Friday, April 27, 2018

Ski Lift shut down because of bad Internet security

I'm not making this up, you know:
Officials from the city of Innsbruck in Austria have shut down a local ski lift after two security researchers found its control panel wide open on the Internet, allowing anyone to take control of the ski lift's operational settings.
The two researchers are Tim Philipp Schäfers and Sebastian Neef, both with an IT security-focused organization.
On March 16, Schäfers and Neef discovered the Human Machine Interface (HMI) used for controlling Patscherkofelbahn, a ski lift that connects the village of Igls with the Patscherkofel mountain resort, to the south of Innsbruck. 
The two were surprised because there wasn't any login screen to prevent Internet users from accessing and interacting with the HMI panel.
Settings for controlling the ski lift's speed, the distance between cable cars, and cable tension were all exposed in the open, along with logs and other data.
What's a worse password than "password"?  Not requiring a password at all.  Herren Schäfers and Neef realized the danger to life and limb and went straight to Austria's Computer Emergency Response Team.  CERT contacted the ski resort, who shut down the lift.

As I like to say, security wasn't an afterthought, it wasn't thought of at all.  It's distressingly common:
As for Schäfers and Neef, the two said they'll continue to scan the Internet for unprotected systems. "It's like finding a 'needle in the haystack' and is a lot of fun," Schäfers told us.
"In the past, we also found the building control panel of a clinic in Switzerland, the control panel of mobile traffic lights in Germany, control panels of wind farms across the world, and three waterworks in Germany." 
"We had direct control over the Industrial Control Systems (ICSs) and would have been able to turn off the water for thousands of people, in the case of the waterworks systems, or do other harm," Schäfers said.
I was promised that when the future came, I'd have a flying car.  Instead, everything is insecure because idiots set everything up.


Gorges Smythe said...

Wow! Some folks are unbelievable.

Jerry said...

It's called security by obscurity. Bruce Sterling's 1992 book, "The Hacker Crackdown: Law and Disorder on the Electronic Frontier" is a marvelous reading about this. The e-book is available in the public domain.

In any case, critical infrastructure in the United States is unsecured. The problem is that multiple layers of government control these various infrastructures. No one is moving until we have a million dead.

Unknown said...

What could go wrong?

Andrew Wetzel said...

Why in the heck does any of this have to be open to the internet? What ever happened to the good old days of dedicated systems and someone actually getting up off their asses to do updates and maintenance?

Doomed, Doomed I say.

McChuck said...

We're surrounded by @$$holes!

Roy said...

Why doesn't someone actually get up off their ass to do updates and maintenance? Because management has to *pay* someone to do it, and that, my friend, goes against all modern management philosophy.

Employees? We don't need no stinkin employees. Especially since everything can be done remotely from India or Bangladesh by the lowest bidder.