Hacker Says Texas Town Used Three Character Password To Secure Internet Facing SCADA System

In an e-mail interview with Threatpost, the hacker who compromised software used to manage water infrastructure for South Houston, Texas, said the district had HMI (human machine interface) software used to manage water and sewage infrastructure accessible to the Internet and used a password that was just three characters long to protect the system, making it easy picking for a remote attack.

The hacker, using the handle “pr0f,” took credit for a remote compromise of supervisory control and data acquisition (SCADA) systems used by South Houston, a community in Harris County, Texas. Communicating from an e-mail address tied to a Romanian domain, the hacker told Threatpost that he discovered the vulnerable system using a scanner that looks for the online fingerprints of SCADA systems. He said South Houston had an instance of the Siemens Simatic human machine interface (HMI) software that was accessible from the Internet and that was protected with an easy-to-hack, three-character password.

“This was barely a hack. A child who knows how the HMI that comes with Simatic works could have accomplished this,” he wrote in an e-mail to Threatpost.

“I’m sorry this ain’t a tale of advanced persistent threats and stuff, but frankly most compromises I’ve seen have been a result of gross stupidity, not incredible technical skill on the part of the attacker. Sorry to disappoint.”

In a public post accompanied by screenshots taken from the HMI software, the hacker said he carried out the attack after becoming frustrated with reports about an unrelated incident in which an Illinois disaster response agency issued a report claiming that a cyber attack damaged a pump used as part of the town’s water distribution system.

A report by the Illinois Statewide Terrorism and Intelligence Center on Nov. 10 described the incident, in which remote attackers hacked into and compromised SCADA software in use by the water utility company. The hackers leveraged the unauthorized access to pilfer client user names and passwords from the SCADA manufacturer. Those credentials were used to compromise the water utility’s industrial control systems, according to Joe Weiss, a security expert at Applied Control Solutions, who described the incident on ControlGlobal.com’s Unfettered Blog.

“You know. Insanely stupid. I dislike, immensely, how the DHS tend to downplay how absolutely (expletive) the state of national infrastructure is. I’ve also seen various people doubt the possibility an attack like this could be done,” he wrote in a note on the file sharing Web site pastebin.com.

The system that was compromised was protected by a three-character password, pr0f claimed – though not necessarily the default password for the device.

Siemens Simatic is a common SCADA product and has been the subject of other warnings from security researchers. The company warned about a password vulnerability affecting Simatic programmable logic controllers that could allow a remote attacker to intercept and decipher passwords, or change the configuration of the devices.

In July, Siemens advised customers to restrict physical and logical access to its Simatic Industrial Automation products. The company warned that attackers with access to the product or the control system link could decipher the product’s password and potentially make unauthorized changes to the Simatic product.

At the Black Hat Briefings in August, security researcher Dillon Beresford unveiled a string of other software vulnerabilities affecting Siemens industrial controllers, including a serious remotely exploitable denial of service vulnerability, the use of hard-coded administrative passwords, and an easter egg program buried in the code that runs industrial machinery around the globe.

 

Discussion

  • Anonymous on

    anyone wanna take bets on the password being H M I ?

  • on

    Bahahahaha. That's so ridiculous it's funny.
  • Anonymous on

    While a weak lock is no excuse for committing burglary, it's surprising how negligent tax dollars seem to be spent in this case.
  • Anonymous on

    I bet it was L O L

  • pretty on

    The bet is 50/50 on "HMI" or "pwd" ...unfortunately there is no law that describes from which point a system is open or protected. That security sounds more like an open system.
  • Anonymous on

    asd

  • Anonymous on

    H2O...

    is another candidate...

  • Anonymous on

    D U M

  • Anonymous on

    POO

  • Anonymous on

    or ass

  • Anonymous on

    Ha, I'll bet afterward, when they saw what happened, they changed it to 'WTF' ??
  • Anonymous on

    123
  • Anonymous on

    We're screwed. We have lazy dumbasses running important infrastructure. "Think about how stupid the average person is, then realize that 50% are stupider than that" -George Carlin
  • Anonymous on

    I am liking H2O, but I would also go for IMH... because backwards is obviously 'safer'

  • Anonymous on

    aaa

  • Anonymous on

    The password might have been "sex"

  • Chris on

    No one here watched Hackers?

    The password was clearly god.

  • F1Mikal on

    How about G O D.
  • Anonymous on

    this makes me have sad face. The county really is phucked and DHS is helping with all the downplay BS. 

  • Anonymous on

    According to "Hackers" (the movie) it must have been GOD.

  • Anonymous on

    "common SCADA product"...?

    Uh, as far as we (as systems integrators, who, by the way, recommend our customers to keep their systems OFF the internet!) have been seeing, Siemens SCADA software is not the most common.  It's either Rockwell or GE.

    When are people going to learn?  Unless your integrator needs access, unplug the $%$^ SCADA network from the internet!

  • Anonymous on

    I'm guessing it was: ...

  • Anonymous on

    password:  bad

  • Anonymous on

    OH SNAP  xD

  • Anonymous on

    In the meantime, 1.5million accounts leaked, and more coming :(

    http://dazzlepod.com/disclosure/

  • Anonymous on

    If I know Springfield, Illinois, the password was WLP, ABE, SIM or QWE.

  • Another thought... on

    I'll pay to find out what town it was, please.

  • Anonymous on

    If you ABSOLUTELY MUST have your SCADA system remotely accessible (for SI access for instance) the MINIMAL acceptable solution is to have it on a network segment only accessible via VPN and authenticated by two factor authentication.  For goodness sake most corporate LANs have at least this level of protection, the drinking water system deserves at least as good as a corporate LAN, donchya think?

    Air gap is best, always.

     

  • Anonymous on

    "GOD" is the first that comes to mind right after se... *gg* oh btw, pastebin IS NOT a filesharing site..!
  • Anonymous on

    that's the code to my luggage!

  • Anonymous on

    someone above forgot "SPI" which is a common one for Springfield

  • Anonymous on

    Pastebin is NOT a filesharing website, please clarify that in your article it is quite simply a 'paste site' where text can be pasted and shared, originally for programming purposes.

  • Anonymous on

    For a Romanian, that hacker writes English very well. And he/she seems to have a real interest in seeing that security is improved. Sometimes the most serious threats come from misplaced trust.

  • Anonymous on

    Well, someone's got "egg" on their face over this one.  That's my p/w vote.

  • Anonymous on

    "EGG"... as in egg on their face.

  • Anonymous on

    I really hope he/she knows what they are doing and covered the tracks very well, otherwise there is a bad day coming. TOR will not be enough.

  • water guy on

    One guess would be TIA from the TIA Portal Siemens uses in scada systems.

  • Anonymous on

    djlakdjkdljakldaj

  • Anonymous on

    We end users in Industry need to take more ownership and refrain from throwing vendors under the bus. Siemens clearly spells out changing the default password in bold letters in their set up guide and discusses two factor authentication.

    Note
    The password "---" and all web permissions are set by default for the user entitled "Administrator". Change this default password during commissioning to suit your requirements.
    permissions. If necessary, you can protect the Control Panel against unauthorized access.

     

    So it's like setting up a Linksys wireless router at home and never changing the default, that's not Linksys's fault NOR is it Siemens!!

  • Anonymous on

    Deer Applikant,

    You have bin turned down fer that innernet pozishun. My nephew is alreddy doin a reel good job. He is Microsoft sertified, too.

    Sinceerly,

    Right Hon. Cletus J. "Coach" Heiferhumper

    Distrikt 5 Kommishunner
