Insecure permissions in Glen Dimplex Deutschland GmbH implementation of Carel pCOWeb configuration tool exposes brine-to-water heat pumps to remote attackers.

About Carel pCOWeb

The pCOWeb card is used to interface the pCO Sistema to networks that use the HVAC protocols based on the Ethernet physical standard, such as BACnet IP, Modbus TCP/IP and SNMP.

The card also features an integrated Web-Server, which both contains the HTML pages relating to the specific application and allows a browser to be used for remote system management.

The embedded LINUX operating system allows applications (plug-ins) to be added, developed directly by users to meet their own requirements.

Dimplex brine-to-water heat pumps.

Dimplex brine-to-water heat pumps utilize free energy which is transferred via a heat exchanger to a mixture of anti-freeze and water, the so-called brine.

Unauthenticated access to Dimplex pCOWeb web interface

An attacker can scan the ports 10000 or 10001 of a suspected Dimplex pCOWeb device and try to retrieve the http banner. If the banner looks like this:

Then the pCOWeb service is enabled on either of the 2 ports. By typing in a web browser the http://<target ip>:10000 you will we redirected to the http://<target ip>:10000/http/index/j_index.html and receive full unauthenticated access to the configuration and service interface.

Dimplex pCOWeb configuration web interface

The password for the service modem is hard-coded with the value 1234.

Directory listing and source code disclosure

By crawling the pCOWeb web interface other sensitive directories like script can be accessed:

And the files inside the script directory are disclosing the source code like in the example below:

Attack surface

Using Shodan a number of 54 vulnerable heat pumps were discovered, most of them in UK. Using Shodan’s ability to retrieve parts of the HTML code during a scan, one can look up for the following syntax to identify vulnerable devices:

<title>Carel pCOWeb Home Page</title>
<meta http-equiv="refresh" content="0;url=./http/index.html">
<H1>Carel pCOWeb Home Page</h1>
<h2>This page will be redirected <a href "./http/index.html">here...</a></h2>
<script language="JavaScript">

Remedy and risk mitigation

Since in the version v12 of the web interface there was no way to enable user authentication, the only recommendations are to deny any access to ports 10000 and 10001 from WAN (if port-forwarding is enabled to allow remote configuration, then is a good idea to disable port-forwarding to the heat pumps). Even if during a scan the <target ip> doesn’t reply to ping requests there are other scanning techniques that can be used to identify a vulnerable heat pump (as shown above).