UK Ministry of Justice secures HVAC systems 'protected' by passwordless Wi-Fi after Register tipoff
2021-11-23 10:15

The Ministry of Justice has secured a set of Wi-Fi access points that potentially gave admin access to industrial control equipment after a tipoff by The Register.

Four unsecured wireless networks named "Boiler Pump 1" to "Boiler Pump 4" were freely accessible in the Royal Courts of Justice until The Register told officials what was happening.

A malicious person who connected to the unsecured access point and viewed the pumps' login portal branding could easily have put two and two together and gained admin access to the pumps.

Her Majesty's Courts and Tribunals Service spokesman Jake Conneely told The Register: "Staff took immediate action to ensure these facilities cannot be accessed and maintain security across the courts."

A knowledgeable source from a pentesting company, whom The Register is not naming because they were not speaking on behalf of their employer, confirmed to us that HVAC system components tend to be provisioned with a Wi-Fi access point for local access by maintenance contractors.

The existence of the vulnerability is surprising: as the country's biggest and highest-profile civil court, the RCJ complex is a public space, meaning those in charge of the RCJ HVAC systems should have foreseen others being able to see the unsecured wireless access points.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/11/23/unsecured_rcj_hvac_wifi_routers/