
U.S. Infrastructure Can Be Hacked With Google, Simple Passwords

Authorities worry the hack of a New York dam by Iranians was a test run.

Authorities say the Iranian computer hack of a New York dam is the symptom of a huge weakness in the U.S. infrastructure -- dams, stadiums, traffic controls and power grids that can be accessed by anyone, including hostile nations or terrorists -- with simple passwords or no passwords at all.

New York U.S. Attorney Preet Bharara said that the 2013 hack of the Bowman Avenue Dam in Rye Brook, N.Y., was a “frightening new frontier” of cybercrime that’s “scary to think about.” The lead investigator of the case said it was a “game-changing event.” U.S. officials believe that hackers were probing for weaknesses in hopes of hitting bigger targets later.

Authorities are worried about these attacks because the threat is growing exponentially, and despite years of warnings America’s private sector has been woefully slow to adapt. About 6.4 billion devices and control systems will be connected to the Internet in 2016, a 30 percent spike over 2015, according to a new report. By 2020, nearly 21 billion will be online.

The rise of what the cyber community calls “the Internet of Things” (IoT) -- the way in which objects, equipment and buildings are now linked to the web and each other and send and receive data -- has ushered in a new era of security vulnerabilities. Hackers can remotely seize control of a spectrum of critical public and private infrastructure. Many of these targets are run by Industrial Control Systems that were designed before cybersecurity became crucial.

Hamid Firoozi, the Iranian hacker charged earlier this month with breaking into the control system of a New York dam, reportedly used a simple, legal search engine that surfs for and identifies unguarded control systems online. Firoozi was one of seven men who work for a pair of private Iranian cyber-security firms that do work for the Iranian government, including its elite military unit, the Islamic Revolution Guard Corps. The men were charged with hacking the financial sector as well as the dam.

While foreign nation-state hacking into U.S. infrastructure is common and growing in scope and sophistication, the dam hack is significant because prosecutors say it’s the first time a simple, search engine-driven hack of a piece of U.S. infrastructure has surfaced as the tool of choice. It’s also the first time a federal indictment has tied a foreign state to the hacking of critical U.S. assets.

“This stuff has been happening undetected for years”

It’s particularly concerning because the so-called “water sector” -- bridges, tunnels, dams -- is one of the most vulnerable sectors of the U.S. economy. If the small Bowman dam had been breached, some homes in a tony New York suburb would have been flooded, but no lives would’ve been lost. Officials were more concerned that the hack was a test run.

Researchers said that many infrastructure systems require just a default username and password (like “admin” and “admin”) to access. Others have no password security at all. With the growing popularity of search engines dedicated to locating exploitable “open ports,” or unprotected access points -- a practice known as “Google dorking” because hackers can use Google to find the ports -- authorities believe cyber-attacks on U.S. infrastructure will continue to increase for some time.

“This stuff has been happening undetected for years, and now this is one of the first times that it’s surfaced publicly,” said former F.B.I. computer crime investigator Mike Bazzell. “We’re getting close to a threshold where something must be done,” he said. “The more this type of activity becomes popular and well-known, it will get worse before it gets better.”

Who Is Vulnerable?

The threat of cyber-attacks spans every sector of the U.S. economy, experts said.

In recent years, independent “white-hat” security researchers have shown they can access cities’ traffic control systems and license plate reader networks, sports stadiums, car washes, a hockey rink in Denmark, a Texas water plant, the particle-accelerating cyclotron at the Lawrence Berkeley National Laboratory, even an Olympic arena.

In 2013, researcher Billy Rios, a former Google cyber-security expert who studies emerging threats to industrial control systems and critical infrastructure, found that the control systems for about a dozen pro and college sports stadiums in the U.S. were easily accessible to hackers. Three years later, he told NBC News, “I’d say 80 percent of my stadiums are still online” and vulnerable.

In 2014, Rios identified an open control system inside Russia’s Sochi Fisht Olympic Stadium and notified authorities. The vulnerability was fixed the day before opening ceremonies for the Winter Games.

John Matherly -- a researcher who built the search engine Shodan to identify unsecured servers online -- recently probed a leading automatic license plate reader system in wide use by law enforcement agencies nationwide. He realized he could tap into a Louisiana town’s LPR system, siphon off tens of thousands of images a week, and even “tell [it] to send the pictures elsewhere.” Fellow researchers subsequently identified unsecured LPR systems in ten U.S. states.

Most leading researchers -- including a group called I Am The Cavalry that was formed to call attention to these dangerous vulnerabilities -- work with federal agencies to contact vulnerable facility or infrastructure owners in both the public and private sectors.

Private sector companies own 85 percent of U.S. critical infrastructure, said Frank J. Cilluffo, former White House special assistant to the president on homeland security.

Image: The seven Iranian hackers indicted for cyber attacks, including on the New York dam, are wanted by the FBI. (FBI)

Who Are the “Bad Actors”?

Cilluffo, now director of George Washington University’s Center for Cyber and Homeland Security, told Congress last month about the ease with which bad actors are launching cyber-attacks on critical infrastructure. In many cases, he said, “virtually anyone with a measure of skills and a special interest can cause harm.”

