Slashdot Mirror


Judge Sentences Man To One Year In Prison For Hacking Smart Water Readers In Five US Cities (bleepingcomputer.com)

An anonymous reader writes: A Pennsylvania man was sentenced to one year and one day in prison for hacking and disabling base stations belonging to water utility providers in five cities across the U.S. East Coast. Called TGB, these devices collect data from smart meters installed at people's homes and relay the information to the water provider's main systems, where it is logged, monitored for incidents, and processed for billing. Before he was fired by the unnamed TGB manufacturing company, Flanagan's role was to set up these devices. After he was fired, Flanagan used former root account passwords to log onto the devices and disable their ability to communicate with their respective water utility providers' upstream equipment. He wasn't that careful, as the FBI was able to trace back the attacks to his home. Apparently, the guy wasn't that silent, leaving behind a lot of clues. Flanagan's attacks resulted in water utility providers not being able to collect user equipment readings remotely. This incurred damage to the utility providers, who had to send out employees at customer premises to collect monthly readings. He was arrested in Nov 2014, and later pleaded guilty.

60 comments

  1. Goobers... by KGIII · · Score: 3, Insightful

    I am not even a security professional. Hell, I'm retired. Even *I* know that you revoke passwords when you fire someone - and if they can't be revoked, you change them. (That they can't be revoked is another matter - and probably another stupid fucking idea.) Ideally, you revoke their access before you fire them and when they're unable to access the system by means of physical separation.

    --
    "So long and thanks for all the fish."
    1. Re:Goobers... by captaindomon · · Score: 2

      Policy and practice are two different things. It gets harder when someone has been in a job for years and years and had access to thousands of systems over that time period.

      --
      Just because I can hook a shark from a boat, I do not offer to wrestle it in the water.
    2. Re:Goobers... by bobbied · · Score: 5, Interesting

      I got laid off about 10 years ago and I was responsible for maintaining firewalls and remote access network equipment for the company's customers around the world. I left them with a document that listed *every* password that I had set on *every* one of the firewalls and VPN endpoints with instructions that said "CHANGE THESE!"

      They called me a year later asking if I knew the passwords for customer "x" firewall and remote access server... Where I remembered what I had set them to, my response was "Didn't you read the document I left for you?" And when they said "No" I quickly responded with "I don't know the passwords and I don't have a copy of the document I gave you, you are on your own."

      NO way I was going to admit that I had unfettered access to these systems....There was no upside for me and these idiots didn't have a clue what security was so I didn't dare risk being blamed for some problem by admitting I still knew the passwords...

      I did offer to help them recover all the passwords at a few hundred dollars an hour plus expenses, with a minimum of 8 hours paid in advance... And they didn't ever call me back, which was fine with me. They were idiots, both for laying me off initially, then refusing to pay the retention bonus and keep me on after the 90 day notice period when they realized their error PLUS not changing such sensitive passwords when I departed then coming back to ask me for them a year later.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    3. Re:Goobers... by Anonymous Coward · · Score: 0

      How do you know it was even him? Circumstantial evidence?

    4. Re:Goobers... by KGIII · · Score: 2

      That's kinda scary. In the few instances we had issues with employees, they were physically separated and access terminated as they were escorted from the building. (That was kinda rare, actually. I had great people working with me.)

      But, yeah... See, I hired smart people to do things I could not - and then I, you know, listened to them because, again, I hired them to do things I could not. If I could have done them, I'd not have had to hire them.

      In your case, was there nobody smart to listen to - or did they just not listen to the people they hired? That's kinda crazy.

      --
      "So long and thanks for all the fish."
    5. Re:Goobers... by KGIII · · Score: 2

      Yeah... They should have someone keep track of that. Maybe they could call them, I don't know, something like a Compliance Officer? Maybe stick Security on the front of it... It'd probably save them some money, at least in the long term and assuming they hire someone capable and listen to them.

      --
      "So long and thanks for all the fish."
    6. Re:Goobers... by Highdude702 · · Score: 1

      at least in the long term and assuming they hire someone capable and listen to them.

      I see 3 things that a lot of companies have never thought about for very long.

