Slashdot Mirror

← Back to Stories (view on slashdot.org)

Judge Sentences Man To One Year In Prison For Hacking Smart Water Readers In Five US Cities (bleepingcomputer.com)

Posted by BeauHD on from the cause-and-effect dept.

An anonymous reader writes: A Pennsylvania man was sentenced to one year and one day in prison for hacking and disabling base stations belonging to water utility providers in five cities across the U.S. East Coast. Called TGB, these devices collect data from smart meters installed at people's homes and relay the information to the water provider's main systems, where it is logged, monitored for incidents, and processed for billing. Before he was fired by the unnamed TGB manufacturing company, Flanagan's role was to set up these devices. After he was fired, Flanagan used former root account passwords to log onto the devices and disable their ability to communicate with their respective water utility providers' upstream equipment. He wasn't that careful, as the FBI was able to trace back the attacks to his home. Apparently, the guy wasn't that silent, leaving behind a lot of clues. Flanagan's attacks resulted in water utility providers not being able to collect user equipment readings remotely. This incurred damage to the utility providers, who had to send out employees at customer premises to collect monthly readings. He was arrested in Nov 2014, and later pleaded guilty.

12 of 60 comments (clear)

  1. Goobers... by KGIII · · Score: 3, Insightful

    I am not even a security professional. Hell, I'm retired. Even *I* know that you revoke passwords when you fire someone - and if they can't be revoked, you change them. (That they can't be revoked is another matter - and probably another stupid fucking idea.) Ideally, you revoke their access before you fire them and when they're unable to access the system by means of physical separation.

    --
    "So long and thanks for all the fish."
    1. Re:Goobers... by captaindomon · · Score: 2

      Policy and practice are two different things. It gets harder when someone has been in a job for years and years and had access to thousands of systems over that time period.

      --
      Just because I can hook a shark from a boat, I do no offer to wrestle it in the water.
    2. Re:Goobers... by bobbied · · Score: 5, Interesting

      I got laid off about 10 years ago and I was responsible for maintaining firewalls and remote access network equipment for the company's customers around the world. I left them with a document that listed *every* password that I had set on *every* one of the firewalls and VPN endpoints with instructions that said "CHANGE THESE!"

      They called me a year later asking if I knew the passwords for customer "x" firewall and remote access server... Where I remembered what I had set them to, my response was "Didn't you read the document I left for you?" And when they said "No" I quickly responded with "I don't know the passwords and I don't have a copy of the document I gave you, you are on your own."

      NO way I was going to admit that I had unfettered access to these systems....There was no upside for me and these idiots didn't have a clue what security was so I didn't dare risk being blamed for some problem by admitting I still knew the passwords...

      I did offer to help them recover all the passwords at a few hundred dollars an hour plus expenses, with a minimum of 8 hours paid in advance... And they didn't ever call me back, which was fine with me. They were idiots, both for laying me off initially, then refusing to pay the retention bonus and keep me on after the 90 day notice period when they realized their error PLUS not changing such sensitive passwords when I departed then coming back to ask me for them a year later.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    3. Re:Goobers... by KGIII · · Score: 2

      That's kinda scary. In the few instances we had issues with employees, they were physically separated and access terminated as they were escorted from the building. (That was kinda rare, actually. I had great people working with me.)

      But, yeah... See, I hired smart people to do things I could not - and then I, you know, listened to them because, again, I hired them to do things I could not. If I could have done them, I'd not have had to hire them.

      In your case, was there nobody smart to listen to - or did they just not listen to the people they hired? That's kinda crazy.

      --
      "So long and thanks for all the fish."
    4. Re:Goobers... by KGIII · · Score: 2

      Yeah... They should have someone keep track of that. Maybe they could call them, I don't know, something like a Compliance Officer? Maybe stick Security on the front of it... It'd probably save them some money, at least in the long term and assuming they hire someone capable and listen to them.

      --
      "So long and thanks for all the fish."
    5. Re:Goobers... by bobbied · · Score: 2

      My working theory is they canned me in a cost cutting effort driven by a new department director. She was a nice lady, but I think she misunderstood my perspective when she REQUIRED my presence at a 9 AM breakfast meeting the morning after a 2 AM maintenance window (the third one that week) and then asked us to share what we thought should be changed... Yea, it was stupid to complain about 9 AM mandatory meetings after being up all night working, but at that point I'd had about 2 hours sleep/night for a couple of days and wasn't thinking all that straight. I was a bit grouchy and should have stuffed a doughnut into my mouth and just smiled. So, I think she didn't know what I did for them, given it mostly didn't happen during normal business hours and she didn't think to ask my manager what was up.

      However, it turned out great for me. By the time I departed the company, the 90 day notice turned into 120 days, this gave me another full week of severance pay, almost doubled my retention pay, so I walked away with about 8 months of severance. I started my next job 1 week later with a significant raise and collected 2 paychecks for over half a year. It wasn't until last year that I approached a yearly salary that matched those two taxable years.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  2. Hacked? by chuckugly · · Score: 4, Insightful

    In what universe is accessing a system using the device password you were issued "hacking"? Attack, yes, unauthorized access, yes, hack? Not so much.

  3. Re:Eh? by pr0fessor · · Score: 2

    I live in town and have no water rights on my own land... I can't dig a well or have a rain barrel.

  4. Aaron Swartz by Rockoon · · Score: 2, Insightful

    Consider, Aaron Swartz faced less jail time.

    This guy got a 1 year sentence but faced up to 90 years and a $3 million fine.

    This pretty well backs up my theory that Aaron may have never had to serve any time as a member of the general population of a federal prison, and even if he did it would not have been anything even close to the maximum.

    --
    "His name was James Damore."
    1. Re:Aaron Swartz by Reverend+Green · · Score: 2

      This guy got a 1 year sentence but faced up to 90 years and a $3 million fine.

      Mad dog court system, drunk on power, crazed with bloodlust.

  5. If he has been smart ... by Alain+Williams · · Score: 3, Insightful

    he could have made a lot of money. Quietly kept his root access, put in a few logging scripts that would have searched and told him where water usage had dropped in for a couple of days ... probably a good sign that people are away on holiday ... sold this information on to his friend Burglar Bill who could have paid the properties an uninvited visit; very hard to trace this back to leaked water readings [pardon the pun]. This is why accepting smart meters into your house that allow real time water/electric/... usage is a huge security risk.

    The utilities all claim that it is perfectly safe - something that this story shows is a lie -- or at best wildly optimistic. The reason that they want to do this is to increase their profits - but the cost is your household security; but they don't care about that.

  6. You can't fire the person with root access by Visarga · · Score: 3, Funny

    We all know you can't fire the person with root access to your devices. These companies never learn. /s