Slashdot Mirror

← Back to Stories (view on slashdot.org)

Judge Sentences Man To One Year In Prison For Hacking Smart Water Readers In Five US Cities (bleepingcomputer.com)

Posted by BeauHD on from the cause-and-effect dept.

An anonymous reader writes: A Pennsylvania man was sentenced to one year and one day in prison for hacking and disabling base stations belonging to water utility providers in five cities across the U.S. East Coast. Called TGB, these devices collect data from smart meters installed at people's homes and relay the information to the water provider's main systems, where it is logged, monitored for incidents, and processed for billing. Before he was fired by the unnamed TGB manufacturing company, Flanagan's role was to set up these devices. After he was fired, Flanagan used former root account passwords to log onto the devices and disable their ability to communicate with their respective water utility providers' upstream equipment. He wasn't that careful, as the FBI was able to trace back the attacks to his home. Apparently, the guy wasn't that silent, leaving behind a lot of clues. Flanagan's attacks resulted in water utility providers not being able to collect user equipment readings remotely. This incurred damage to the utility providers, who had to send out employees at customer premises to collect monthly readings. He was arrested in Nov 2014, and later pleaded guilty.

29 of 60 comments (clear)

  1. Goobers... by KGIII · · Score: 3, Insightful

    I am not even a security professional. Hell, I'm retired. Even *I* know that you revoke passwords when you fire someone - and if they can't be revoked, you change them. (That they can't be revoked is another matter - and probably another stupid fucking idea.) Ideally, you revoke their access before you fire them and when they're unable to access the system by means of physical separation.

    --
    "So long and thanks for all the fish."
    1. Re:Goobers... by captaindomon · · Score: 2

      Policy and practice are two different things. It gets harder when someone has been in a job for years and years and had access to thousands of systems over that time period.

      --
      Just because I can hook a shark from a boat, I do no offer to wrestle it in the water.
    2. Re:Goobers... by bobbied · · Score: 5, Interesting

      I got laid off about 10 years ago and I was responsible for maintaining firewalls and remote access network equipment for the company's customers around the world. I left them with a document that listed *every* password that I had set on *every* one of the firewalls and VPN endpoints with instructions that said "CHANGE THESE!"

      They called me a year later asking if I knew the passwords for customer "x" firewall and remote access server... Where I remembered what I had set them to, my response was "Didn't you read the document I left for you?" And when they said "No" I quickly responded with "I don't know the passwords and I don't have a copy of the document I gave you, you are on your own."

      NO way I was going to admit that I had unfettered access to these systems....There was no upside for me and these idiots didn't have a clue what security was so I didn't dare risk being blamed for some problem by admitting I still knew the passwords...

      I did offer to help them recover all the passwords at a few hundred dollars an hour plus expenses, with a minimum of 8 hours paid in advance... And they didn't ever call me back, which was fine with me. They were idiots, both for laying me off initially, then refusing to pay the retention bonus and keep me on after the 90 day notice period when they realized their error PLUS not changing such sensitive passwords when I departed then coming back to ask me for them a year later.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    3. Re:Goobers... by KGIII · · Score: 2

      That's kinda scary. In the few instances we had issues with employees, they were physically separated and access terminated as they were escorted from the building. (That was kinda rare, actually. I had great people working with me.)

      But, yeah... See, I hired smart people to do things I could not - and then I, you know, listened to them because, again, I hired them to do things I could not. If I could have done them, I'd not have had to hire them.

      In your case, was there nobody smart to listen to - or did they just not listen to the people they hired? That's kinda crazy.

      --
      "So long and thanks for all the fish."
    4. Re:Goobers... by KGIII · · Score: 2

      Yeah... They should have someone keep track of that. Maybe they could call them, I don't know, something like a Compliance Officer? Maybe stick Security on the front of it... It'd probably save them some money, at least in the long term and assuming they hire someone capable and listen to them.

