Slashdot Mirror


Ski Lift In Austria Left Control Panel Open On the Internet (bleepingcomputer.com)

An anonymous reader writes: Officials from the city of Innsbruck in Austria have shut down a local ski lift after two security researchers found its control panel open wide on the Internet, allowing anyone to take control of the ski lift's operational settings. There was no authentication in place, and anyone accessing the control panel could have modified the ski lift's speed, the distance between cable cars, and cable tension.

Coincidentally, researchers discovered the ski lift's control panel on the same day that NBC ran a report about a ski lift system suffering a mechanical malfunction, going at crazy speeds, and injuring 10 people. Both ski lifts were from the same vendor, but researchers say they weren't aware of the NBC report when they stumbled upon the one in Austria. Innsbruck officials shut down the ski lift for a security audit, and the ski lift is still nonoperational today.

59 comments

  1. Why does this need Internet by Anonymous Coward · · Score: 5, Insightful

    Can anyone explain why a ski lift could possibly need Internet-connected settings? What possible benefit is there to being able to control it if you aren't physically there to judge the operating conditions and environment, and to watch the customers?

    1. Re:Why does this need Internet by ELCouz · · Score: 1

      +1 Insightful! Why the fuck can someone control these critical parameters? What's next... Nuclear launch control over WAN?!

    2. Re:Why does this need Internet by iggymanz · · Score: 4, Interesting

      it pisses me off enough that at work we have faucets in the washroom that need the fucking batteries changed before they will dispense water. now young "engineers" think everything has to be internet connected too. fucking 'ooo shiny gadget toy' syndrome run amok

    3. Re:Why does this need Internet by Anonymous Coward · · Score: 2

      This is often done for vendor support purposes. If something goes wrong, you want the dummy operator to get help from a person who knows the system. Remote control access to heaters in business and government buildings is very widespread too, for the same reason. They just shouldn't be on the open internet, and the control panel should have built-in encryption and authentication, so that even if it is exposed to the internet, it can't be hijacked.

    4. Re:Why does this need Internet by Anonymous Coward · · Score: 1

      Dude, these are for-profit ski resorts. It costs extra to get a lift tech to drive out to solve a problem, particularly when the problem might be resolvable remotely.

      The reason why the lifts are not properly connected to the Internet is because even lift servicing companies are for-profit and like to save a buck.

      So, that and everyone's an idiot.

    5. Re:Why does this need Internet by Anonymous Coward · · Score: 1

      Touch-free faucets serve a different purpose than internet-connected things though. It's a sanitation improvement.

    6. Re:Why does this need Internet by iggymanz · · Score: 5, Insightful

      because faucets with foot pedal or that can be activated with elbow don't exist?

      it's a sanitation improvement when the thing doesn't work at all?

      get real anon, stop trying to defend the mental retardation

    7. Re:Why does this need Internet by war4peace · · Score: 5, Insightful

      It doesn't. It needs a network-connected web interface, but to most... let's say "not IT companies" such as a ski resort, there's no difference. These companies have one network, usually wholly connected to the Internet, and that's it. Default security and whatnot.
      Why does this happen? Simple, really. They see IT as "the cheapest dude we could find to take care of the internet stuff". And so they hire that dude, who, let's be honest, won't be someone who dropped $30K on classes and spent 5 years studying networking.

      One thing leads to another and voila, critical systems exposed to the Internet. Could be just a checkmark in the config panel, such as "open CP to the Internet", which someone thought would be a good idea, or a manager asking for it to see the default dashboard.

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)

    8. Re:Why does this need Internet by vtcodger · · Score: 3, Funny

      So, the repair person flies to the nearest large city, drives a rental car 70km at 25kph through a raging blizzard, hangs out for 45 minutes while the ski area finds someone who can open up the ski rental area, finds skis and boots that don't fit too badly, slogs 500 meters through the ongoing blizzard to get to the control shed ... Only to find that someone has changed the standard password. ... and that there is no cellphone service available at the control shed.

