Latest infrastructure hack proves inadequacy of passwords

By Stuart Sumner
22 Nov 2011 View Comments
Siemens Scada system

A hacker who claims responsibility for the recent compromise of a control system used by a water authority in Texas has stated that the controls were protected only by a three-letter password.

The hacker, who goes by the name 'pr0f', released a statement on free publishing site Pastebin explaining that he had done no damage to the system, but criticised operators for the inadequacy of their security measures.

Further reading

"I'm not going to expose the details of the box. No damage was done to any of the machinery; I don't really like mindless vandalism. It's stupid and silly," said pr0f.

"On the other hand, so is connecting interfaces from your SCADA [Supervisory Control and Data Acquisition] machinery to the internet. I wouldn't even call this a hack. This required almost no skill and could be reproduced by a two-year-old," the hacker added.

The hack exposes two problems with the security of the system. First, that the interface software used to control the system was unnecessarily publicly available on the web and, secondly, that it was secured only by a single authentication method, and an especially weak one at that.

Speaking to security firm Kaspersky Lab's news service Threatpost, pr0f stated that the password that was cracked was only three characters long.

The Siemens Simatic system used to control the water authority's system is a popular SCADA product, and one which has been the object of multiple warnings from various security researchers.

In July, Siemens warned its customers about a potential password weakness in its Simatic controller, while in August security researcher Sillon Beresford revealed a number of serious security flaws in the product.

Reader comments
blog comments powered by Disqus
Newsletters
Is it time to open Windows?

Computing believes that Microsoft will start offering Windows free of charge by 2017. Is this a good thing for the enterprise?

56 %
15 %
7 %
20 %
2 %