Thousands of IoT Refrigerators Worldwide Are Using Default Passwords

[cageymaru]

Refrigerators worldwide featuring temperature control systems from Resource Data Management still have the default password "1234" as their login. "These systems all use the unsecured HTTP protocol and the 9000 port (or sometimes 8080, 8100, or even simply 80)." Israeli security activists Noam Rotem and Ran L from Safety Detective research lab discovered the vulnerability in refrigeration systems at hospitals, supermarket chains, pharmaceutical companies, and more. In total, a search on Shodan revealed over 7,400 devices worldwide with vulnerabilities. The researchers were initially criticized for contacting the company via email and social media, but later on a RDM representative told Safety Detectives that it is up to the customer and installer to change the default password.

To clarify the situation from RDM we would confirm that the default passwords must be changed by the installer at the time of setup. RDM does not have any control over where our systems go and who install them. We clearly state in our documentation that the default passwords MUST be changed when the system is installed. Its similar to an off the shelf router with default user names and passwords Admin Admin.

 

[Deleted member 89137]

I am not a tiny bit surprised.

 

[exiled350]

Meh.

 

[joobjoob]

Who could have predicted???

In a healthy harmonious society people must pay some price for stupid decisions with predictable outcomes.

 

[Zarathustra[H]]

That's a design flaw.

You have to know that customers will be lazy and not set proper passwords, so you have to design them to require a password change on first startup before you can use it, and set requirements on the password so you make sure it is strong.

 

[Twisted Kidney]

 

[Advil]

That's crazy. Each one needs a random default password hard coded in the firmware if you do a factory reset. That password needs to be permanently stuck inside the door jam.

That way, someday, WHEN your fridge gets it's firmware corrupted by... anything just like your PC bios and you reset it the password doesn't become generically accessible to the public.

If that is too much work for the manufacturer to bother with during assembly and testing then they shouldn't offer the connected device.

The alternative is that IOT functionality is turned off entirely by default or upon firmware reset and must be enabled along with a unique password being set when it is enabled. No default password option. You have to set a unique PW to enable it at all.

Anything else is just insanity.

And why would a fridge need to do anything more than report what the temp is remotely? It doesn't even need the ability to adjust it from off-site for 99% of use cases. That would also be inherently secure even if someone were to be able to see the temp, they can't DO anything with it.

 

[The Mad Atheist]

FFS!, not even secured as Spaceballs' password.....

 

[ChoGGi]

Is it so hard to not allow remote access if it's the default password? Apparently yes (or at least cheaper).

I wouldn't ever advocate it, but if certain people made badly secured hardware ddos the manufacturer that could ease up the issue for the rest of us

 

[OutOfPhase]

I am often asked why I have "low tech" stuff in my house from friends who are not techies. Their explanation is "but you're a techie!".
I answer "That's WHY I know it is bad idea".

The race-to-the-bottom on firmware quality is completely real. We see this with printers now (my god what awful wifi implementations), and now... kitchen stuff.

I hate it when I'm right. Not really.

 

[jeffj7]

They big question is why do you really need that refrige connected to the internet ?

 

[seanreisk]

They big question is why do you really need that refrige connected to the internet ?

Actually they do, because the one we worked on was a big, hairy, pain-in-the-butt to get it to talk to our pager system. It was used to store cultures, and if the temperature gets above a certain point they have to throw everything away. In fact, if lab workers opened the door too often it would lock people out until the temperature stabilized.

I'm curious what the password is now. I don't see why it would be a problem to write the password on the side of the damn'd thing, if you wanted to hack a refrigerator you had physical access to you could just reset it, the refrigerator we set up had to reboot so often that the college asked us to turn off alerts for resets.

 

[clockdogg]

Great. Now I have to change my router password to match my smart fridge, my smartphone and my smartass.

 

[carlbme]

Actually they do, because the one we worked on was a big, hairy, pain-in-the-butt to get it to talk to our pager system. It was used to store cultures, and if the temperature gets above a certain point they have to throw everything away. In fact, if lab workers opened the door too often it would lock people out until the temperature stabilized.

To be fair it isn't always entirely clear that it is. For example I just recently purchased a new refrigerator for our home. No where on the model pamplet on the showroom floor did it state that it had Internet connectivity. No WiFi button on the fridge or anything. On the models in the same family, but higher price range, it was advertised. On the Lowes (where I purchased it from) website it said nothing about the model I purchased having that capability either. On the manufactures website it stated that "some models" had it. About the only thing I didn't do was to download the manual for the machine and read it before the purchase.

