Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security The Internet IT

Ski Lift In Austria Left Control Panel Open On the Internet (bleepingcomputer.com) 59

An anonymous reader writes: Officials from the city of Innsbruck in Austria have shut down a local ski lift after two security researchers found its control panel open wide on the Internet, and allowing anyone to take control of the ski lift's operational settings. There was no authentication in place, and anyone accessing the control panel could have modified the ski lift's speed, the distance between cable cars, and cable tension.

Coincidentally, researchers discovered the ski lift's control panel on the same day that NBC ran a report about a ski lift system suffering a mechanical malfunction, going at crazy speeds, and injuring 10 people. Both ski lifts were from the same vendor, but researchers say they weren't aware of the NBC report when they stumbled upon the one in Austria. Innsbruck officials shut down the ski lift for a security audit, and the ski lift is still nonoperational today.

This discussion has been archived. No new comments can be posted.

Ski Lift In Austria Left Control Panel Open On the Internet

Comments Filter:
  • by Anonymous Coward on Thursday April 26, 2018 @04:36PM (#56509825)

    Can anyone explain why a ski lift could possibly need Internet-connected settings? What possible benefit is there to being able to control it if you aren't physically there to judge the operating conditions and environment, and to watch the customers?

    • by ELCouz ( 1338259 )
      +1 Insightful! Why the fuck someone can control these critical parameters? What's next....Nuclear launch control over WAN?!
      • by bn-7bc ( 909819 )
        Well WAN is not a problem as long as the WANin question is isolated from public norwoeks (dark finer or at least a dedicated lambda). But if you use wan as a synonuym for Internet, I completly agree
      • Many reasons. With the advent of more use with Ethernet/IP and Modbus/TCP, LAN communication is more convenient and much easier to control. Even I use it for my equipment and all the various software I made to communicate with said equipment. Of course I care about security and have this entire network isolated and separated. I don't trust any device manufacturer. Even my ABB speed drives for some reason want to talk an send data to the Internet, wtf ABB? Blocked

        Then comes the support. Many manufacturers or

    • by iggymanz ( 596061 ) on Thursday April 26, 2018 @04:49PM (#56509905)

      it pisses me off enough that at work we have faucets in the washroom that need the fucking batteries changed before they will dispense water. now young "engineers" think everything has to be internet connected too. fucking 'ooo shiny gadget toy' syndrome run amok

      • by Anonymous Coward

        Touch free faucets serve a different purpose that internet connected things though. It's a sanitation improvement.

        • by iggymanz ( 596061 ) on Thursday April 26, 2018 @05:16PM (#56510041)

          because faucets with foot pedal or that can be activated with elbow don't exist?

          it's a sanitation improvement when the thing doesn't work at all?

          get real anon, stop trying to defend the mental retardation

          • by msauve ( 701917 )
            Or the simple "push and water flows for 15 seconds" mechanical ones.

            Of course, you then stuck with one of the electric "blows germs around the room" or "needs batteries to give you towels" things to dry your hands.
            • Or the simple "push and water flows for 15 seconds" mechanical ones.

              No that one simply is a retarded waste of water, incidentally there were banned in my city when we hit water restrictions 10 years ago.

            • actually that "blow germs around the room" thing is a falsehood created by one of Dyson's competitors, they used sewage water on hands for testing to claim Dyson sprayed germs around the room. Soup cleaned hands being dried have a different result.

              The piles of waste paper in a bin from paper towel hand drying are more problematic.....

              • by msauve ( 701917 )
                2018 study [asm.org]

                There's my authority, published Feb 2018. AFAIK, Dyson's aren't heated, and that study dealt with "hot air hand dryers." Doesn't make sense that it would be funded by a Dyson competitor.

                But feel free to provide your proof that the study was funded by a Dyson competitor.
          • by tlhIngan ( 30335 )

            because faucets with foot pedal or that can be activated with elbow don't exist?

            it's a sanitation improvement when the thing doesn't work at all?

            get real anon, stop trying to defend the mental retardation

            Foot pedal controls need installation of something into the floor. If it's mechanical, it means you need to run water to a valve on the floor then to the tap, which is a lot of plumbing. Then you need a shutoff valve so you can service the valve and taps as necessary without turning off building water suppl

            • No! for foot activated the valve can be in exactly the same place, only extra mechanical things are needed. and you're going to need another shutoff valve regardless of type of faucet, look under the sink in your home sometime!

              elbow activated valves are widely used, they've stood the test of time unlike malfunctioning battery operated valves which are not fine and always having problems.

              god, the level of mental retardation people have defending unnecessary tech is truly astounding.

    • by Anonymous Coward

      This is often done for vendor support purposes. If something goes wrong, you want the dummy operator to get help from a person who knows the system. Remote control access to heaters in business and government buildings is very widespread too, for the same reason. They just shouldn't be on the open internet, and the control panel should have built-in encryption and authentication, so that even if it is exposed to the internet, it can't be hijacked.