      Sounds like a giant leap forward for mankind to me.

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey

    9. Re:Why does this need Internet by Anonymous Coward · · Score: 0

      You're equating a ski lift to a nuclear weapon?

      Your hyperbole needs some work.

    10. Re:Why does this need Internet by Anonymous Coward · · Score: 0

      "Can anyone explain why this is even a story?"

      He just did.

    11. Re:Why does this need Internet by Anonymous Coward · · Score: 1

      I can see the reason behind it. For example, to control this from the manager's room in the ski building a few hundred meters away. I imagine the critical controls (on/off) are always on both the top and bottom of the lift within easy reach. I agree it's a bad idea however. Even though doing security right isn't that hard, it is so often done wrong. captcha: develop

    12. Re:Why does this need Internet by Anonymous Coward · · Score: 0

      It's called Ski Lift Simulator - Real Life Edition.

    13. Re:Why does this need Internet by msauve · · Score: 1

      Or the simple "push and water flows for 15 seconds" mechanical ones.

      Of course, you're then stuck with one of the electric "blows germs around the room" or "needs batteries to give you towels" things to dry your hands.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law

    14. Re:Why does this need Internet by rogoshen1 · · Score: 1

      Or you know the boss/director guy saying he wants to be able to connect remotely from home, but doesn't know what a fucking VPN is. (which kind of dovetails into what you just said.)

    15. Re:Why does this need Internet by Anonymous Coward · · Score: 0

      It's the most ridiculous hyperbole of the century!

    16. Re: Why does this need Internet by Anonymous Coward · · Score: 0

      Hello? The panel is online, unplug its ethernet and plug it into a WAP to get your phone online.

      If it's wireless then you can get service somehow. I'd expect someone working on mountains to have a satellite phone. Hopefully employer provided satellite phone if they are going to send techs up a frozen mountain.

    17. Re:Why does this need Internet by Anonymous Coward · · Score: 0

      Can anyone explain why a ski lift could possibly need Internet-connected settings? What possible benefit is there to being able to control it if you aren't physically there to judge the operating conditions and environment, and to watch the customers?

      Because companies like to say "now with more interwebs".

      And because those companies are incompetent at security.

      And because if you show someone there's an app for them on their phone of course they'll buy it. Or in this case "just configure it with your browser" or something like that.

      Dude, seriously ... have you been paying attention in the last decade? The plebes all want everything on the interwebs. Light bulbs, thermostats, fridges, door, door locks ...

      The problem is neither the consumer nor the vendor know enough or care enough about security. So there isn't any.

      Think about it, this is a ski hill, generally speaking you don't assume there's a "network team", do you? For ease of use, the vendor or the customer just plugged it in ... nobody put it in the DMZ hidden behind a secure login, or anything like that. Surprise, you've been pwn3d.

      Every goddamned internet connected thing is pretty much insecure. And they get put in by people who don't know enough (or more scary don't care enough) to safeguard them.

      I bet the number of control systems on the internet is absolutely appalling.

    18. Re:Why does this need Internet by Anonymous Coward · · Score: 0, Offtopic

      Or the simple "push and water flows for 15 seconds" mechanical ones.

      Of course, you then stuck with one of the electric "blows germs around the room" or "needs batteries to give you towels" things to dry your hands.

      You know, you have this cool and very useful thing called an immune system. Unless you're a queer and received the Anally Injected Death Sentence (AIDS). Then, I guess not.

      No, really, AIDS does favor gays for physical biological reasons. You see, unlike the self-lubricating vagina, anal sex has a very high chance of causing little lacerations/tears in the anal tissues which makes it much more likely for the virus to enter the body. It's as though nature has a preference. Not to mention that without female inhibitions or the (arguably feminine) demand for monogamy, it's not uncommon for gay men to have as many as hundreds of partners with each one increasing the risk (as the saying goes, you sleep with them AND everyone they've ever been with). Ah well, it's just "alternative" and "different" and I guess nature is discriminatory?

