Attacks Against Infrastructure & Mortal Consequences

The most important hack of the past weeks had nothing to do with government actors or advanced technology. Instead, it’s the potential physical consequences that made it stand out.

On February 5th, an unknown attacker gained access to a Florida town’s water treatment system and proceeded to instruct the system to increase the levels of lye in the water to 100 times their normal value.

In low concentrations, lye is not dangerous to humans and has many positive properties that lead to its common use in foods and household chemicals. In higher concentrations, however, its high basicity makes it both poisonous to humans and dangerous to infrastructure. Under certain conditions, high concentrations of lye can do anything from corrode to explode.

Since we cannot determine at this point which levels of lye are used under normal conditions, it is hard to tell whether a 100x increase would have had any of these consequences. However, it is relatively safe to assume that the attacker at least intended to cause havoc or even death through the increased lye concentration.

Interestingly, this does not appear to have been the work of a high-level saboteur or state actor. Instead, the attackers logged into “TeamViewer”, software commonly used to remotely connect to computer systems. As the Covid-19 pandemic took off, it was often hastily installed on systems to allow users to work remotely. Worse yet, the free “personal” version of TeamViewer was often installed, since it does not require any licensing or fees. In addition to breaching the terms of service, this also greatly increases risk, since the personal version lacks many of the features required for secure authentication of multiple users.

At this point in time, no new vulnerability in TeamViewer has been revealed. This leaves us with two main possibilities:

  1. A user’s password was stolen or taken from a leak and then abused by third-party attackers to log in

  2. A current or former employee accessed the system to perform what’s known as an “insider attack”

Both scenarios are disturbing in their own right.

The thought that infrastructure of vital importance is sometimes protected by shared, reused or trivial passwords implies that attacking such systems is not the exclusive domain of well-funded state actors. Low-level criminals or hacktivists could easily look up leaked passwords or even bribe employees.

And while this time around the change was immediately noticed and reversed, the same cannot be guaranteed for future cases. The question is not if, but when we will see the first death from the direct consequences of a critical infrastructure cyber attack. Most likely this attack will not come from a highly advanced adversary exploiting a highly technical vulnerability. Instead, human fatalities from such a cyber attack will be attributed to sloppy policy or weak passwords.

The only way to protect against such scenarios is to make sure that all staff members are well aware of the risks and well trained to detect and prevent them. You can buy the best firewall in the world. But if your staff sets up TeamViewer with the password “12345678”, it won’t be able to save you.