A recent report by the ICS-Cert advisory states that the Midas and Midas black gas detectors made by Honeywell are vulnerable to attack. The hack allows people to modify the settings of the device without proper authentication.
There are two major issues with these products.
The web server allows the authentication process to be bypassed which could allow unauthorised configuration changes to the device as well as initiation of calibration or test processes. This issue has been given a high common vulnerability score, according to v3 (CVSS) base score, of 8.6.
In addition, users' passwords are not being encrypted during transmission, meaning anyone could get access to these details by intercepting them. This has been given a CVSS v3 score of 9.4.
According to the ICS report, these vulnerabilities are easily exploitable and could potentially be done with ease by a low skill hacker. However, the report said there are no known exploits to this issue.
Invited to comment on this article, Honeywell declined, directing us instead to a statement advising customers to download a security patch or isolate the devices from external networks.
