Latest infrastructure hack proves inadequacy of passwords

A hacker who claims to have accessed SCADA systems belonging to a Texan water authority accuses the infrastructure operators of running inadequate security

A hacker who claims responsibility for the recent compromise of a control system used by a water authority in Texas has stated that the controls were protected only by a three-letter password.

The hacker, who goes by the name 'pr0f', released a statement on free publishing site Pastebin explaining that he had done no damage to the system, but criticised operators for the inadequacy of their security measures.

"I'm not going to expose the details of the box. No damage was done to any of the machinery; I don't really like mindless vandalism. It's stupid and silly," said pr0f.

"On the other hand, so is connecting interfaces from your SCADA [Supervisory Control and Data Acquisition] machinery to the internet. I wouldn't even call this a hack. This required almost no skill and could be reproduced by a two-year-old," the hacker added.

The hack exposes two problems with the security of the system. First, that the interface software used to control the system was unnecessarily publicly available on the web and, secondly, that it was secured only by a single authentication method, and an especially weak one at that.

Speaking to security firm Kaspersky Lab's news service Threatpost, pr0f stated that the password that was cracked was only three characters long.

The Siemens Simatic system used to control the water authority's system is a popular SCADA product, and one which has been the object of multiple warnings from various security researchers.

In July, Siemens warned its customers about a potential password weakness in its Simatic controller, while in August security researcher Sillon Beresford revealed a number of serious security flaws in the product.