      I guess I can expect down-mods and maybe some token hand-waving. I certainly cannot expect a refutation of facts. No one still here on Slashdot has the guts to actually take on a factual argument anymore. That and you know I'm factually correct so you're starting from a position of weakness. Much easier to dismiss, isn't that right, you weak little men?

    19. Re:Why does this need Internet by war4peace · · Score: 1

      Believe me they know what VPN is. They're just too lazy to use it.

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)

    20. Re:Why does this need Internet by thegarbz · · Score: 1

      Can anyone explain why a ski lift could possibly need Internet-connected settings?

      Not internet connected: Remote settings. Just that remote in this case is likely on an unsecured network connected to the internet by idiots. Why would you need that? Ever notice a ski lift slows down if someone stumbles when getting on at the bottom, and also slows down when someone stumbles getting off at the top? Already you have two different locations you need to control a single system from. Guess what the *cheapest* way of doing that is.

      What possible benefit is there to being able to control it if you aren't physically there to judge the operating conditions and environment, and to watch the customers?

      Not everything is about control. Most of these systems are set up with remote access for data collection and equipment monitoring with control added in as a bonus for someone who needed an additional network based control.

      Some idiot likely ticked every checkbox and turned on everything.

    21. Re:Why does this need Internet by thegarbz · · Score: 1

      Or the simple "push and water flows for 15 seconds" mechanical ones.

      No that one simply is a retarded waste of water, incidentally they were banned in my city when we hit water restrictions 10 years ago.

    22. Re:Why does this need Internet by CaffeinatedBacon · · Score: 1

      It's LITERALLY the most ridiculous hyperbole EVER!

    23. Re:Why does this need Internet by bn-7bc · · Score: 1

      Well WAN is not a problem as long as the WAN in question is isolated from public networks (dark fiber or at least a dedicated lambda). But if you use WAN as a synonym for Internet, I completely agree

    24. Re:Why does this need Internet by Anonymous Coward · · Score: 0

      "For example, to control this from the manager's room in the ski building a few hundred meters away."

      That is the dumbest reason I have ever heard, control of any system that is critical to human safety should never be remote! Any sane human being should understand and not have to be explained this.

      Having worked with automated systems, most of the time remote access is requested so that management can gather statistics without having to request them from the maintainers. The PHB wants to monitor downtime and throughput so that they can show their bosses that they are doing work, often this is the first sign of a micro-manager. If IT wasn't seen as a lowest cost solution then proper security protocols would require reporting and control to be two completely separate systems, the sad part is that reporting is not even that costly a solution to implement separately from the control systems. For example, an Arduino connected to a couple of independent sensors would work out to a couple of hundred dollars per machine, and any decent programmer could tie several of them into a dashboard/reporting system. Unfortunately always hunting the lowest cost will see security traded for convenience every day.

    25. Re:Why does this need Internet by tlhIngan · · Score: 1

      because faucets with foot pedal or that can be activated with elbow don't exist?

      it's a sanitation improvement when the thing doesn't work at all?

      get real anon, stop trying to defend the mental retardation

      Foot pedal controls need installation of something into the floor. If it's mechanical, it means you need to run water to a valve on the floor then to the tap, which is a lot of plumbing. Then you need a shutoff valve so you can service the valve and taps as necessary without turning off building water supply, so it's either more stuff you bury in the floor (often concrete) or you're running pipes everywhere.

      Elbow valves are similar - people just don't want to touch them. They get very adept at kicking the valves. Germophobes can react very strangely.

      As for battery powered faucets, they are fine. If yours are constantly running out of battery, then the building manager needs to change them more often. They can last a surprisingly long time before the batteries actually need to be replaced even with near-constant use.

    26. Re:Why does this need Internet by iggymanz · · Score: 1

      No! for foot activated the valve can be in exactly the same place, only extra mechanical things are needed. and you're going to need another shutoff valve regardless of type of faucet, look under the sink in your home sometime!

      elbow activated valves are widely used, they've stood the test of time unlike malfunctioning battery operated valves which are not fine and always having problems.

      god, the level of mental retardation people have defending unnecessary tech is truly astounding.

