
"An employee left the default admin PIN for the equipment on a Post-it note attached to one of the treadmills. This allowed a hotel guest to log into the control panel and queue up '80s music videos."
"Fortunately, the 'attacker' didn't do any real damage, but if someone more enterprising had gained control of these machines, they could have potentially used them for command-and-control attacks."
"JC said that he has taken the incident as a learning opportunity. Now his team isolates all consoles on a guest VLAN, changes the default passwords, and even disables USB ports on fitness equipment."
"Merritt Maxim, VP and research director at Forrester Research, said he would also restrict outgoing access at the firewall level so that the gym machines could only send and receive data from Netflix."
A gym equipment installation incident revealed the dangers of leaving default security credentials unsecured. An employee left a default admin PIN on a Post-it note, allowing a hotel guest to access the control panel and play music videos. Although no significant damage occurred, the situation highlighted potential vulnerabilities. In response, the company implemented measures such as isolating consoles on a guest VLAN, changing default passwords, and disabling USB ports. Recommendations also included restricting outgoing access at the firewall level to enhance security.
Read at The Register