Hacker Tries to Poison Water Supply

By John Lister

A hacker tried to poison a city's water supply using software designed to remotely control computers. Officials in Oldsmar, Florida say that even if the attack hadn't been spotted, it would have been unsuccessful.

The attacker struck a system that treats the water supplied to around 15,000 people. Last Friday, they gained access to a control computer for around three to five minutes through TeamViewer, which appears to have been in place to allow remote work. (Source: independent.co.uk)

100-Fold Lye Increase

The computer controlled the levels of some chemicals in the water, including sodium hydroxide, also known as lye. It's used to reduce the acidity of the water, which in turn reduces the danger of metals such as lead dissolving and entering the water supply.

The attacker attempted to increase the level of sodium hydroxide by around 100 times, from 100 parts per million to 11,100 parts per million. That could have caused skin irritation, burns and scarring, as well as eye damage.

The good news is that a worker spotted the attempt and immediately reversed it, meaning the sodium hydroxide levels in the public supply didn't change at all.

Safeguards In Place

Officials noted that it would have taken over 24 hours for the change to work through the system and alter the water leaving the plant and going to the public.

They noted other safeguards in the system would have highlighted the increase before this happened. That means there was no danger of the public water supply being contaminated, though it might have been disrupted if not caught earlier. (Source: reuters.com)
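The "other safeguards" the officials describe are, at their simplest, a check on every setpoint write: does the new value fall inside the dosing limits the plant has engineered, and is the jump from the current value plausible for one operator action? The following is an added illustration written for this article, not code from the Oldsmar plant or any SCADA vendor. The dosing limits, the audit-log format, the `src=` field and the log lines themselves are all assumptions constructed for the example; only the 100 ppm baseline and the 11,100 ppm attempted value come from the article.

```python
"""Setpoint-change guard and audit-log scan (added example, not from the article).

check_setpoint() enforces two engineering safeguards on a proposed dosing
setpoint: an absolute range and a maximum single-step change.
scan_audit_log() replays constructed HMI audit lines through that guard and
additionally flags any setpoint write that did not come from the local
console, so a remote session that changes dosing is always reviewed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DosingLimits:
    name: str
    low: float       # lowest setpoint the plant allows (assumed value)
    high: float      # highest setpoint the plant allows (assumed value)
    max_step: float  # largest change one operator action may make (assumed value)


# Assumed limits for sodium hydroxide dosing in ppm. The 100 ppm operating
# point is from the article; the 50/150 ppm band and the 25 ppm step are
# invented for this example, not the plant's real configuration.
NAOH = DosingLimits("sodium_hydroxide_ppm", low=50.0, high=150.0, max_step=25.0)


def check_setpoint(limits, current, proposed):
    """Return (accepted, reason). A change is accepted only if the new value is
    inside the engineering band and the step from the current value is small."""
    if not (limits.low <= proposed <= limits.high):
        return False, f"{limits.name}: {proposed} outside [{limits.low}, {limits.high}]"
    step = abs(proposed - current)
    if step > limits.max_step:
        return False, f"{limits.name}: step {step} exceeds {limits.max_step}"
    return True, "ok"


# Assumed audit-line format: timestamp, user, session source, tag, old and new value.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) tag=(?P<tag>\S+) "
    r"old=(?P<old>[0-9.]+) new=(?P<new>[0-9.]+)$"
)


def scan_audit_log(lines, limits_by_tag):
    """Return a list of (kind, detail) alerts for the given audit lines.

    kind is "blocked" when the guard rejects the value, "review" when the value
    is acceptable but was written from a non-console session, and "unparsed"
    when a line does not match the expected format (never silently skipped).
    """
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            alerts.append(("unparsed", line))
            continue
        limits = limits_by_tag.get(m["tag"])
        if limits is None:
            continue  # not a dosing tag we guard
        old, new = float(m["old"]), float(m["new"])
        ok, reason = check_setpoint(limits, old, new)
        if not ok:
            alerts.append(("blocked", reason))
        elif m["src"] != "console":
            alerts.append(("review", f"{m['tag']} changed {old} -> {new} "
                                     f"over {m['src']} by {m['user']}"))
    return alerts


# Constructed sample audit lines (timestamps and users are placeholders).
SAMPLE_LOG = [
    "2000-01-01T08:00:00 user=op1 src=console tag=sodium_hydroxide_ppm old=100 new=110",
    "2000-01-01T13:02:00 user=op1 src=remote tag=sodium_hydroxide_ppm old=100 new=11100",
    "2000-01-01T13:05:00 user=op1 src=remote tag=sodium_hydroxide_ppm old=100 new=120",
    "2000-01-01T13:06:00 user=op1 src=console tag=sodium_hydroxide_ppm old=100 new=140",
]


if __name__ == "__main__":
    for kind, detail in scan_audit_log(SAMPLE_LOG, {NAOH.name: NAOH}):
        print(f"{kind:8s} {detail}")
```

Run against the constructed lines, the first (console, small step) passes silently, the 11,100 ppm write is blocked on range, the 120 ppm remote write is allowed but queued for review because it came over a remote session, and the 140 ppm console write is blocked because a 40 ppm step exceeds the assumed single-action limit. The point is that a range check alone would have caught the Oldsmar value, but the step limit and the remote-session flag are what catch a quieter attacker who stays inside the band.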

It's not yet clear why the attacker picked this particular system or whether they genuinely believed they would be successful in altering the public supply. One possibility is that the attacker was simply trying to learn more about what attacks are possible.

Oldsmar is around 10 miles from the site of Sunday's Super Bowl, but at the moment there's no reason to believe that isn't just coincidence.

Officials have now disabled the use of TeamViewer on the system.

What's Your Opinion?

Do you think this was a genuine attempt to poison the supply? Should control systems such as this be accessible through remote control software? Do you worry about such attacks on infrastructure?


Comments

russoule wrote:

I have used TeamViewer for many, many years and have NEVER had an outsider get access. That isn't to say that such access isn't possible. It is. But it would take quite an unfortunate set of circumstances to happen.

Teamviewer has machine-assigned per-user IDs with a machine-assigned password. Each user must be a member of the managed group to get an ID/password. Outside users can access via Teamviewer IF THE RECIPIENT COMPUTER GIVES OUT ITS INFORMATION, but for an outsider to "guess" the info for access is very difficult.

As an example, one of my systems has been assigned id 833820218 (not real, thank you very much) with a password of hg481c. This computer also has been assigned to multiple workgroups with different names, so invasion would require a workgroup name, a computer ID and a computer password. Can it be done WITHOUT INSIDE INFO? Perhaps, but I am betting against it.

The reality is that even the best VPN cannot GUARANTEE there will never be a hack, only that their process makes a hack most unlikely. The answer is for EVERYONE to be aware of the potential and to do what is needed to prevent these hacks from occurring.

Dennis Faas wrote:

Most VPN service companies twist the truth when advertising how VPNs protect users. The fact is, VPNs won't stop you from getting hacked - it only obfuscates your IP address from prying eyes (government) and/or allows you to access geo-restricted content. It does absolutely nothing to protect you from "hackers" or bots.

Teamviewer and all other software programs (Windows OS included) can be hacked through exploits, which means that user names and passwords aren't needed to allow someone / a bot to take remote control of a system. This is why all software - operating systems included - must be patched on a regular basis, which is also why anyone who runs an outdated operating system is begging to be hacked - Windows XP and Windows 7 included.

There are lots of stories like this to verify what I said if you search for it.

https://www.welivesecurity.com/2019/12/17/bluekeep-time-disconnect-rdp-internet/

https://thehackernews.com/2020/08/teamviewer-password-hacking.html

russoule wrote:

Dennis, I agree that there is NO system that cannot be "hacked" given the right circumstances.

The second link you posted indicates that the vulnerability of TeamViewer was due to the enticement of the user to a malicious site, which then allowed the user's system to contact the hacker's system, thus giving the hacker access to the password. This can be avoided by not going to unknown, possibly malicious sites.

My point is that a "hacker" from the local community or from Latvia or from Ukraine or wherever is not very likely to determine the workgroup, computer ID and password of a subject system without that connection in some fashion. Therefore, the best protection is to be aware that such things happen and limit your internet "surfing" to legitimate sites.

As they used to say on Blue Street Blues, "Be careful out there!"

davolente_10330 wrote:

Breached water plant employees used the same TeamViewer password and no firewall
https://arstechnica.com/?p=1741283
Is that not a familiar story? It'll never happen to us!

matt_2058 wrote:

You'd think the sharing of a password would be a non-existent thing these days, especially in Government circles. I'd bet there's more Government workers who would NOT share a password to preserve their own hide because they know crap will come back to them, a CYA thing.

Too bad we'll never see the results of the investigation. Did the system need an adjustment to start with? Was it a worker who entered an incorrect amount, then the mistake turns into an explanation of being hacked? Did the 'hacking' come from an employee's home (maybe another occupant who decided to see what they could see)? Or from an employee's phone or other potential IP address an employee has access to?

russoule wrote:

davolente,

TeamViewer DOES allow a user to create their own password and to automatically "accept" any request to connect. But doesn't that seem ridiculous if the idea is to prevent outsiders from having access?

In my shop, every single system is set up with its own password, even though they are on my private network and it is a pain to remember each one when I need to use TeamViewer. I would never allow my systems to have the same password for network connections because my sons could get to my clients' files, lol.

I have a very difficult time believing that a government facility was so lax that they allowed EVERYONE to use the same password. Why have a password at all then?

rohnski wrote:

I read the same Ars article. It is even worse than anyone has said. From that article:
<snip>
* hacker accessed the water treatment plant's SCADA controls via TeamViewer
* Teamviewer was installed on one of several computers
* single teamviewer password shared by everyone
* All computers used by water plant personnel were connected to the SCADA system
* All computers used 32-bit Windows 7
* all computers shared the same password for remote access
* all computers connected to the Internet without a firewall
</snip>

That's a lot of bad I.T. decisions. Looking at it from the outside I'd speculate that it is a small shop with no in-house IT, and the city/county is not much better off.

They are very LUCKY:
* the setting the hacker changed takes a long time to flow through the system
* the hacker picked the wrong time of day to make the change, so a user saw suspicious activity
* they have a good water quality control process that caught the problem before it caused any harm.

Now they, the whole county, not just the water plant, need to improve their IT process.

I'd also speculate that the reason they are still using Win7 is two-fold:

1- They have not updated their desktop computers for a while because the hardware/OS they have is still up to the job
2- There is a good chance that the SCADA software has not been upgraded to run on Win10. So, even if they wanted to, they cannot easily upgrade their old OS and hardware ...

dlhamilton_13391 wrote:

I see NO reason why a water control system should be linked to the internet IN ANY WAY. Water systems or any other public utility system, from water to electric, or even industrial control systems, should never be connected to the internet. They should have their own pipe if the need is to operate something from a remote location. That pipe should IN NO WAY be on the public internet.
Fiber pipes are not as costly as they once were. Compare the cost of private pipes to the millions or billions in cost of a hacker damaging a utility control system. They didn't have the internet not too long ago, as not much time has passed since control systems had to be run from the site with real workers controlling equipment with real knobs, switches, and valves.

davolente_10330 wrote:

Back in the day, before the internet was even a twinkle in Berners-Lee's eye, I was a British Telecom (or Post Office Telephones, as it was then, before the lovely Maggie Thatcher sold the family silver) maintenance engineer, and we had numerous private circuits connecting various utilities like electricity companies, water towers, reservoirs, etc. for remote monitoring (water levels, etc.). They were known in the trade as "private wires", which is exactly what they were: just a pair of wires (or more) within the network, rented out to the companies with their own kit connected at either end, with obvious limitations as to what was actually being sent through the cables (maximum voltages, etc.). The only way that anyone could do anything nefarious would be to physically tap into the cable, and that was highly unlikely, as most people didn't know they existed and they would have to know what signals or protocols were being used, as they were presumably proprietary to the companies. It seems folly these days to have anything so mission-critical connected through the internet, just ripe to be hacked. I'm a bit out of touch these days, but surely utilities should be using encryption for suchlike things?

dlhamilton_13391 wrote:

Nice, well-written reply, davolente_10330.