Supermarket freezers and other food storage could have been hacked following flaws discovery


  • Ten bugs were found in E2 and E3 Copeland controllers
  • Copeland released a fix with a firmware update
  • When combined, the flaws can lead to remote code execution

Two Copeland controllers, electronic control systems used in refrigeration and HVAC applications, were carrying almost a dozen vulnerabilities that could have been exploited for privilege escalation and remote code execution (RCE), putting thousands of companies at risk.

E2 and E3 Copeland controllers are designed to manage temperature, energy use, and system performance. They’re commonly found in supermarkets, convenience stores, and foodservice operations, and they are apparently quite popular in the United States.

Recently, security researchers from the operational technology security firm Armis found a total of 10 vulnerabilities, and collectively named them Frostbyte10. They reported their findings to Copeland, which issued a firmware update to address the flaws and mitigate potential risks.

According to The Register, Copeland has a presence in more than 40 countries, with giants such as Kroger, Albertsons, and Whole Foods among its customers. It reported $4.75 billion in revenue in 2024.

Firmware update

Of the two controllers, E2 reached end-of-life in October, the publication added, but Copeland still issued a firmware update. Users are advised to upgrade to the newest model - E3 - and to make sure they’re running at least firmware version 2.31F01.

The US Cybersecurity and Infrastructure Security Agency (CISA) is expected to issue an advisory about these flaws as well, but it wasn’t published by press time. Still, CISA said combining the problems “can result in unauthenticated remote code execution with root privileges,” The Register noted.

So far, Armis appears to be the first to discover the flaws, and there is no evidence that any of them had been abused in the wild before the disclosure. However, if businesses don’t patch their devices, they will remain exposed to widely known, publicized flaws. Many threat actors deliberately wait for someone else to discover vulnerabilities, betting that most firms don’t apply the fixes on time.

Via The Register


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
