.

    You have to know that customers will be lazy and not set proper passwords, so you have to design them to require a password change on first startup before you can use it, and set requirements on the password so you make sure it is strong.
     
    Maxx, Revdarian, PaulP and 8 others like this.
  6. Advil ([H]ard|Gawd)
    That's crazy. Each one needs a random default password hard-coded in the firmware if you do a factory reset. That password needs to be permanently stuck inside the door jamb.

    That way, someday, WHEN your fridge gets its firmware corrupted by... anything just like your PC BIOS and you reset it, the password doesn't become generically accessible to the public.

    If that is too much work for the manufacturer to bother with during assembly and testing then they shouldn't offer the connected device.

    The alternative is that IoT functionality is turned off entirely by default or upon firmware reset and must be enabled along with a unique password being set when it is enabled. No default password option. You have to set a unique PW to enable it at all.

    Anything else is just insanity.

    And why would a fridge need to do anything more than report what the temp is remotely? It doesn't even need the ability to adjust it from off-site for 99% of use cases. That would also be inherently secure even if someone were to be able to see the temp, they can't DO anything with it.
     
  7. The Mad Atheist (Gawd)
    FFS! Not even as secure as Spaceballs' password...
     
  8. ChoGGi ([H]ard|Gawd)
    Is it so hard to not allow remote access if it's the default password? Apparently yes (or at least cheaper).

    I wouldn't ever advocate it, but if certain people made badly secured hardware DDoS the manufacturer, that could ease up the issue for the rest of us ;)
     
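    Zarathustra[H] and ChoGGi above describe the same control from two sides (refuse remote access while the default password is in force, and require a policy-compliant replacement before the unit is usable), and Advil adds that the default should be unique per unit rather than shared. The following Python sketch is an added illustration of those three rules, not code from the article, from RDM, or from any poster; the serial format, the factory key, and the MIN_LEN policy are constructed assumptions.

```python
import hashlib
import hmac
import secrets

MIN_LEN = 12  # assumed password policy, not an RDM requirement


def factory_default(serial: str, factory_key: bytes) -> str:
    """Per-unit default password: HMAC of the unit serial under a key that
    never leaves the factory. The value goes on the unit's label, no two
    units share it, and a factory reset can regenerate it without storing
    a plaintext default in the firmware image."""
    return hmac.new(factory_key, serial.encode(), hashlib.sha256).hexdigest()[:16]


def strong_enough(pw: str) -> bool:
    """Minimum policy enforced at the first-login password change."""
    return (len(pw) >= MIN_LEN and any(c.isdigit() for c in pw)
            and any(c.isalpha() for c in pw))


class Controller:
    """Management-login state machine for one (hypothetical) controller:
    remote logins are refused until the factory default has been replaced."""

    def __init__(self, serial: str, factory_key: bytes):
        self._salt = secrets.token_bytes(16)
        self._hash = self._digest(factory_default(serial, factory_key))
        self.default_in_force = True

    def _digest(self, pw: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self._salt, 100_000)

    def _check(self, pw: str) -> bool:
        return hmac.compare_digest(self._hash, self._digest(pw))

    def login(self, pw: str, remote: bool) -> str:
        # Network access stays locked while the label password is still valid,
        # even if the caller knows it; only the local console can proceed.
        if remote and self.default_in_force:
            return "denied: remote management locked until default password is changed"
        return "ok" if self._check(pw) else "denied: bad password"

    def set_password(self, current: str, new: str) -> bool:
        """Local first-login step: rejects a wrong current password, a weak
        replacement, or a replacement equal to the current one."""
        if not self._check(current) or not strong_enough(new) or self._check(new):
            return False
        self._hash = self._digest(new)
        self.default_in_force = False
        return True
```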
  9. PhaseNoise ([H]ard|Gawd)
    I am often asked why I have "low tech" stuff in my house from friends who are not techies. Their explanation is "but you're a techie!".
    I answer "That's WHY I know it is a bad idea".

    The race-to-the-bottom on firmware quality is completely real. We see this with printers now (my god what awful wifi implementations), and now... kitchen stuff.

    I hate it when I'm right. Not really.
     
    DrezKill, Revdarian, PaulP and 11 others like this.
  10. jeffj7 ([H]Lite)
    The big question is: why do you really need that fridge connected to the internet?
     
  11. seanreisk ([H]ard|Gawd)
    Actually they do, because the one we worked on was a big, hairy, pain-in-the-butt to get it to talk to our pager system. It was used to store cultures, and if the temperature gets above a certain point they have to throw everything away. In fact, if lab workers opened the door too often it would lock people out until the temperature stabilized.

    I'm curious what the password is now. I don't see why it would be a problem to write the password on the side of the damned thing. If you wanted to hack a refrigerator you had physical access to, you could just reset it; the refrigerator we set up had to reboot so often that the college asked us to turn off alerts for resets.
     
  12. clockdogg (Gawd)
    Great. Now I have to change my router password to match my smart fridge, my smartphone and my smartass.
     
    Aioeyu and carlbme like this.
  13. carlbme ([H]ard|Gawd)
    To be fair it isn't always entirely clear that it is. For example, I just recently purchased a new refrigerator for our home. Nowhere on the model pamphlet on the showroom floor did it state that it had Internet connectivity. No WiFi button on the fridge or anything. On the models in the same family, but in a higher price range, it was advertised. On the Lowes (where I purchased it from) website it said nothing about the model I purchased having that capability either. On the manufacturer's website it stated that "some models" had it. About the only thing I didn't do was download the manual for the machine and read it before the purchase.

    Once it was installed and I started skimming through the manual I saw that it indeed would connect up to WiFi and there was an app from LG to control and monitor. If I hadn't read the manual I'd never have known. But I also know most of my family, if they'd found out that it had that capability, would have enabled it right away because it's a cool new feature. I also know they wouldn't have taken the time to change the password, because that's just too much hassle or takes too much time when you could be playing with your shiny new app.

    Anyway, the point is....it's not always apparent right away that these devices even have the capability to connect.
     
  14. bildad (Gawd)
    What does anyone need an internet-connected fridge for anyway?!
     
    DrezKill likes this.
  15. Paul_Johnson ([H] Admin, Staff Member)
    Doesn't require an internet connection. Things like that were managed for decades without the IoT.
     
    Revdarian and Aioeyu like this.
  16. Dayaks ([H]ardness Supreme)
    Or just use labwatch on a network that is air gapped and if there are any alarms security sends out an alert...
     
  17. PhaseNoise ([H]ard|Gawd)
    Your ass has a password? That seems handy.
     
  18. Dead Parrot (2[H]4U)
    Another security flaw not mentioned in TFA is the fact that the folks using these connected refrigeration devices also suck at configuring firewalls. Why are these things visible to the Internet at large? Limit communication to each device to the IP address(es) authorized to perform management of said devices. If the devices require management from a wide number of addresses, then require a VPN.

    Wonder what other devices in these organizations are wide open to the Internet at large? Or worse, sending data to unknown outside organizations? The lack of concern about device passwords is a symptom of a larger problem.
     
    PaulP, HammerSandwich and Aioeyu like this.
  19. BloodyIron (2[H]4U)
    Expecting the installer to change the default password is just ignoring that they won't ever give a fuck unless they have to. Just because it's in the manual means nothing.
     
    PaulP likes this.
  20. clockdogg (Gawd)
    Yeah, gotta minimize those backdoor attack vectors...
     
    DrezKill, Revdarian, PaulP and 3 others like this.
  21. Glock24 ([H]Lite)
    Hmm, let's use them for the Pied Piper network!
     
    SamuelL421 likes this.
  22. collegeboy69us ([H]ardness Supreme)
    zkostik, SamuelL421, Maxx and 2 others like this.
  23. Oldmodder (Gawd)
    IOS I call it, Internet Of Stupid.
    Any person/company using, developing, or investing in this BS I am not able to trust one goddamn bit.
     
    DrezKill likes this.
  24. [21CW]killerofall (Aliens...)
    Me:*calls person with smart fridge* Is your refrigerator running?

    Them: "Yes"

    Me: *hacks into their fridge and makes screen play the Rick Roll video on loop* "How about now?"

    Them: "Fuck you!"

    :ROFLMAO:
     
  25. Dodge245 (Limp Gawd)
    And then a way to reset the password when everyone inevitably forgets it.
     
  26. zkostik (Gawd)
    IoT is a design flaw (from security perspective) ;)

    There really should be some kind of security certification, kind of like UL for electrical safety. It would really be handy for consumers, and IoT devices could be tested for security so hopefully at least a reasonable minimum is established. Wishful thinking probably, and too many people don't know or don't give a fuck...
     
    clockdogg and PaulP like this.
  27. harbingerofdoom (Gawd)
    There should be, but there isn't. And since the people buying this stuff don't know enough to care, the manufacturers don't care because they already got their money and no one is forcing them to do anything about it... It's not going to sort itself out without the entire issue being forced by some sort of legislation.
     
    zkostik likes this.
  28. grim4593 (Limp Gawd)
  29. DrezKill (Limp Gawd)
    The flaw is designing a fucking IoT fridge to begin with.
     
    Paul_Johnson and Zarathustra[H] like this.
  30. Zarathustra[H] (Official Forum Curmudgeon)
    Well, yeah, that too!
     
    Glock24 and DrezKill like this.