Horrified looking at the featured image? No, that's not what actually happened in this case, but we used the image to give you an idea of how bad the situation could have been had the vulnerability been found by hackers with malicious intentions.
Thankfully, in this case, the serious problem – with the potential to seriously affect the lift operating in the ski area of Patscherkofel (Austria) – was first noticed by white-hat hackers Sebastian Neef and Tim Philipp Schäfers.
Basically, the security researcher duo was able to remotely access the control unit of the ski lift system through the Internet (apparently by hacking the system’s website). While they didn’t actually test anything out, they said the control unit access offered them the ability to start/stop/reverse the lifts as well as play with the safety distance between lifts.
“The control of the Patscherkofelbahn was accessible via a web interface unencrypted and without the need for authentication via the Internet,” said Schäfers in an interview.
“However, we do not have a corresponding check on the effect that a click on a button within the web interface would have had, since such access would be illegal under current law and, in our opinion, dangerous,” the researcher added.
The lift was manufactured by the Doppelmayr/Garaventa group. Their website claims they are the “world’s leading manufacturer of ropeways, cable cars and ski lifts.” The group also claims “superlative safety level” for their products, but clearly that’s not the case.
If you compare, the screenshot of the control system (shown above) shared by the researchers is similar to the one shown by the company on its website (see below).
Presumably due to the seriousness of the vulnerability, the researchers shared the information about it with the manufacturer, who acted quickly to fix the loophole. The company also acknowledged its mistake.
“That was a mistake on our part and we changed that immediately when the operator informed us,” said a company representative. “It is important that the safety of passengers at no time was compromised.”
The researchers also informed Austria's National Computer Emergency Response Team, which said the lift won't be allowed to operate until a better security system is in place.
While Internet connectivity is proving very useful in this day and age, incidents like these show that, when not handled properly, it poses serious threats as well. What's good is that no one was harmed in this case, unlike the incident depicted in the featured image, which was a manual error. Take a look at the tweet below to see how bad it was.