      --
      "So long and thanks for all the fish."
    5. Re:Goobers... by Highdude702 · · Score: 1

      at least in the long term and assuming they hire someone capable and listen to them.

      I see 3 things that a lot of companies have never thought about for very long.

    6. Re:Goobers... by bobbied · · Score: 2

      My working theory is they canned me in a cost cutting effort driven by a new department director. She was a nice lady, but I think she misunderstood my perspective when she REQUIRED my presence at a 9 AM breakfast meeting the morning after a 2 AM maintenance window (the third one that week) and then asked us to share what we thought should be changed... Yea, it was stupid to complain about 9 AM mandatory meetings after being up all night working, but at that point I'd had about 2 hours sleep/night for a couple of days and wasn't thinking all that straight. I was a bit grouchy and should have stuffed a doughnut into my mouth and just smiled. So, I think she didn't know what I did for them, given it mostly didn't happen during normal business hours and she didn't think to ask my manager what was up.

      However, it turned out great for me. By the time I departed the company, the 90 day notice turned into 120 days, this gave me another full week of severance pay, almost doubled my retention pay, so I walked away with about 8 months of severance. I started my next job 1 week later with a significant raise and collected 2 paychecks for over half a year. It wasn't until last year that I approached a yearly salary that matched those two taxable years.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    7. Re:Goobers... by Lumpy · · Score: 1

      Problem is companies that make smart meters, for all of the utilities only employ really low IQ types for their programmers, there is a LOT of hardcoded backdoors and admin passwords in them that can notbe changed. They simply rely on obscurity for their security.

      This is the problem companies are not liable for their crap-tastic security. until they are you will not see them putting in place anything that has any semblance of security.

      --
      Do not look at laser with remaining good eye.
    8. Re:Goobers... by Anonymous Coward · · Score: 1

      NO way I was going to admit that I had unfettered access to these systems....There was no upside for me and these idiots didn't have a clue what security was so I didn't dare risk being blamed for some problem by admitting I still knew the passwords...

      Yeah, but you just admitted to it here. All they have to do is subpoena your /. account history, and you're fucked.

    9. Re:Goobers... by bobbied · · Score: 1

      I never touched any of the systems after my departure and this was over 15 years ago at this point so I think the statute of limitations has run out. Not to mention, they are now out of business... Trust me, I'm golden.

      The reason I didn't admit to remembering is three fold.. 1. I told them the passwords already in the document I left with them... 2. I didn't want to leave them the impression that I maintained a backdoor or had accessed any of these systems had they experienced a security problem... 3. I wanted them to leave me alone as they'd called multiple times asking for bits of design information and project history and I was getting tired of them being dependent on me and not paying me anything.

      Not sure what I would have done if they took me up on my consultant contract offer though....

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    10. Re:Goobers... by thegarbz · · Score: 1

      Hell, I'm retired. Even *I* know that you revoke passwords when you fire someone

      You're on Slashdot. That puts you head and shoulders above most of the people managing such devices. You talk about password revocation and password changing. How about something simple like making the password not "password" or the name of the company you work for.

      Baby steps.

  2. Hacked? by chuckugly · · Score: 4, Insightful

    In what universe is accessing a system using the device password you were issued "hacking"? Attack, yes, unauthorized access, yes, hack? Not so much.

    1. Re: Hacked? by coryhamma · · Score: 1

      Even Webster's says "a person who illegally gains access to and sometimes tampers with information in a computer system." The guy had the password, so he did not illegally *gain* access to anything. He used his legally obtained access to maliciously disable computer systems, so they would probably charge him with "intentionally accessing and exceeding authorized access to a computer." News sites that describe this activity as "hacking" are misusing the term.

  3. that's not how this works. that's not how any of by Thud457 · · Score: 1

    that's not hacking.
    meh. Against stupidity even the gods themselves contend in vain.

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  4. Eh? by TechyImmigrant · · Score: 1

    Free water?! It's not like the stuff just falls out of the sky for free. Oh wait...

