How a Hacker almost Poisoned 15,000 people

In this article, we will be going over a potentially devastating cyberattack that occurred recently in the town of Oldsmar, Florida.

This hack is of particular interest to us because it had physical implications, i.e., it could have caused physical harm to its targets.

Let’s begin.

The Attack

In the past few weeks, a hacker tried to poison approximately 15,000 people in the town of Oldsmar, Florida.

The hacker’s plan was simple: break into the system and increase the levels of Sodium Hydroxide (Lye) from 100 parts per million to 11,000 parts per million.

A 110x increase of the acceptable levels!

With levels this high, anyone who drank the water would have suffered a severe corrosive injury to their internal organs from the high concentrations of the chemical.

In addition, the victim could expect vomiting and severe abdominal pains.

A truly gruesome fate for anyone.

Luckily, there was an observant plant operator who immediately changed the values back to normal when they noticed a rise in chemical concentrations.

Attack Methods

You are probably expecting the hacker to have used some sophisticated cyber-attack method or an incomprehensible tool that could evade government-grade sensors.

The truth, however, is more mundane, which makes the situation even scarier.

The hacker obtained the system passwords from a public forum (that we will not link to) which hosts passwords from database breaches.

Also, this same password was shared across the plant’s computers.

Keep in mind, this is not the first time a Florida government entity has shared passwords amongst computers.

The hacker used the publicly accessible password to log into TeamViewer (remote access software) on one of the computers which controlled the water treatment plant’s mechanisms.

Potential Solutions

What makes this attack particularly maddening is that it could have been avoided with preventative cyber-protection strategies like continuous penetration testing.

Also, basic information security protocols like banning credential sharing and having a network firewall in place could have prevented this horrible situation from happening.
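
A ban on credential sharing only holds if it is audited. The following Python is an added example, not code from the original article: it groups a credential inventory by password fingerprint and flags credentials that are shared across hosts, present in a breach list, or both (the Oldsmar combination). The hostnames, accounts, passwords and the SHA-1 fingerprint format are constructed assumptions.

```python
"""Audit a credential inventory for shared and breach-exposed passwords."""
import hashlib
from collections import defaultdict


def fingerprint(secret: str) -> str:
    # Assumption: stands in for whatever hash format an audit export contains.
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


def audit(inventory, breached):
    """Group (host, account, fingerprint) rows by fingerprint and rate each group.

    A finding is raised when a credential is used on more than one host,
    appears in the breach set, or both. Findings are returned worst first.
    """
    uses_by_fp = defaultdict(set)
    for host, account, fp in inventory:
        uses_by_fp[fp].add((host, account))

    findings = []
    for fp, uses in uses_by_fp.items():
        hosts = sorted({h for h, _ in uses})  # distinct hosts, not accounts
        shared = len(hosts) > 1
        exposed = fp in breached
        if not (shared or exposed):
            continue
        severity = "critical" if shared and exposed else "high" if exposed else "medium"
        findings.append({"severity": severity, "hosts": hosts,
                         "shared": shared, "exposed": exposed})
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["hosts"]))


# Constructed sample data: every hostname, account and password is invented.
BREACHED = {fingerprint("Plant-2017"), fingerprint("letmein")}
INVENTORY = [
    ("hmi-01", "remote", fingerprint("Plant-2017")),
    ("hmi-02", "remote", fingerprint("Plant-2017")),
    ("eng-ws", "remote", fingerprint("Plant-2017")),
    ("historian", "svc", fingerprint("k9#Vt!unique-1")),
    ("lab-pc", "tech", fingerprint("letmein")),
    ("scada-a", "admin", fingerprint("Shared-but-private")),
    ("scada-b", "admin", fingerprint("Shared-but-private")),
]

if __name__ == "__main__":
    for f in audit(INVENTORY, BREACHED):
        print(f"{f['severity']:8} shared={f['shared']} exposed={f['exposed']} hosts={f['hosts']}")
```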

This attack should illustrate that there needs to be a basic standard of security when dealing with devices that can impact you physically.

Conclusions

We just covered the process a hacker used to breach a Florida city’s water treatment system and, as you found out, it was extremely easy.

As you can imagine, if an obvious vulnerability in this critical system exists, what other hidden vulnerabilities might there be?

These are the things we will need to think about as we venture into the future.

We are going to be entrusting more and more critical infrastructure into the hands of smart devices.

With these smart devices, there will need to be established controls and protocols to make sure breaches are detected early, or even to identify potential breach points before hackers can.

Neil Okikiolu

Neil is a Computer Scientist, Roboticist, and the founder of Simius Technologies Inc.