    7. Re: Goobers... by Anonymous Coward · · Score: 0

      And the fact he was able to login remotely... And with root access. opsec ftl

    8. Re:Goobers... by bobbied · · Score: 2

      My working theory is they canned me in a cost cutting effort driven by a new department director. She was a nice lady, but I think she misunderstood my perspective when she REQUIRED my presence at a 9 AM breakfast meeting the morning after a 2 AM maintenance window (the third one that week) and then asked us to share what we thought should be changed... Yeah, it was stupid to complain about 9 AM mandatory meetings after being up all night working, but at that point I'd had about 2 hours sleep/night for a couple of days and wasn't thinking all that straight. I was a bit grouchy and should have stuffed a doughnut into my mouth and just smiled. So, I think she didn't know what I did for them, given it mostly didn't happen during normal business hours and she didn't think to ask my manager what was up.

      However, it turned out great for me. By the time I departed the company, the 90 day notice turned into 120 days, this gave me another full week of severance pay, almost doubled my retention pay, so I walked away with about 8 months of severance. I started my next job 1 week later with a significant raise and collected 2 paychecks for over half a year. It wasn't until last year that I approached a yearly salary that matched those two taxable years.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    9. Re:Goobers... by Anonymous Coward · · Score: 0

      Well, that is what they get for their way of doing business.

      All modern companies feel like they despise their own employees (and their own customers too), especially the ones that keep the business running. Instead of making them part of the organization's success, most administrators see them as bonus leeches; the funny thing is that business owners see everyone else as profit leeches too.

    10. Re:Goobers... by Anonymous Coward · · Score: 0

      "Circumstantial evidence?"
      Because the FBI traced him back to his house. Evidently he wasn't familiar with the concept of logs. They pinpointed the date and time of the device changes using the device logs. The logs would have included both the target and originating IP addresses. The logins and device changes were logged normally which pointed to someone using admin credentials as the most likely cause of the problem. Round up and interview all those who would have access to the admin credentials. Determine if a disgruntled employee that had access to these credentials had been terminated recently. The guy probably posted his actions on his Facebook page.

    11. Re:Goobers... by Lumpy · · Score: 1

      Problem is companies that make smart meters, for all of the utilities only employ really low IQ types for their programmers, there is a LOT of hardcoded backdoors and admin passwords in them that cannot be changed. They simply rely on obscurity for their security.

      This is the problem: companies are not liable for their crap-tastic security. Until they are, you will not see them putting in place anything that has any semblance of security.

      --
      Do not look at laser with remaining good eye.
    12. Re:Goobers... by Anonymous Coward · · Score: 1

      NO way I was going to admit that I had unfettered access to these systems....There was no upside for me and these idiots didn't have a clue what security was so I didn't dare risk being blamed for some problem by admitting I still knew the passwords...

      Yeah, but you just admitted to it here. All they have to do is subpoena your /. account history, and you're fucked.

    13. Re:Goobers... by bobbied · · Score: 1

      I never touched any of the systems after my departure and this was over 15 years ago at this point so I think the statute of limitations has run out. Not to mention, they are now out of business... Trust me, I'm golden.

      The reason I didn't admit to remembering is threefold: 1. I told them the passwords already in the document I left with them... 2. I didn't want to leave them the impression that I maintained a backdoor or had accessed any of these systems had they experienced a security problem... 3. I wanted them to leave me alone as they'd called multiple times asking for bits of design information and project history and I was getting tired of them being dependent on me and not paying me anything.

      Not sure what I would have done if they took me up on my consultant contract offer though....

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    14. Re:Goobers... by thegarbz · · Score: 1

      Hell, I'm retired. Even *I* know that you revoke passwords when you fire someone

      You're on Slashdot. That puts you head and shoulders above most of the people managing such devices. You talk about password revocation and password changing. How about something simple like making the password not "password" or the name of the company you work for.

      Baby steps.

    15. Re:Goobers... by Anonymous Coward · · Score: 0

      And then what happens when you fire that person? Same story.

  2. Hacked? by chuckugly · · Score: 4, Insightful

    In what universe is accessing a system using the device password you were issued "hacking"? Attack, yes, unauthorized access, yes, hack? Not so much.

    1. Re:Hacked? by Anonymous Coward · · Score: 0

      It's that 4chan guy again! I saw it on the news!

    2. Re: Hacked? by Anonymous Coward · · Score: 0

      Responding as ac because I'm too lazy to hack in to my slash account.

    3. Re:Hacked? by Anonymous Coward · · Score: 0

      The only hacks here are the slashdot editors.

    4. Re: Hacked? by Anonymous Coward · · Score: 0

      It's called accessing a system you are NOT authorized to access.

