Officials from the city of Innsbruck in Austria have shut down a local ski lift after two security researchers found its control panel wide open on the Internet, allowing anyone to take control of the ski lift's operational settings.
On March 16, Schäfers and Neef discovered the Human Machine Interface (HMI) used for controlling Patscherkofelbahn, a ski lift that connects the village of Igls with the Patscherkofel mountain resort, to the south of Innsbruck.
The two were surprised because there wasn't any login screen to prevent Internet users from accessing and interacting with the HMI panel.
Settings for controlling the ski lift's speed, the distance between cable cars, and cable tension were all exposed in the open, along with logs and other data.
The two immediately contacted the Computer Emergency Response Team (CERT) in Austria, which, according to a blog post, sent its Innsbruck contact to alert local Innsbruck authorities on the same day.
Despite not having any evidence of malicious use, the city of Innsbruck decided to shut down the entire Patscherkofelbahn ski lift and undergo a security audit. According to Austrian media [1, 2], the ski lift was still offline this week.
The Innsbruck officials' severe reaction might have been influenced by an NBC report that came out on the same day, showing footage of a malfunctioning ski lift in the ski resort of Gudauri, Georgia.
A mechanical malfunction was at the heart of the Gudauri incident, but the video did go viral among skiing enthusiasts and was most likely seen by Austrian authorities.
Coincidences don't stop here, as both the Patscherkofelbahn and Gudauri ski lifts were from the same vendor, local Austrian firm Doppelmayr.
In a private conversation with Bleeping Computer, Schäfers, one of the researchers, said he wasn't aware of the ski lift incident in Georgia when he found the HMI of the Austrian ski lift.
"It was a coincidence," Schäfers told us. "We have done Internet-wide scanning for human-machine interfaces (HMIs) several times in the past. We use the method as explained in our blogpost and are looking for specific vendor IDs."
The reason Schäfers was looking for Doppelmayr Garaventa vendor IDs was because he previously found HTTP Header Injection and cross-site scripting (XSS) flaws in an earlier version of the ski lift's HMI software.
"We reported these issues to the manufacturer of the software, and it was fixed," Schäfers told us, also revealing that the Patscherkofelbahn ski lift was running an older version of the HMI software, still vulnerable to the flaws he reported.
Schäfers also told Bleeping Computer that the ski lift control panel was served over an unencrypted HTTP connection.
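The two exposure conditions reported here, a control panel that answers unauthenticated requests and one served over plaintext HTTP, are the kind of thing an operator can check against its own HMI inventory before a third party does. The following audit script is an added example and is not code from the article, the researchers, or Doppelmayr: the fake HMI it starts on localhost, the `/open` and `/locked` paths, and the `setpoint` form field are constructed stand-ins, and `audit_hmi` is a hypothetical helper name.

```python
"""Audit checks for a web-based HMI endpoint: is it reachable without
credentials, and is it served over plaintext HTTP?

Added example, not part of the original article. The HMI pages, the
/open and /locked paths, and the 'setpoint' form field are constructed
stand-ins; nothing here is any vendor's real interface.
"""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Constructed fake HMI page: a form that would change an operational setting.
HMI_PAGE = (b"<html><body><h1>Lift control</h1>"
            b"<form><input name='setpoint'></form></body></html>")


class FakeHMI(BaseHTTPRequestHandler):
    """Two constructed endpoints: /open answers anyone, /locked demands HTTP Basic auth."""

    def do_GET(self):
        expected = "Basic " + base64.b64encode(b"operator:secret").decode()
        if self.path == "/locked" and self.headers.get("Authorization") != expected:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="hmi"')
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(HMI_PAGE)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_fake_hmi():
    """Start the constructed HMI on an ephemeral localhost port; return its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), FakeHMI)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"


def audit_hmi(url, timeout=3):
    """Return the list of findings for one HMI URL using a single unauthenticated GET.

    The findings mirror what the article reports for Patscherkofelbahn:
    'plaintext-http'  - the panel is served without TLS
    'no-auth'         - the panel answers 200 to a request carrying no credentials
    'control-form'    - the unauthenticated page already exposes a settings form
    """
    findings = []
    if urlparse(url).scheme != "https":
        findings.append("plaintext-http")
    req = urllib.request.Request(url, headers={"User-Agent": "hmi-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as e:
        status, body = e.code, b""  # 401/403 here is the desired outcome
    if status == 200:
        findings.append("no-auth")
        if b"<form" in body.lower():
            findings.append("control-form")
    return findings


if __name__ == "__main__":
    base = start_fake_hmi()
    for path in ("/open", "/locked"):
        print(path, audit_hmi(base + path))
```

Run against a list of your own HMI URLs, an empty findings list is the target state; `no-auth` together with `control-form` is the Patscherkofelbahn situation, and `plaintext-http` alone still means operator credentials cross the network in the clear.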
Schäfers and Neef also made it clear that they did not interact with the ski lift's panel at the time of the discovery, fearing they might put passengers at risk, as the ski lift was in use. Instead, they opted for the safe route and reported the issues to CERT Austria.
Now, according to CERT Austria, all these issues are being corrected and Innsbruck officials are taking extreme care to roll out a secure system before the summer season opens and tourists start flooding in.
As for Schäfers and Neef, the two said they'll continue to scan the Internet for unprotected systems. "It's like finding a 'needle in the haystack' and is a lot of fun," Schäfers told us.
"In the past, we also found the building control panel of a clinic in Switzerland, the control panel of mobile traffic lights in Germany, control panels of wind farms across the world, and three waterworks in Germany."
"We had direct control over the Industrial Control Systems (ICSs) and would have been able to turn off the water for thousands of people, in the case of the waterworks systems, or do other harm," Schäfers said.
Schäfers and Neef's work for the InternetWache project has been so instrumental in the past that they've often been cited in official reports published by BSI, Germany's Federal Office for Information Security.
Image credits: Doppelmayr, Tim Philipp Schäfers