Turns out that Florida water treatment facility left the doors wide open for hackers

By now, you’ve probably heard the theoretically scary story of how hackers managed to infiltrate the computer systems at a water treatment plant in Oldsmar, Florida and remotely control the chemical levels — but it turns out that description gives the hackers far, far too much credit.

The reality? The water treatment plant itself left off-the-shelf remote control software on these critical computers — and apparently never, ever bothered to change the password.

An official cybersecurity advisory about the incident from the state of Massachusetts (via Ars Technica) explains that the SCADA control system was accessed via TeamViewer, the kind of remote desktop application an IT administrator might roll out to remotely troubleshoot computers — not something you’d generally want hooked up to a critical system. More importantly, and here I will just quote the Massachusetts report verbatim:

Further, all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed.

Yes, just like Florida’s Department of Health, this Florida water treatment plant apparently didn’t bother to issue individual passwords for software that could give anyone complete access to any of their computers and their water treatment system.

In other words, any employee could adjust the entire town’s water supply on a whim from anywhere in the world. Which is probably what happened: former US cybersecurity czar Christopher Krebs testified earlier today that it was “very likely” an insider, possibly a disgruntled employee. Someone who would already have access, which wouldn’t make this much of a “hack” at all.

It’s not like the water treatment plant was even using that software, by the way: Pinellas County Sheriff Bob Gualtieri said the plant had actually stopped using TeamViewer six months ago, according to The Wall Street Journal.

It should probably go without saying that you shouldn’t leave critical public infrastructure easily accessible from anywhere in the world, but the FBI is saying it anyhow, according to ZDNet; the agency sent out an alert today warning against TeamViewer, bad passwords and Windows 7, which Microsoft no longer supports with security updates but the water treatment plant still had installed.

Sadly, reports at Vice and Cyberscoop suggest that lax security (including TeamViewer specifically) and aging infrastructure are all too common at small public utilities, which may not have the budget, expertise or even the ability to control their own security systems, which are often farmed out to third parties.

The good news is that a plant operator quickly noticed the intrusion, reversed it, and it seems no one was harmed.

Originally posted: Source link


Leave a Reply

Subscribe to our newsletter

Join our monthly newsletter and never miss out on new stories and promotions.
Techhnews will use the information you provide on this form to be in touch with you and to provide updates and marketing.

You can change your mind at any time by clicking the unsubscribe link in the footer of any email you receive from us, or by contacting us at newsletter@techhnews.com. We will treat your information with respect.

%d bloggers like this: