- The FBI has issued an alert highlighting some of the security issues found after investigating the recent Oldsmar water hack in Florida.
- As part of that hack, someone was able to access the local water treatment plant’s computer systems and increase the amount of sodium hydroxide in the water supply. Luckily, an employee caught them and stopped the intrusion.
- The FBI alert pointed to the use of TeamViewer on computers running Windows 7, which is now very outdated, along with the sharing of passwords, as all contributing to this hack.
The Oldsmar water plant hack that was thwarted in recent days — sparing the town of some 15,000 people near Tampa, Florida, from having their water supply poisoned — has, no surprise, caught the attention of the FBI. Earlier this week, in fact, the bureau reportedly sent out an alert called a Private Industry Notification, or FBI PIN, warning about issues that led to the near-catastrophe in the Florida town of Oldsmar, where a hacker was able to gain access to the computer network controlling the town’s water treatment plant. It was, needless to say, a security incident that caught the attention of security professionals, the national security community, as well as the White House.
According to law enforcement officials, this hacker or group of hackers used a program called TeamViewer, which allows for remote access to networks, to increase the amount of sodium hydroxide (also known as lye) in the local water supply. At small levels, that chemical controls the water’s acidity, but it can be dangerous and toxic at higher levels. Luckily, an employee of the water plant saw this occurring in real time, was able to shut it down, and also informed local authorities. But while this sounds like the kind of dramatic computer hack you’d expect to see in a big-budget Hollywood film, the FBI PIN flagged three very prosaic issues that compounded the danger here.
The bureau urged private companies, as well as government entities, to review their systems, especially outdated Windows 7 systems, and also any that use TeamViewer — which allows for remote desktop sharing. Poor password security is another issue that was flagged, which is a massive problem all by itself.
One of the big problems in the Oldsmar water hack, as you can see below, was password-sharing, which is a huge security red flag. Passwords should always be complex and long for any system, including a mix of numbers, special characters, and lower-case and upper-case letters, and they should never be re-used.
It wasn’t just the use of 32-bit Windows 7. The Oldsmar plant workers used the same shared password on TeamViewer and there was apparently no firewall, according to an advisory that Mass. DEP posted. https://t.co/93pAnwcU6r
— Frank Bajak (@fbajak) February 11, 2021
Per ZDNet, meanwhile, the FBI PIN says, of the TeamViewer software: “Beyond its legitimate uses, TeamViewer allows cyber actors to exercise remote control over computer systems and drop files onto victim computers, making it functionally similar to Remote Access Trojans (RATs). TeamViewer’s legitimate use, however, makes anomalous activity less suspicious to end users and system administrators compared to typical RATs.”
The FBI’s alert also flagged the use of Windows 7, which Microsoft stopped supporting more than a year ago and which has already been the subject of previous FBI warnings. And here’s a new warning from Massachusetts government officials along these same lines, cautioning public water suppliers to take heed of what happened in the Florida hack: “The unidentified actors accessed the water treatment plant’s SCADA controls via remote access software, TeamViewer, which was installed on one of several computers the water treatment plant personnel used to conduct system status checks and to respond to alarms or any other issues that arose during the water treatment process.
“All computers used by water plant personnel were connected to the SCADA system and used the 32-bit version of the Windows 7 operating system. Further, all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed.”
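The advisory above lists four compounding risk factors: an end-of-life operating system, a remote-access tool on every operator workstation, one password shared across all of them, and direct Internet exposure with no firewall. The following is an added example, not code from the article or from any agency, of how a defender could triage an asset inventory for exactly those factors; the `Host` fields, the `EOL_OS` set and the inventory values are all assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: operating systems treated as out of support for this audit.
EOL_OS = {"Windows 7", "Windows XP", "Windows Server 2008"}

@dataclass
class Host:
    name: str
    os: str
    remote_tool: Optional[str]       # e.g. "TeamViewer"; None if no remote-access software
    remote_cred_hash: Optional[str]  # hash of the remote-access password, if any
    firewall: bool                   # any firewall between the host and the Internet
    direct_internet: bool            # host is reachable directly from the Internet

def audit(hosts: List[Host]) -> Dict[str, List[str]]:
    """Return, per host, the risk factors named in the advisory."""
    findings: Dict[str, List[str]] = defaultdict(list)
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for h in hosts:
        if h.os in EOL_OS:
            findings[h.name].append("end-of-life OS")
        if h.remote_tool and h.direct_internet and not h.firewall:
            findings[h.name].append("remote-access tool exposed to Internet, no firewall")
        if h.remote_cred_hash:
            by_hash[h.remote_cred_hash].append(h.name)
    # Password sharing shows up as one credential hash present on several hosts.
    for names in by_hash.values():
        if len(names) > 1:
            for n in names:
                findings[n].append("remote-access password shared across hosts")
    return dict(findings)

def cred_hash(password: str) -> str:
    # Constructed stand-in for whatever the inventory stores; never keep plaintext.
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed inventory modelled on the advisory's description; all values are made up.
SHARED = cred_hash("constructed-shared-password")
INVENTORY = [
    Host("ops-1", "Windows 7", "TeamViewer", SHARED, False, True),
    Host("ops-2", "Windows 7", "TeamViewer", SHARED, False, True),
    Host("ops-3", "Windows 10", "TeamViewer", cred_hash("constructed-unique-3"), True, False),
]

if __name__ == "__main__":
    for host, issues in audit(INVENTORY).items():
        print(host, "->", "; ".join(issues))
```

Only the two hosts that match the advisory's profile are reported; the patched, firewalled host with its own credential produces no finding.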