Officials from the city of Innsbruck in Austria have shut down a local ski lift after two security researchers found its control panel open wide on the Internet, allowing anyone to take control of the ski lift's operational settings.
The two researchers are Tim Philipp Schäfers and Sebastian Neef, both with InternetWache.org, an IT security-focused organization.
On March 16, Schäfers and Neef discovered the Human Machine Interface (HMI) used for controlling Patscherkofelbahn, a ski lift that connects the village of Igls with the Patscherkofel mountain resort, to the south of Innsbruck.
The two were surprised because there wasn't any login screen to prevent Internet users from accessing and interacting with the HMI panel.
Settings for controlling the ski lift's speed, the distance between cable cars, and cable tension were all exposed in the open, along with logs and other data.
What's a worse password than "password"? Not requiring a password at all. Herren Schäfers and Neef realized the danger to life and limb and went straight to Austria's Computer Emergency Response Team. CERT contacted the ski resort, who shut down the lift.
As I like to say, security wasn't an afterthought, it wasn't thought of at all. It's distressingly common:
As for Schäfers and Neef, the two said they'll continue to scan the Internet for unprotected systems. "It's like finding a 'needle in the haystack' and makes a lot of fun," Schäfers told us,
"In the past, we also found the building control panel of a clinic in Switzerland, the control panel of mobile traffic lights in Germany, control panels of wind farms across the world, and three waterworks in Germany."
"We had direct control over the Industrial Control Systems (ICSs) and would have been able to turn off the water for thousands of people, in the case of the waterworks systems, or do other harm," Schäfers said.
I was promised that when the future came, I'd have a flying car. Instead, everything is insecure because idiots set everything up.