He said the private sector has been overwhelmed by the growth of cyber-attacks.

“It’s not that they’re necessarily ignoring” their security vulnerabilities, Cilluffo said. “It’s the fact that they’ve got a whole lot of vulnerabilities they are going to need to backfill before they can get to all of them.”

Most nation-states have far more sophisticated cyber capabilities than those required for the search engine hacking to gain control of vulnerable U.S. infrastructure targets. Individual hackers without any ties to groups are capable of these simple hacks.

While authorities believe nation states have mounted numerous attacks on infrastructure and thousands of “dry run” drills in the past, these intrusions can be hard to detect in real time and often go unreported by their targets. Investigators just happened to notice the dam intrusion while monitoring for cyber-attacks in the financial sector.

But in his testimony, and in an interview with NBC News, Cilluffo said that at least four countries are major players in hacking, or supporting hacks, of U.S. targets -- China, Iran, North Korea and Russia, with Russia the source of the most sophisticated intrusions.

Eighty percent of worldwide cybercrime emanates from Eastern Europe, according to Europol Director Robert Wainwright. In 2009, cyber-criminals from Russia or China breached the U.S. electric grid, leaving software programs behind, according to the Wall Street Journal. Experts say some hacks may be conducted by Russian organized crime at the behest of the state security service, the FSB.

China is believed to have been responsible in December, 2014 for the largest breach of U.S. federal employee data -- compromising personal data on 4 million current and former employees, according to U.S. officials. The increasing sophistication and capabilities have prompted authorities to charge that Chinese cyber-espionage has risen to the level of a strategic threat to the U.S. national interest.

In January, 2013, Iran launched a concerted series of cyber-attacks against American financial institutions, including Bank of America, J.P. Morgan Chase and others. Cilluffo cites a 2015 British tech research firm study which says that under President Hassan Rouhani, Iran’s cyber budget has grown twelve-fold. The recent indictment of the alleged Iranian dam and financial industry hackers made pointed reference to their apparent ties to various Iranian state agencies.

While North Korea is not known for U.S. infrastructure attacks, it has been accused of hacking power plants, banks and news organizations in South Korea, whose minister of defense said last year that North Korea has a force of “about 6,000 cyber-agents.”

While Cilluffo said foreign terrorist organizations have yet to demonstrate a capacity for the sort of sophisticated attacks believed to have been launched by the nation-states above, he notes that the growing "arms bazaar of cyber weapons" available for purchase or rental, together with the obvious social media savvy of groups like ISIS/ISIL, makes it likely only a matter of time before they are capable of launching potentially devastating attacks on U.S. assets.

Image: Bowman Avenue Dam in Rye, N.Y., on Feb. 13, 2012. (City of Rye)

“Straight Shot to the Internet”

The age of the IoT has created a new generation of “connected” devices that communicate over the Internet - like “smart homes” whose appliances can be controlled remotely with an app. The term also applies to businesses and municipalities which are increasingly taking their operations online. As aging infrastructure moves from old radio and satellite systems to 4G cellular networks, hundreds of thousands of systems worldwide are suddenly visible - and hackable.

Unlike computer software flaws, there is often no easy way to universally patch vulnerabilities in complex Industrial Control Systems or effectively warn customers.

“You have these big control systems that have a straight shot to the Internet – that’s the fundamental security flaw,” said researcher Tod Beardsley.

The legal landscape can be confusing and remains largely untested in U.S. courts. White hat researchers said they never actually breach vulnerable systems – they stop at the open doors. They also use proprietary software to further identify the types of facility they are seeing.

Yet they contend that both the Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA) are broadly written and afford prosecutors wide latitude in how to interpret them.

Image: A poster for the movie "The Interview" is carried away by a worker after being pulled from a display case at a Carmike Cinemas movie theater, on Dec. 17, 2014 in Atlanta. Georgia-based Carmike Cinemas has decided to cancel its planned showings of "The Interview" in the wake of threats against theatergoers by the Sony hackers. (David Goldman / AP)

“Fear of civil or criminal prosecution under these vague laws can have a chilling effect on the kind of services we could provide,” said researcher Joshua Corman.

Having worked for years to identify these vulnerabilities, these experts don’t want to be the ones who end up testing case law by drawing the wrong kind of attention.

“We have this coming tsunami of IoT devices that are password defaulted, and it can be technically illegal to point them out!” Beardsley said.

That could soon change.

At a conference in February, Corman and colleagues urged federal prosecutors and all 50 state attorneys general to better protect altruistic researchers from prosecution.

They are also urging private sector leaders to create “bug bounty” programs that explicitly permit hackers to probe their systems for vulnerabilities and reward those who find flaws.

Both General Motors and the Pentagon recently announced bug bounty programs.

“We do need to carve out some immunity for white hat hackers who, as long as their intent is pure, warrant a re-examination of the ways [the laws] are written,” Cilluffo agreed.

Corman is hopeful.

“We’re really ready and willing to help, if we’re allowed to.”