    27. Re:Why does this need Internet by iggymanz · · Score: 1

      actually that "blow germs around the room" thing is a falsehood created by one of Dyson's competitors, they used sewage water on hands for testing to claim Dyson sprayed germs around the room. Soap-cleaned hands being dried have a different result.

      The piles of waste paper in a bin from paper towel hand drying are more problematic.....

    28. Re:Why does this need Internet by iggymanz · · Score: 1

      hey don't deride those that fuck the sewer pipe and wonder why pathogens are causing them to have horrible diseases, it's not nice

    29. Re:Why does this need Internet by msauve · · Score: 1

      2018 study

      There's my authority, published Feb 2018. AFAIK, Dyson's aren't heated, and that study dealt with "hot air hand dryers." Doesn't make sense that it would be funded by a Dyson competitor.

      But feel free to provide your proof that the study was funded by a Dyson competitor.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law

    30. Re: Why does this need Internet by nnull · · Score: 1

      Many reasons. With the advent of more use with Ethernet/IP and Modbus/TCP, LAN communication is more convenient and much easier to control. Even I use it for my equipment and all the various software I made to communicate with said equipment. Of course I care about security and have this entire network isolated and separated. I don't trust any device manufacturer. Even my ABB speed drives for some reason want to talk and send data to the Internet, wtf ABB? Blocked

      Then comes the support. Many manufacturers or builders of these control panels give themselves remote access to these panels. They always request internet access if you want technical support. Of course none of these people give a crap about security on both sides, the person buying the equipment and the manufacturers providing the equipment. And this isn't chump change here, we're talking about equipment ranging from 100K to millions.

      You would be surprised how many power stations, manufacturing places, etc I've been at that have full access from the internet (wide open ports) to teamviewer installed on all their HMIs with the key and password fully visible if you walk by the station.

      I always get moron naysayers that this is not true when we have a public case of it right here.

    31. Re: Why does this need Internet by nnull · · Score: 1

      Anyone that knows about PLC controls and these systems, there is no tick box. This was just laziness. These ports were deliberately opened for technical support. This is more common in the industry than anyone thinks. None of these people give a damn about security.

      If they can't get the ports opened, download teamviewer on a pc with the required software, there you go.

    32. Re: Why does this need Internet by nnull · · Score: 1

      It's strange to me as a person that buys expensive equipment like this, that none of the manufacturers of this equipment take any precautions against this. They sell DIN rail mounted network switches with firewalls now. Most of them the size of the typical DIN rail mounted network switches. They will not spend the extra $600 to secure their internal stuff, even when the machine costs millions of dollars and they're getting great returns for selling it.

    33. Re: Why does this need Internet by nnull · · Score: 1

      Most places don't even hire the cheapest IT dude.

      They don't even hire IT at all, ever!

      Most places it's always a one time thing, they have the guy install the system and that's it, gone. Many places are like this. My neighbor's place is still all Cisco 100M switches and connections done way back years ago. The firewall is probably just as old.

    34. Re: Why does this need Internet by thegarbz · · Score: 1

      Anyone that knows about PLC controls and these systems, there is no tick box.

      Errr who said anything about PLC controls and these systems? The tick box exercise is done entirely at the procurement stage where some project manager likely decreed they want everything, for flexibility of course and because it's cheaper to specify the most flexible solution up front rather than risk a late stage variation order. We can program PLCs and networks to do whatever customers want.

      This was just laziness.

      Nope. This was incompetence, an important distinction that applies regardless if these ports were there for some functional reason, maintenance reason, or otherwise.

  2. Re:Should have used apps! by Anonymous Coward · · Score: 0

    This is the patrician /. meme

  3. open wide? by Anonymous Coward · · Score: 0

    Sounds like a goatse.cx thing. The correct translation is, left WIDE OPEN!