Once it was installed and I started skimming through the manual I saw that it indeed would connect up to WiFi and there was an app from LG to control and monitor. If I wouldn't of read the manual I'd of never known. But I also know most of my family, if they'd of found out that it had that capability they'd of enabled it right away because it's a cool new feature. I also know they wouldn't of taken the time to change the password, because that's just too much hassle or takes too much time when you could be playing with your shiny new app.

Anyway, the point is....it's not always apparent right away that these devices even have the capability to connect.

 

[bildad]

What does anyone need an internet connection fridge for anyway?!

 

[[Spectre]]

Actually they do, because the one we worked on was a big, hairy, pain-in-the-butt to get it to talk to our pager system. It was used to store cultures, and if the temperature gets above a certain point they have to throw everything away. In fact, if lab workers opened the door too often it would lock people out until the temperature stabilized.

Doesn't require an internet connection. Things like that were managed for decades without the IoT.

 

[Dayaks]

Actually they do, because the one we worked on was a big, hairy, pain-in-the-butt to get it to talk to our pager system. It was used to store cultures, and if the temperature gets above a certain point they have to throw everything away. In fact, if lab workers opened the door too often it would lock people out until the temperature stabilized.

I'm curious what the password is now. I don't see why it would be a problem to write the password on the side of the damn'd thing, if you wanted to hack a refrigerator you had physical access to you could just reset it, the refrigerator we set up had to reboot so often that the college asked us to turn off alerts for resets.

Or just use labwatch on a network that is air gapped and if there are any alarms security sends out an alert...

 

[OutOfPhase]

Great. Now I have to change my router password to match my smart fridge, my smartphone and my smartass.

Your ass has a password? That seems handy.

 

[Dead Parrot]

Another security flaw not mentioned in TFA is the fact that the folks using these connected refrigeration devices also suck at configuring firewalls. Why are these things visible to the Internet at large? Limit communication to each device to the IP address(es) authorized to perform management of said devices. If the devices require management from a wide number of addresses, then require a VPN.

Wonder what other devices in these organizations are wide open to the Internet at large? Or worse, sending data to unknown outside organizations? The lack of concern about device passwords is a symptom of a larger problem.

 

[BloodyIron]

Expecting the installer to change the default password is just ignoring that they won't ever give a fuck unless they have to. Just because it's in the manual means nothing.

 

[clockdogg]

Your ass has a password? That seems handy.

Yeah, gotta minimize those backdoor attack vectors...

 

[Glock24]

Hmm, let's use them for the Pied Piper network!

 

[collegeboy69us]

Would have made Anton's job easier.


View attachment 140605

Stolen from www.reddit.com/r/SiliconValleyHBO/comments/6fcbph/suck_it_jinyang

Soon as I saw "fridge" and "password"... instantly came here to post this.

For anyone interested in the full scene from that show here you go: (mime BJ part starts at 3:50)

God I love Silicon Valley

 

[Oldmodder]

IOS i call it, Internet Of Stupid.
Any person / company using - developing - investing in this BS i am not able to trust one god damn bit.

 

[[21CW]killerofall]

Me:*calls person with smart fridge* Is your refrigerator running?

Them: "Yes"

Me: *hacks into their fridge and makes screen play the Rick Roll video on loop* "How about now?"

Them: "Fuck you!"

 

[Dodge245]

That's a design flaw.

You have to know that customers will be lazy and not set proper passwords, so you have to design them to require a password change on first startup before you can use it, and set requirements on the password so you make sure it is strong.

And then a way to reset the password when everyone inevitably forgets it.

 

[zkostik]

That's a design flaw.

You have to know that customers will be lazy and not set proper passwords, so you have to design them to require a password change on first startup before you can use it, and set requirements on the password so you make sure it is strong.

IoT is a design flaw (from security perspective)

There really should be some kind of security certification kind of like UL for electrical safety. Would really be handy for consumers and IoT devices could be tested for security so hopefully at least reasonable minimum is established. Wishful thinking probably and too many people don't know or don't give a fuck...

 

[harbingerofdoom]

IoT is a design flaw (from security perspective)

There really should be some kind of security certification kind of like UL for electrical safety. Would really be handy for consumers and IoT devices could be tested for security so hopefully at least reasonable minimum is established. Wishful thinking probably and too many people don't know or don't give a fuck...

there should be, but there isnt. and since the people buying this stuff dont know enough to care, the manufacturers dont care because they already got their money and no one is forcing them to do anything about it.... its not going to sort itself out without the entire issue being forced by some sort of legislation.

 

[grim4593]

California did pass a law last year requiring that connected devices have unique passwords: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327
I wonder if that actually has any teeth or will cause industries to start following better practices.

 

[DrezKill]

That's a design flaw.

The flaw is designing a fucking IoT fridge to begin with.

 

[Zarathustra[H]]

The flaw is designing a fucking IoT fridge to begin with.

Well, yeah, that too!