      Think before you troll noobsauce.

    5. Re: Hacked? by coryhamma · · Score: 1

      Even Webster's says "a person who illegally gains access to and sometimes tampers with information in a computer system." The guy had the password, so he did not illegally *gain* access to anything. He used his legally obtained access to maliciously disable computer systems, so they would probably charge him with "intentionally accessing and exceeding authorized access to a computer." News sites that describe this activity as "hacking" are misusing the term.

    6. Re:Hacked? by Anonymous Coward · · Score: 0

      Arguing about the choice of word used to describe something? I bet you use GNU/Linux too.

  3. Hacking? by Anonymous Coward · · Score: 0

    It was definitely an illegal intrusion of a computer system, but is it really "hacking" if all he did was use root passwords he had while he was on the job?

  4. that's not how this works. that's not how any of by Thud457 · · Score: 1

    that's not hacking.
    meh. Against stupidity even the gods themselves contend in vain.

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  5. Eh? by TechyImmigrant · · Score: 1

    Free water?! It's not like the stuff just falls out of the sky for free. Oh wait...

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    1. Re:Eh? by pr0fessor · · Score: 2

      I live in town and have no water rights on my own land... I can't dig a well or have a rain barrel.

    2. Re:Eh? by Anonymous Coward · · Score: 0

      Digging a well I understand...but no rain barrel? Heck, they encourage that where I am (California).

  6. Plaintext passwords? by Pascoea · · Score: 1
    Probably a dumb question, but per the second (twitter link):

    ..defendant...remotely accessed a TGB...and changed the password to "fuckyou."

    Wouldn't that imply that the passwords on these internet connected devices are being stored in plaintext somewhere? I'm no security expert, but that seems like it's a bad idea.

    1. Re:Plaintext passwords? by Spy+Handler · · Score: 1

      Maybe it was md5 hashed. Nearly the same thing as plaintext.

    2. Re:Plaintext passwords? by Anonymous Coward · · Score: 1

      I believe they used the much stronger ROT26

    3. Re:Plaintext passwords? by Anonymous Coward · · Score: 0

      These things are usually Unix boxes, just gateways to collect the data and transfer to the data collection and billing applications.

    4. Re:Plaintext passwords? by toonces33 · · Score: 1

      Well, that is the sort of thing that one might easily crack using a dictionary. For all I know it is in amongst the "common" passwords somewhere.

  7. Meter-readers by Anonymous Coward · · Score: 0

    "This incurred damage to the utility providers, who had to send out employees at customer premises to collect monthly readings."

    But that's the way water meters have ALWAYS worked.

    Did the water rates go down when the new meters were installed? No? Then where are the supposed "damages?"

    1. Re:Meter-readers by DontBeAMoran · · Score: 1

      The damages are "less profits" because they had to, you know, hire people and pay them a wage.

      --
      #DeleteFacebook
    2. Re:Meter-readers by Anonymous Coward · · Score: 0

      Yeah, city owned municipal water systems generate tons of profit.

  8. confused by Anonymous Coward · · Score: 0

    Wouldn't it be easier to turn them back on rather than take monthly readings manually?

    Surely the issue becomes apparent pretty quickly.

  9. Re:The police are forcing me to bake a cake by Anonymous Coward · · Score: 0

    I don't bake cakes for people who covet their neighbor's goods.

  10. You might be surprised.... by King_TJ · · Score: 1

    In many smaller cities and towns, the water treatment plants are older (circa 1970's or so) and expensive to maintain. I live in one such city, along the Potomac River, and our water bills are combined with sewer and trash pickup. We're billed once every 3 months, and the typical bill is easily in excess of $350. Trash collection is only once per week here, with no yard waste pickup - so it really only amounts to $80 or so of the total bill. The rest is sewer and water, which go hand-in-hand.

    If you have a small water leak, such as a toilet that keeps running after you flush it and you don't catch and correct it immediately? It can easily run the water bill up to the $600-800 range.

    So yeah.... there is actually some incentive for a dishonest person to hack the system in some way, if possible.

  11. Re:The police are forcing me to bake a cake by Anonymous Coward · · Score: 0

    I don't bake cakes for people who look at porn (I don't do much baking).

  12. Re:The police are forcing me to bake a cake by Anonymous Coward · · Score: 0

    That's nothing - the government is cancelling all health insurance and planning to kill 22 BILLION people. I heard it on Hillary Clinton's Twitter feed.