  4. probably the tip of the iceberg. by pezpunk · · Score: 1

    great, now every time i get on a roller coaster, elevator, or subway train i'm just going to be wondering about whether there are online control systems for those things, and if i trust that company to properly secure it. it's a problem likely to become more widespread over time.

    --
    i could live a little longer in this prison

    1. Re:probably the tip of the iceberg. by Anonymous Coward · · Score: 0

      An elevator at DEFCON a few years ago was hacked to keep going to the top and bottom floors and never opening. They called the LVFD.

    2. Re:probably the tip of the iceberg. by Anonymous Coward · · Score: 0

      Amazing that anything at a DEFCON venue works at all

  5. They say by Tablizer · · Score: 4, Funny

    I hear it got infected by the S0nnyB0n0 virus.

    1. Re:They say by Anonymous Coward · · Score: 2, Funny

      I hear it got infected by the S0nnyB0n0 virus.

      Thanks for Cher-ing that.

    2. Re:They say by Tablizer · · Score: 1

      No problem, I got you, babe.

  6. Re: Should have used apps! by Anonymous Coward · · Score: 0

    Nah, just having proper host file management would have deflected all appy apps.

    SKI

  7. Re:Hold people accountable by Anonymous Coward · · Score: 0

    Trump doesn't approve, he likes it in there the way it is, just him and Hillary.

  8. Sounds like ready for a new James Bond movie by Anonymous Coward · · Score: 0

    The evil villain tries to kill Bond on ski-lift via the Internet.

  9. If only APK hostfiles worked by Anonymous Coward · · Score: 1

    They could have protected themselves with APK's hosts files.

    But alas, that dumb bitch doesn't know how to sign software he expects you to run as administrator.

    ZIP - so much winning...

    1. Re:If only APK hostfiles worked by Anonymous Coward · · Score: 0

      You can't forget that it stops inbound connections and does port filtering. I know because I once saw an APK post where he said it does those things. APK is the master of all things infosec

  10. I don't understand by Anonymous Coward · · Score: 0

    I thought we arrested people for doing this kind of thing.

    Why aren't they in prison for endangering lives?

    I mean the "researchers" aka hackers.

  11. That’s how they filmed by donstenk · · Score: 1

    Kingsmen!! The second one which was brilliant if odd.

    --
    Dennis Onstenk

  12. Insane by AndyKron · · Score: 1

    Why the hell does a ski lift control panel need to be online? Insane.

  13. In the future dumb tv plots will be believed by Anonymous Coward · · Score: 0

    You know how you see all these tv shows with hackers making the coffee machine spew hot coffee at a person, or someone hacking the garage door to fall on someone breaking their neck ? 5 years ago those plots were ludicrous, now they may become fact thanks to the connect everything mantra.
    Don't blame the engineers either, we just do what we're told.
    Marketing : Make a Bluetooth enabled carving knife !
    Engineer: Why ? couldn't that harm someone trying to enable it and use it at the same time ? What would be the point ?
    CEO: How much more can we charge for each SKU ?
    Engineer: But how do you use it while holding your phone ?
    Marketing: It will say bluetooth on the box, people will love it
    Engineer: You also have to have an app for it and what would you put in the app ? battery and on/off ? we could do that with a single led instead.
    Marketing : But then it wouldn't have bluetooth !
    CEO: Genius, we do bluetooth with an app and battery and on/off, add the led too just like the engineer suggested
    Engineer: wait, I said it doesn't make sense to .....
    Marketing: Can we add wifi support with alexa too ?
    CEO: Alexa support too, this will be a game changer, get right on it ! Oh and set the pairing code to 1234, can't have people calling our help lines for a code only the owner will need.
    Engineer: sigh, I'll get right on the alexa, bluetooth , carving knife sir

  14. Shodan Safari by Anonymous Coward · · Score: 0

    As an infosec pro, this stuff sickens me, and it happens WAY more often than people who don't live this stuff think:

    https://twitter.com/hashtag/shodansafari?lang=en

  15. He's a stable genius by Anonymous Coward · · Score: 0

    APK truly is a batch file genius

    ZIP