Thousands of IoT Refrigerators Worldwide Are Using Default Passwords

cageymaru

Fully [H]
Joined
Apr 10, 2003
Messages
20,361
Refrigerators worldwide featuring temperature control systems from Resource Data Management still have the default password "1234" as their login. "These systems all use the unsecured HTTP protocol and the 9000 port (or sometimes 8080, 8100, or even simply 80)." Israeli security activists Noam Rotem and Ran L from the Safety Detective research lab discovered the vulnerability in refrigeration systems at hospitals, supermarket chains, pharmaceutical companies, and more. In total, a search on Shodan revealed over 7,400 devices worldwide with vulnerabilities. The researchers were initially criticized for contacting the company via email and social media, but later on an RDM representative told Safety Detectives that it is up to the customer and installer to change the default password.

To clarify the situation from RDM, we would confirm that the default passwords must be changed by the installer at the time of setup. RDM does not have any control over where our systems go and who installs them. We clearly state in our documentation that the default passwords MUST be changed when the system is installed. It's similar to an off-the-shelf router with default username and password Admin/Admin.
 

joobjoob

Gawd
Joined
Jun 29, 2004
Messages
546
Who could have predicted???

In a healthy harmonious society people must pay some price for stupid decisions with predictable outcomes.
 

Zarathustra[H]

Fully [H]
Joined
Oct 29, 2000
Messages
31,852
That's a design flaw.

You have to know that customers will be lazy and not set proper passwords, so you have to design them to require a password change on first startup before you can use it, and set requirements on the password so you make sure it is strong.
 

Advil

[H]ard|Gawd
Joined
Jul 16, 2004
Messages
1,997
That's crazy. Each one needs a random default password hard-coded in the firmware if you do a factory reset. That password needs to be permanently stuck inside the door jamb.

That way, someday, WHEN your fridge gets its firmware corrupted by... anything, just like your PC BIOS, and you reset it, the password doesn't become generically accessible to the public.

If that is too much work for the manufacturer to bother with during assembly and testing then they shouldn't offer the connected device.

The alternative is that IoT functionality is turned off entirely by default or upon firmware reset and must be enabled along with a unique password being set when it is enabled. No default password option. You have to set a unique PW to enable it at all.

Anything else is just insanity.

And why would a fridge need to do anything more than report what the temp is remotely? It doesn't even need the ability to adjust it from off-site for 99% of use cases. That would also be inherently secure: even if someone were able to see the temp, they can't DO anything with it.
 

ChoGGi

[H]ard|Gawd
Joined
May 7, 2005
Messages
1,571
Is it so hard to not allow remote access if it's the default password? Apparently yes (or at least cheaper).

I wouldn't ever advocate it, but if certain people made badly secured hardware DDoS the manufacturer, that could ease up the issue for the rest of us ;)
 
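The controller-side policy the posts above are asking for (Zarathustra[H]'s forced change on first login with a strength rule, Advil's per-unit label password that a factory reset restores instead of a shared vendor default, and ChoGGi's refusal of any remote login while the default is still in effect), as an added example. This is not code from any post and not RDM's firmware; the class and method names, the 12-character minimum, the PBKDF2 parameters and the small blocklist are all assumptions.

```python
"""Credential policy for one network-attached refrigeration controller.

Added example (assumed design, not a vendor's code): a unique per-unit
factory password printed on the unit's label, restored on factory reset;
no network login until it has been replaced; forced change on first
local login; minimum strength rule on the replacement.
"""
import hashlib
import hmac
import os
import secrets
import string
from typing import Optional

LABEL_ALPHABET = string.ascii_uppercase + string.digits  # easy to read off a printed label
MIN_PASSWORD_LEN = 12            # assumed policy
PBKDF2_ITERATIONS = 200_000      # assumed work factor
# Defaults named in the thread plus a few obvious ones; a real blocklist would be far longer.
BLOCKLIST = {"1234", "12345", "123456", "admin", "password", "default"}


def is_strong(password: str) -> bool:
    """Minimum policy: long enough, not a known default, more than one character class."""
    if len(password) < MIN_PASSWORD_LEN or password.lower() in BLOCKLIST:
        return False
    classes = sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ))
    return classes >= 2


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class ControllerAuth:
    """Credential state of one controller unit."""

    def __init__(self, factory_password: Optional[str] = None):
        # Generated once per unit at assembly and printed on the label. It is kept in
        # the unit (as Advil proposes) precisely so that a factory reset can restore
        # it instead of falling back to a password shared by every unit ever shipped.
        self.factory_password = factory_password or "".join(
            secrets.choice(LABEL_ALPHABET) for _ in range(10))
        self.factory_reset()

    def factory_reset(self) -> None:
        """Restores the labelled per-unit password; no shared vendor default exists."""
        self._store(self.factory_password)
        self.factory_password_active = True

    def _store(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.digest = _derive(password, self.salt)

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(_derive(password, self.salt), self.digest)

    def login(self, password: str, *, remote: bool) -> str:
        """Returns 'denied', 'change-required' or 'ok'."""
        # No login over the network at all until the factory password is replaced,
        # so an unconfigured unit exposed to the Internet still cannot be used.
        if remote and self.factory_password_active:
            return "denied"
        if not self.verify(password):
            return "denied"
        return "change-required" if self.factory_password_active else "ok"

    def change_password(self, current: str, new: str, *, remote: bool) -> bool:
        """Only a successful login may change the password; the new one must pass policy."""
        if self.login(current, remote=remote) == "denied":
            return False
        if not is_strong(new) or new == self.factory_password:
            return False
        self._store(new)
        self.factory_password_active = False
        return True


if __name__ == "__main__":
    unit = ControllerAuth()
    print("label password:", unit.factory_password)
    print(unit.login(unit.factory_password, remote=True))      # denied: factory pw still active
    print(unit.login(unit.factory_password, remote=False))     # change-required
    print(unit.change_password(unit.factory_password, "1234", remote=False))               # False
    print(unit.change_password(unit.factory_password, "Walk-in-7C-aisle4", remote=False))  # True
    print(unit.login("Walk-in-7C-aisle4", remote=True))        # ok
```

The `remote` flag is whatever the firmware can trust to distinguish the front-panel console from a network socket; if the controller only has a web UI, the same rule can be applied by binding that UI to the local interface until `factory_password_active` clears.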

OutOfPhase

2[H]4U
Joined
May 11, 2005
Messages
3,753
I am often asked by friends who are not techies why I have "low tech" stuff in my house. Their explanation is "but you're a techie!".
I answer "That's WHY I know it is a bad idea".

The race-to-the-bottom on firmware quality is completely real. We see this with printers now (my god what awful wifi implementations), and now... kitchen stuff.

I hate it when I'm right. Not really.
 

seanreisk

[H]ard|Gawd
Joined
Aug 29, 2011
Messages
1,715
The big question is why do you really need that fridge connected to the internet?

Actually they do, because the one we worked on was a big, hairy, pain-in-the-butt to get it to talk to our pager system. It was used to store cultures, and if the temperature gets above a certain point they have to throw everything away. In fact, if lab workers opened the door too often it would lock people out until the temperature stabilized.

I'm curious what the password is now. I don't see why it would be a problem to write the password on the side of the damned thing; if you wanted to hack a refrigerator you had physical access to, you could just reset it. The refrigerator we set up had to reboot so often that the college asked us to turn off alerts for resets.
 

carlbme

[H]ard|Gawd
Joined
Aug 17, 2001
Messages
1,233
Actually they do, because the one we worked on was a big, hairy, pain-in-the-butt to get it to talk to our pager system. It was used to store cultures, and if the temperature gets above a certain point they have to throw everything away. In fact, if lab workers opened the door too often it would lock people out until the temperature stabilized.

To be fair, it isn't always entirely clear that it is. For example, I just recently purchased a new refrigerator for our home. Nowhere on the model pamphlet on the showroom floor did it state that it had Internet connectivity. No WiFi button on the fridge or anything. On the models in the same family, but higher price range, it was advertised. On the Lowes (where I purchased it from) website it said nothing about the model I purchased having that capability either. On the manufacturer's website it stated that "some models" had it. About the only thing I didn't do was to download the manual for the machine and read it before the purchase.

Once it was installed and I started skimming through the manual, I saw that it indeed would connect up to WiFi and there was an app from LG to control and monitor. If I hadn't read the manual I'd have never known. But I also know most of my family, if they'd found out that it had that capability, would have enabled it right away because it's a cool new feature. I also know they wouldn't have taken the time to change the password, because that's just too much hassle or takes too much time when you could be playing with your shiny new app.

Anyway, the point is....it's not always apparent right away that these devices even have the capability to connect.
 

[Spectre]

[H] Admin
Staff member
Joined
Aug 29, 2004
Messages
17,259
Actually they do, because the one we worked on was a big, hairy, pain-in-the-butt to get it to talk to our pager system. It was used to store cultures, and if the temperature gets above a certain point they have to throw everything away. In fact, if lab workers opened the door too often it would lock people out until the temperature stabilized.

Doesn't require an internet connection. Things like that were managed for decades without the IoT.
 

Dayaks

[H]F Junkie
Joined
Feb 22, 2012
Messages
8,288
Actually they do, because the one we worked on was a big, hairy, pain-in-the-butt to get it to talk to our pager system. It was used to store cultures, and if the temperature gets above a certain point they have to throw everything away. In fact, if lab workers opened the door too often it would lock people out until the temperature stabilized.

I'm curious what the password is now. I don't see why it would be a problem to write the password on the side of the damned thing; if you wanted to hack a refrigerator you had physical access to, you could just reset it. The refrigerator we set up had to reboot so often that the college asked us to turn off alerts for resets.

Or just use labwatch on a network that is air-gapped and, if there are any alarms, security sends out an alert...
 

Dead Parrot

2[H]4U
Joined
Mar 4, 2013
Messages
2,831
Another security flaw not mentioned in TFA is the fact that the folks using these connected refrigeration devices also suck at configuring firewalls. Why are these things visible to the Internet at large? Limit communication to each device to the IP address(es) authorized to perform management of said devices. If the devices require management from a wide number of addresses, then require a VPN.

Wonder what other devices in these organizations are wide open to the Internet at large? Or worse, sending data to unknown outside organizations? The lack of concern about device passwords is a symptom of a larger problem.
 

BloodyIron

2[H]4U
Joined
Jul 11, 2005
Messages
3,439
Expecting the installer to change the default password is just ignoring that they won't ever give a fuck unless they have to. Just because it's in the manual means nothing.
 

Oldmodder

Gawd
Joined
Aug 24, 2018
Messages
706
IOS I call it, Internet Of Stupid.
Any person/company using, developing, or investing in this BS I am not able to trust one goddamn bit.
 
Joined
Mar 16, 2006
Messages
3,849
Me:*calls person with smart fridge* Is your refrigerator running?

Them: "Yes"

Me: *hacks into their fridge and makes screen play the Rick Roll video on loop* "How about now?"

Them: "Fuck you!"

:ROFLMAO:
 

Dodge245

Limp Gawd
Joined
Oct 8, 2018
Messages
186
That's a design flaw.

You have to know that customers will be lazy and not set proper passwords, so you have to design them to require a password change on first startup before you can use it, and set requirements on the password so you make sure it is strong.

And then a way to reset the password when everyone inevitably forgets it.
 

zkostik

Gawd
Joined
Sep 17, 2009
Messages
929
That's a design flaw.

You have to know that customers will be lazy and not set proper passwords, so you have to design them to require a password change on first startup before you can use it, and set requirements on the password so you make sure it is strong.

IoT is a design flaw (from security perspective) ;)

There really should be some kind of security certification kind of like UL for electrical safety. Would really be handy for consumers and IoT devices could be tested for security so hopefully at least reasonable minimum is established. Wishful thinking probably and too many people don't know or don't give a fuck...
 
Joined
Apr 17, 2007
Messages
778
IoT is a design flaw (from security perspective) ;)

There really should be some kind of security certification kind of like UL for electrical safety. Would really be handy for consumers and IoT devices could be tested for security so hopefully at least reasonable minimum is established. Wishful thinking probably and too many people don't know or don't give a fuck...

There should be, but there isn't. And since the people buying this stuff don't know enough to care, the manufacturers don't care because they already got their money and no one is forcing them to do anything about it.... It's not going to sort itself out without the entire issue being forced by some sort of legislation.
 