  13. Aaron Swartz by Rockoon · · Score: 2, Insightful

    Consider, Aaron Swartz faced less jail time.

    This guy got a 1 year sentence but faced up to 90 years and a $3 million fine.

    This pretty well backs up my theory that Aaron may have never had to serve any time as a member of the general population of a federal prison, and even if he did it would not have been anything even close to the maximum.

    --
    "His name was James Damore."
    1. Re:Aaron Swartz by Anonymous Coward · · Score: 0

      How about you look up the charges against Aaron Swartz and see what the sentencing guidelines are?

    2. Re:Aaron Swartz by Reverend+Green · · Score: 2

      This guy got a 1 year sentence but faced up to 90 years and a $3 million fine.

      Mad dog court system, drunk on power, crazed with bloodlust.

  14. If he has been smart ... by Alain+Williams · · Score: 3, Insightful

    he could have made a lot of money. Quietly kept his root access, put in a few logging scripts that would have searched and told him where water usage had dropped for a couple of days ... probably a good sign that people are away on holiday ... sold this information on to his friend Burglar Bill who could have paid the properties an uninvited visit; very hard to trace this back to leaked water readings [pardon the pun]. This is why accepting smart meters into your house that allow real time water/electric/... usage is a huge security risk.

    The utilities all claim that it is perfectly safe - something that this story shows is a lie -- or at best wildly optimistic. The reason that they want to do this is to increase their profits - but the cost is your household security; but they don't care about that.

    1. Re:If he has been smart ... by Anonymous Coward · · Score: 1

      You don't need TGB access to do that. Just get an antenna and use RTL-SDR, most of these transmissions aren't encrypted. You don't get the range of data the TGB has, but the TGB doesn't have the address or anything either, just a meter number and usage, and a few flags as data.

    2. Re:If he has been smart ... by Sir+Lurkalot · · Score: 1

      Wish I could mod you up...

    3. Re:If he has been smart ... by Anonymous Coward · · Score: 0

      This is ridiculous fear-mongering. If Burglar Bill is dumb enough to base his home-robberies on water usage alone, he's going to have a complicated life after he robs an occupied home early in his career. If you're planning on doing some organized home-burglarizing (of which the vast, vast majority of home robberies are NOT), you're going to monitor the actual activity of the place rather than hope a trend in water usage implies something.

      There are far, far better risk factors to look at if you are worried about break-ins, troglodyte.

  15. A conundrum by Anonymous Coward · · Score: 0

    The police are forcing me to bake a cake for a gay couple's wedding. But Jesus told me that gay buttsex is against God's law. Whatever should I do?

    This is indeed a conundrum.

    The only way out of it is to have gay buttsex with Jesus in the hope that it will change his opinion. But you need to make it REALLY GOOD for the plan to work, so I suggest practicing on your dog first. That way, if you get caught, you can claim that you're dyslexic and have difficulty distinguishing between "god" and "dog".

  16. Man goes to prison for disabling IoT devices by Anonymous Coward · · Score: 1

    "What do you mean I have to get out of my car? Send him to prison!"

  17. The company should be liable by Anonymous Coward · · Score: 0

    For being a bunch of idiots. This guy doesn't deserve jail time for idiot decisions by management. The fact that this sort of crap makes it through our legal system is an immense sign of failure.

  18. Re:The police are forcing me to bake a cake by Anonymous Coward · · Score: 0

    You should do what your moral code tells you to, but you should also be prepared for the consequences.

  19. ICS-CERT by Anonymous Coward · · Score: 0

    In case anyone is interested, the Department of Homeland Security has a well-regarded CERT that is dedicated to Industrial Control Systems. It even offers free classroom training and free assessments of the information security posture of utilities and other organizations.

  20. You can't fire the person with root access by Visarga · · Score: 3, Funny

    We all know you can't fire the person with root access to your devices. These companies never learn. /s

  21. damage = company had to send out employees by Anonymous Coward · · Score: 0

    Oh noes. Someone had to use employees.

  22. Re: by Anonymous Coward · · Score: 0

    But that's the way water meters have ALWAYS worked.
    Did the water rates go down when the new meters were installed? No?

    Yes. Yes they did. Any other questions?

  23. Arrested in 2014 by Anonymous Coward · · Score: 0

    Slashdot story in 2017.