      • by vtcodger ( 957785 ) on Thursday April 26, 2018 @05:21PM (#56510069)

        So, the repair person flies to the nearest large city, drives a rental car 70km at 25kph through a raging blizzard, hangs out for 45 minutes while the ski area finds someone who can open up the ski rental area, finds skis and boots that don't fit too badly, slogs 500 meters through the ongoing blizzard to get to the control shed ... Only to find that someone has changed the standard password. ... and that there is no cellphone service available at the control shed.

        Sounds like a giant leap forward for mankind to me.

    • by Anonymous Coward

      Dude, these are for-profit ski resorts. It costs extra to get a lift tech to drive out to solve a problem, particularly when the problem might be resolvable remotely.

      The reason why the lifts are not properly connected to the Internet is because even lift servicing companies are for-profit and like to save a buck.

      So, that and everyone's an idiot.

    • by war4peace ( 1628283 ) on Thursday April 26, 2018 @05:17PM (#56510053)

      It doesn't. It needs a network-connected web interface, but to most... let's say "not IT companies" such a ski resort, there's no difference. These companies have one network, usually wholly connected to the Internet, and that's it. Default security and whatnot.
      Why does this happen? Simple, really. They see IT as "the cheapest dude we could find to take care of the internet stuff". And so they hire that dude, which let's be honest, won't be someone who dropped $30K on classes and spent 5 years studying networking.

      One thing leads to another and voila, critical systems exposed to the Internet. Could be just a checkmark in config panel, such as "open CP to the Internet", which someone thought it would be a good idea. or a manager asking for it to see the default dashboard.

      • Or you know the boss/director guy saying he wants to be able to connect remotely from home, but doesn't know what a fucking VPN is. (which kind of dovetails into what you just said.)

      • Most places don't even hire the cheapest IT dude.

        They don't even hire IT at all, ever!

        Most places it's always a one time thing, they have the guy install the system and that's it, gone. Many places are like this. My neighbors place is still all Cisco 100M switches and connections done way back years ago. The firewall is probably just as old.

    • by Anonymous Coward

      I can see the reason behind it. For example, to control this from the managers room in the ski building a few hundred meters away. I imagine the critical controls (on/off) are always on both the top and bottom of the lift within easy reach. I agree it's a bad idea however. Even though doing security right isn't that hard, it is so often done wrong. captcha: develop

    • Can anyone explain why a ski lift could possibly need Internet-connected settings?

      Not internet connected: Remote settings. Just that remote in this case is likely on an unsecured network connected to the internet by idiots. Why would you need that? Ever notice a ski lift slows down if someone stumbles when getting on at the bottom, and also slows down when someone stumbles getting off at the top? Already you have two different locations you need to control a single system from. Guess what the *cheapest* way of doing that is.

      What possible benefit is there to being able to control it if you aren't physically there to judge the operating conditions and environment, and to watch the customers?

      Not everything is about control. Most of these systems are setup

      • Anyone that knows about PLC controls and these systems, there is no tick box. This was just laziness. These ports were deliberately opened for technical support. This is more common in the industry than anyone thinks. None of these people give a damn about security.

        If they can't get the ports opened, download teamviewer on a pc with the required software, there you go.

        • Anyone that knows about PLC controls and these systems, there is no tick box.

          Errr who said anything about PLC controls and these systems? The tick box exercise is done entirely at the procurement stage where some project manager likely decreed they want everything, for flexibility of course and because it's cheaper to specify the most flexible solution up front rather than risk a late stage variation order. We can program PLCs and networks to do whatever customers want.

          This was just laziness.

          Nope. This was incompetence, an important distinction that applies regardless if these ports were there for some fu

  • great, now every time i get on a roller coaster, elevator, or subway train i'm just going to be wondering about whether there are online control systems for those things, and if i trust that company to properly secure it. it's a problem likely to become more widespread over time.

  • They say (Score:4, Funny)

    by Tablizer ( 95088 ) on Thursday April 26, 2018 @04:53PM (#56509935) Journal

    I hear it got infected by the S0nnyB0n0 virus.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      I hear it got infected by the S0nnyB0n0 virus.

      Thanks for Cher-ing that.

  • by Anonymous Coward

    They could have protected themselves with APK's hosts files.

    But alas, that dumb bitch doesn't know how to sign software he expect you to run as administrator.

    ZIP - so much winning... [slashdot.org]

  • Kingsmen!! The second one which was brilliant if odd.

  • Why the hell does a ski lift control panel need to be online? Insane.

"All the people are so happy now, their heads are caving in. I'm glad they are a snowman with protective rubber skin" -- They Might Be Giants

Working...