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    1. Re:Eh? by pr0fessor · · Score: 2

      I live in town and have no water rights on my own land... I can't dig a well or have a rain barrel.

  5. Plaintext passwords? by Pascoea · · Score: 1
    Probably a dumb question, but per the second (twitter link):

    ..defendant...remotely accessed a TGB...and and changed the password to "fuckyou."

    Wouldn't that imply that the passwords on these internet connected devices are being stored in plaintext somewhere? I'm no security expert, but that seems like it's a bad idea.

    1. Re:Plaintext passwords? by Spy+Handler · · Score: 1

      Maybe it was md5 hashed. Nearly the same thing as plaintext.

    2. Re:Plaintext passwords? by Anonymous Coward · · Score: 1

      I believe they used the much stronger ROT26

    3. Re:Plaintext passwords? by toonces33 · · Score: 1

      Well, that is the sort of thing that one might easily crack using a dictionary. For all I know it is in amongst the "common" passwords somewhere.

  6. Re:Meter-readers by DontBeAMoran · · Score: 1

    The damages are "less profits" because they had to, you know, hire people and pay them a wage.

    --
    #DeleteFacebook
  7. You might be surprised.... by King_TJ · · Score: 1

    In many smaller cities and towns, the water treatment plants are older (circa 1970's or so) and expensive to maintain. I live in one such city, along the Potomac River, and our water bills are combined with sewer and trash pickup. We're billed once every 3 months, and the typical bill is easily in excess of $350. Trash collection is only once per week here, with no yard waste pickup - so it really only amounts to $80 or so of the total bill. The rest is sewer and water, which go hand-in-hand.

    If you have a small water leak, such as a toilet that keeps running after you flush it and you don't catch and correct it immediately? It can easily run the water bill up to the $600-800 range.

    So yeah.... there is actually some incentive for a dishonest person to hack the system in some way, if possible.

  8. Aaron Swartz by Rockoon · · Score: 2, Insightful

    Consider, Aaron Swartz faced less jail time.

    This guy got a 1 year sentence but faced up to 90 years and a $3 million fine.

    This pretty well backs up my theory that Aaron may have never had to serve any time as a member of the general population of a federal prison, and even if he did it would not have been anything even close to the maximum.

    --
    "His name was James Damore."
    1. Re:Aaron Swartz by Reverend+Green · · Score: 2

      This guy got a 1 year sentence but faced up to 90 years and a $3 million fine.

      Mad dog court system, drunk on power, crazed with bloodlust.

  9. If he has been smart ... by Alain+Williams · · Score: 3, Insightful

    he could have made a lot of money. Quietly kept his root access, put in a few logging scripts that would have searched and told him where water usage had dropped in for a couple of days ... probably a good sign that people are away on holiday ... sold this information on to his friend Burglar Bill who could have paid the properties an uninvited visit; very hard to trace this back to leaked water readings [pardon the pun]. This is why accepting smart meters into your house that allow real time water/electric/... usage is a huge security risk.

    The utilities all claim that it is perfectly safe - something that this story shows is a lie -- or at best wildly optimistic. The reason that they want to do this is to increase their profits - but the cost is your household security; but they don't care about that.

    1. Re:If he has been smart ... by Anonymous Coward · · Score: 1

      You don't need TGB access to do that. Just get an antenna and use RTL-SDR, most of these transmissions aren't encrypted. You don't get the range of data the TGB has, but the TGB doesn't have the address or anything either, just a meter number and usage, and a few flags as data.

    2. Re:If he has been smart ... by Sir+Lurkalot · · Score: 1

      Wish I could mod you up...

  10. Man goes to prison for disabling IoT devices by Anonymous Coward · · Score: 1

    "What do you mean I have to get out of my car? Send him to prison!"

  11. You can't fire the person with root access by Visarga · · Score: 3, Funny

    We all know you can't fire the person with root access to your devices. These companies never learn. /s