Officials from the city of Innsbruck in Austria have shut down a local ski lift after two security researchers found its control panel wide open on the Internet, allowing anyone to take control of the ski lift’s operational settings.
Control panel let users interact with the ski lift’s settings
On March 16, Schäfers and Neef discovered the Human Machine Interface (HMI) used for controlling Patscherkofelbahn, a ski lift that connects the village of Igls with the Patscherkofel mountain resort, to the south of Innsbruck.
The two were surprised because there wasn’t any login screen to prevent Internet users from accessing and interacting with the HMI panel.
Settings for controlling the ski lift’s speed, the distance between cable cars, and cable tension were all exposed in the open, along with logs and other data.
Ski lift shut down on the same day
The two immediately contacted the Computer Emergency and Response Team (CERT) in Austria, who, according to a blog post, sent their Innsbruck contact to alert local Innsbruck authorities on the same day.
Despite not having any evidence of malicious use, the city of Innsbruck decided to shut down the entire Patscherkofelbahn ski lift and have it undergo a security audit. According to Austrian media [1, 2], the ski lift was still offline this week.
The Innsbruck officials’ severe reaction might have been influenced by an NBC report that came out on the same day, showing footage of a malfunctioning ski lift in the ski resort of Gudauri,…