Slashdot Mirror

← Back to Stories (view on slashdot.org)

Judge Sentences Man To One Year In Prison For Hacking Smart Water Readers In Five US Cities (bleepingcomputer.com)

Posted by BeauHD on from the cause-and-effect dept.

An anonymous reader writes: A Pennsylvania man was sentenced to one year and one day in prison for hacking and disabling base stations belonging to water utility providers in five cities across the U.S. East Coast. Called TGB, these devices collect data from smart meters installed at people's homes and relay the information to the water provider's main systems, where it is logged, monitored for incidents, and processed for billing. Before he was fired by the unnamed TGB manufacturing company, Flanagan's role was to set up these devices. After he was fired, Flanagan used former root account passwords to log onto the devices and disable their ability to communicate with their respective water utility providers' upstream equipment. He wasn't that careful, as the FBI was able to trace back the attacks to his home. Apparently, the guy wasn't that silent, leaving behind a lot of clues. Flanagan's attacks resulted in water utility providers not being able to collect user equipment readings remotely. This incurred damage to the utility providers, who had to send out employees at customer premises to collect monthly readings. He was arrested in Nov 2014, and later pleaded guilty.

4 of 60 comments (clear)

  1. Goobers... by KGIII · · Score: 3, Insightful

    I am not even a security professional. Hell, I'm retired. Even *I* know that you revoke passwords when you fire someone - and if they can't be revoked, you change them. (That they can't be revoked is another matter - and probably another stupid fucking idea.) Ideally, you revoke their access before you fire them and when they're unable to access the system by means of physical separation.

    --
    "So long and thanks for all the fish."
  2. Hacked? by chuckugly · · Score: 4, Insightful

    In what universe is accessing a system using the device password you were issued "hacking"? Attack, yes, unauthorized access, yes, hack? Not so much.

  3. Aaron Swartz by Rockoon · · Score: 2, Insightful

    Consider, Aaron Swartz faced less jail time.

    This guy got a 1 year sentence but faced up to 90 years and a $3 million fine.

    This pretty well backs up my theory that Aaron may have never had to serve any time as a member of the general population of a federal prison, and even if he did it would not have been anything even close to the maximum.

    --
    "His name was James Damore."
  4. If he has been smart ... by Alain+Williams · · Score: 3, Insightful

    he could have made a lot of money. Quietly kept his root access, put in a few logging scripts that would have searched and told him where water usage had dropped in for a couple of days ... probably a good sign that people are away on holiday ... sold this information on to his friend Burglar Bill who could have paid the properties an uninvited visit; very hard to trace this back to leaked water readings [pardon the pun]. This is why accepting smart meters into your house that allow real time water/electric/... usage is a huge security risk.

    The utilities all claim that it is perfectly safe - something that this story shows is a lie -- or at best wildly optimistic. The reason that they want to do this is to increase their profits - but the cost is your household security; but they don't care about that.