In an e-mail interview with Threatpost, the hacker who compromised software used to manage water infrastructure for South Houston, Texas, said the district had HMI (human machine interface) software used to manage water and sewage infrastructure accessible to the Internet and used a password that was just three characters long to protect the system, making it easy picking for a remote attack.
The hacker, using the handle “pr0f,” took credit for a remote compromise of supervisory control and data acquisition (SCADA) systems used by South Houston, a community in Harris County, Texas. Communicating from an e-mail address tied to a Romanian domain, the hacker told Threatpost that he discovered the vulnerable system using a scanner that looks for the online fingerprints of SCADA systems. He said South Houston had an instance of the Siemens Simatic human machine interface (HMI) software that was accessible from the Internet and that was protected with an easy-to-hack, three-character password.
“This was barely a hack. A child who knows how the HMI that comes with Simatic works could have accomplished this,” he wrote in an e-mail to Threatpost.
“I’m sorry this ain’t a tale of advanced persistent threats and stuff, but frankly most compromises I’ve seen have been a result of gross stupidity, not incredible technical skill on the part of the attacker. Sorry to disappoint.”
In a public post accompanied by screenshots taken from the HMI software, the hacker said he carried out the attack after becoming frustrated with reports about an unrelated incident in which an Illinois disaster response agency issued a report claiming that a cyber attack damaged a pump used as part of the town’s water distribution system.
A report by the Illinois Statewide Terrorism and Intelligence Center on Nov. 10 described the incident, in which remote attackers hacked into and compromised SCADA software in use by the water utility company. The hackers leveraged the unauthorized access to pilfer client user names and passwords from the SCADA manufacturer. Those credentials were used to compromise the water utility’s industrial control systems, according to Joe Weiss, a security expert at Applied Control Solutions, who described the incident on ControlGlobal.com’s Unfettered Blog.
“You know. Insanely stupid. I dislike, immensely, how the DHS tend to downplay how absolutely (expletive) the state of national infrastructure is. I’ve also seen various people doubt the possibility an attack like this could be done,” he wrote in a note on the file sharing Web site pastebin.com.
The system that was compromised was protected by a three-character password, pr0f claimed – though not necessarily the default password for the device.
Siemens Simatic is a common SCADA product and has been the subject of other warnings from security researchers. The company warned about a password vulnerability affecting Simatic programmable logic controllers that could allow a remote attacker to intercept and decipher passwords, or change the configuration of the devices.
In July, Siemens advised customers to restrict physical and logical access to its Simatic Industrial Automation products. The company warned that attackers with access to the product or the control system link could decipher the product’s password and potentially make unauthorized changes to the Simatic product.
At the Black Hat Briefings in August, security researcher Dillon Beresford unveiled a string of other software vulnerabilities affecting Siemens industrial controllers, including a serious remotely exploitable denial of service vulnerability, the use of hard-coded administrative passwords, and an easter egg program buried in the code that runs industrial machinery around the globe.