

Frostbyte10 Bugs Put Thousands of Refrigerators At Major Grocery Chains At Risk (theregister.com)

(Tuesday September 02, 2025 @11:30PM (BeauHD) from the time-to-patch dept.)


An anonymous reader quotes a report from The Register:

> Ten vulnerabilities in Copeland controllers, which are found in thousands of devices used by the world's largest supermarket chains and cold storage companies, could have [1]allowed miscreants to manipulate temperatures and spoil food and medicine, leading to massive supply-chain disruptions. The flaws, collectively called Frostbyte10, affect Copeland E2 and E3 controllers, used to manage critical building and refrigeration systems, such as compressor groups, condensers, walk-in units, HVAC, and lighting systems. Three received critical-severity ratings. Operational technology security firm Armis found and reported the 10 bugs to Copeland, which has since issued firmware updates that fix the flaws in both the E3 and the E2 controllers. The E2s reached their official end-of-life in October, and affected customers are encouraged to move to the newer E3 platform. Upgrading to Copeland firmware version 2.31F01 mitigates all the security issues detailed here, and the vendor recommends patching promptly.

>

> In addition to the Copeland updates, the US Cybersecurity and Infrastructure Security Agency (CISA) is also scheduled to release advisories today, urging any organization that uses vulnerable controllers to patch immediately. Prior to these publications, Copeland and Armis execs spoke exclusively to The Register about Frostbyte10, and allowed us to preview an Armis report about the security issues. "When combined and exploited, these vulnerabilities can result in unauthenticated remote code execution with root privileges," it noted. [...] To be clear: there is no indication that any of these vulnerabilities were found and exploited in the wild before Copeland issued fixes. However, the manufacturer's ubiquitous reach across retail and cold storage makes it a prime target for all manner of miscreants, from nation-state attackers looking to disrupt the food supply chain to ransomware gangs looking for victims who will quickly pay extortion demands to avoid operational downtime and food spoilage.



[1] https://www.theregister.com/2025/09/02/frostbyte10_copeland_controller_bugs/



I can't see how food storage can be 100% automated (Score:4, Insightful)

by 93 Escort Wagon ( 326346 )

There should always be at least a few people on-site at any of these locations. So why are these things on the internet?

Re: (Score:2)

by XXongo ( 3986865 )

> There should always be at least a few people on-site at any of these locations. So why are these things on the internet?

The person on-site at a grocery store at 2 in the morning is the security guard. The security guard is not likely to be tasked with monitoring the freezer temperatures, and wouldn't have the slightest notion what to do if the temperature is wrong.

Re: (Score:2)

by dbialac ( 320955 )

Let me see:

Step 1: Go look at the thermostat on a refrigerator with a numeric ID.

Step 2: Look at the piece of paper that has the ID and the temperature it should be at

Step 3: If there is a mismatch, notify management

Step 4: Look at the next refrigerator.

I think the security guard can handle that duty. Also, depending where you are, some areas have 24 hour grocery stores. I used to live in such an area and loved the fact that I could go get groceries at 12:30 at night and go right up to the cashier w

Re: (Score:3)

by 93 Escort Wagon ( 326346 )

A couple of my relatives work at grocery stores. At least at their stores, overnight is when re-stocking of the shelves and freezer cases happens (plus some, like Winco and Walmart, are actually open 24/7).

Re: (Score:1)

by Anonymous Coward

> The E2s reached their official end-of-life in October, and affected customers are encouraged to move to the newer E3 platform.

When you have to worry about patching your refrigerator you are very nearly at peak stupidity.

Re: (Score:2)

by thegarbz ( 1787294 )

Errr no, food storage facilities do not have 24/7 staffing. Heck critical medicine storage facilities do not have 24/7 staffing. You're also right, they can't be 100% automated. 85% automated on the other hand is perfectly fine to cover work hours.

Re: (Score:2)

by jenningsthecat ( 1525947 )

> obviously the way to remote manage this is to have the controller pc list the temps on a display and then a camera pointed at that display reads the characters and relays changes to the people monitoring. literal airgap

> whats great is half of you will take this as over the top sarcastic and the other half deadly serious

Personally, I think that you're serious about the basic idea, and over-the-top about the implementation.

There's no reason to point cameras at a display - simply take the figures that are or would be on the display, and send them via der interwebs as data. Then emergency interventions can be relegated to local on-call techs who respond to out-of-range alarms. Alternatively - or additionally - a very limited range of remote temperature control could be hard coded into the controller, to allow for remote adjus

Re: (Score:2)

by Firethorn ( 177587 )

On tweaking - the thermometer that reports the temperature on the internet could be completely separate from the thermostat controlling the refrigeration system.

About 30 years ago (Score:2)

by Powercntrl ( 458442 )

A film called "Hackers" was released in 1995. It depicted devices and infrastructure being manipulated, despite that at the time the movie was made, most of the things shown were not typically connected to the Internet. That broke my suspension of disbelief at the time, and among my friends we mocked it for just being another example of Hollywood being, well, Hollywood. Nowadays though, all sorts of things that shouldn't be connected to the internet, are.

Whoever thought it would be a good idea to connect

Re: (Score:2)

by ndsurvivor ( 891239 )

I agree, it is a frickin thermostat. Why connect it to the internet? Hype? Buzzwords? At most it should be read only for monitoring, and maybe a local LAN for control, at most. Really, there should just be a temp control next to the freezer with up down buttons and a display.

Re: (Score:2)

by thegarbz ( 1787294 )

> Whoever thought it would be a good idea to connect commercial refrigeration to the internet should be forced to watch that movie on repeat until they get the message.

What message is that going to send? Make your life more complicated and less automated on the off chance that a hacker may identify a vulnerability and mess with your infrastructure.

Did you read the news today? It's about bugs identified that could allow hackers to gain access. That is, detection, pre-announcing, giving people the opportunity to assess risk and take action. Any actual problem postulated in this case was a theoretical what-if scenario. The news today was not "10s of thousands of refrigerator

Re: (Score:2)

by jenningsthecat ( 1525947 )

> Humans make poor judgement on rare risk events. Getting people to watch hackers won't change their behaviour because it remains a rare risk event.

I'm no expert, and bad news is often over-reported. So I'm going to pose this as a question rather than as a statement: Given that we hear so much news about major hacks and data breaches, are we really talking about "a rare risk event"?

Re: (Score:2)

by dbialac ( 320955 )

And here we are today with AI. We program guardrails, or so we think, but AI knows more than any one of us.

Here it comes (Score:4, Interesting)

by spaceman375 ( 780812 )

WW3, where superpowers go to war, will not be nuclear. It will begin with the swift destruction of one country's infrastructure via the internet. Likely so crippling that the response is delayed, blunted, and ineffectual. Even if the military systems are largely unaffected, the civilian damage will surpass Hiroshima, since it will cover the country rather than a city or two. Looking at a picture of Xi, Putin, and Kim, I have a very bad feeling about this. Maybe I should move to New Zealand.

Re: (Score:2)

by dbialac ( 320955 )

> Maybe I should move to New Zealand.

TIL New Zealand is safe from hackers.

solution (Score:1)

by goslackware ( 821522 )

If connected to the internet, wouldn't the below stop 99% of these issues:

Auth1: restrict connections by source IPv4 or IPv6 of the vendor (if vendor managed). The customer could add their own HQ IPv4 or IPv6 source addresses.

Auth2: require a legit client certificate when connecting to them that's signed by the vendor (if vendor managed). The customer could also add their own client cert from their internal CA.

Auth3: require username/password

Only if all 3 auth layers pass can you connect.
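The three layers the post above proposes, written out as an added nginx reverse-proxy configuration placed in front of a controller's web interface (this is an editorial example, not from the post, from Copeland or from Armis); the hostname, address ranges, file paths and backend address are all placeholders.

```nginx
# Added example: nginx in front of a refrigeration controller, enforcing
# source-address allowlisting, mutual TLS and a username/password, in that
# order. Every address, path and hostname below is a placeholder.

server {
    listen 443 ssl;
    server_name refrigeration.example.com;          # placeholder hostname

    ssl_certificate     /etc/nginx/tls/server.crt;  # placeholder paths
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Auth1: source-address allowlist. RFC 5737 / RFC 3849 documentation
    # ranges stand in for the vendor's and the customer's HQ ranges.
    allow 203.0.113.0/24;      # vendor management range (placeholder)
    allow 198.51.100.0/24;     # customer HQ IPv4 range (placeholder)
    allow 2001:db8::/32;       # customer HQ IPv6 range (placeholder)
    deny  all;

    # Auth2: mutual TLS. The client must present a certificate that chains
    # to a CA in this bundle (vendor CA plus the customer's internal CA).
    # This is checked during the handshake, independently of "satisfy".
    ssl_client_certificate /etc/nginx/tls/trusted-client-cas.pem;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    # Auth3: username/password on top of the first two layers.
    auth_basic           "Refrigeration controller";
    auth_basic_user_file /etc/nginx/htpasswd;

    # "all" (the default) requires allow/deny AND auth_basic to both pass;
    # "any" would let one layer substitute for another, so leave it at all.
    satisfy all;

    location / {
        proxy_pass http://10.0.0.5;   # controller on an isolated VLAN (placeholder)
        # Forward the verified client certificate subject for audit logging.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
    }
}
```

The controller itself should only be reachable from the proxy's network, otherwise the three layers can be bypassed by connecting to it directly.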

Stupidity is often painful (Score:2)

by couchslug ( 175151 )

Chillers do not need remote controls. They worked just fine before the internet.

People wanting such vulns should be fired and blacklisted for negligent thinking. If they work for anyone reading this, shitcan them because stupidity never gets better. Human problems are easily solved by removing the problem human.

Re: (Score:2)

by Tony Isaac ( 1301187 )

No, not negligent at all.

A typical supermarket may have about 60 or so refrigerators and freezers. In that number, chances are pretty good that, on occasion, one of them will malfunction. Manually checking each one is labor-intensive. Many grocery stores employ teenagers or people with disabilities, providing them with much-needed money and self-respect. These people aren't necessarily the most adept at carefully monitoring dozens of machines.

As with anything a business does, it's cost/benefit. It costs les
