For a few months after he got sacked, ex-smart water meter techie Adam Flanagan was bitter, likely drunk on more than one occasion, and in a perfect position to demonstrate, once again, that security in the Internet of Things can be about as strong as soggy tissue paper.
And as of last week, Flanagan is now in the position of being in jail.
A Pennsylvania judge has sentenced Flanagan, 42, of Bala Cynwyd, Pennsylvania, to one year and one day in jail (minus time already served), three years of supervised release (during which, the court suggested, he should probably stay away from alcohol), and a fine of $40,000.
He could have faced a sentence of up to 90 years. The charges for which he was convicted: intentionally accessing a protected computer without authorization – a felony – and as a result, recklessly causing damage.
The original indictment of Flanagan totaled nine counts, including incidents with three other water authorities in Aliquippa and New Kensington, Pennsylvania, and Egg Harbor City, New Jersey. All but the two counts of unauthorized access for the Kennebec and Spotswood intrusions were dropped as part of the plea agreement, but Flanagan was linked to them by his IP address.
One of those intrusions was particularly colorful:
On April 3, 22, 24, and 28, 2014, there were multiple intrusions into one of the Aliquippa Water Authority’s TGBs. All the intrusions were made from [the IP address linked to Flanagan’s Clearwire cellular modem]. On one of the intrusions on April 22, the intruder changed the radio frequency for communications. He also changed the code for a computer script to the lyrics of a Pink Floyd song.
According to court documents, between November 2007 and November 2013, Flanagan worked as a radio frequency field engineer with a company that put up towers to wirelessly monitor water use in people’s homes. The company wasn’t named in court filings, but it also produces smart electric and gas readers.
Either Flanagan wasn’t very good at what he did, or there was something to his claims that he was a victim of infighting at the company. Either way, he got fired. His last day was November 16, 2013. And like so many disgruntled ex-employee stories tend to go, within months, a number of municipalities along the US east coast began to experience “problems”.
The first such was when the water district in Kennebec, Maine found it couldn’t connect to what’s called a Tower Gateway Base station (TGB). The way the technology works: a TGB is mounted on a pole and receives radio signals from residential water meters. That allows for the district to bill a customer without having to send a meter reader into their home.
Flanagan had installed that particular TGB in June 2013. Nobody checked the device logs in time, so the IP address of the intruder was lost. Nobody could figure out who messed with the Kennebec TGB.
But then came another attack on that same TGB in March 2014. Flanagan was the attacker in that one: his IP address gave him away. He got in by using the default root password.
This is where IoT security gets head-desk-bangingly feeble: when the company – called Company A in court filings – installed TGBs, they shipped with a “not particularly complicated” default password. Sure, customers were supposed to change the default password, but of course they didn’t always do that. Count the Kennebec Water District in that group.
Flanagan hit Kennebec again in April, again using that default password. Once in, he changed the radio frequency and disabled the tower. He circled back to the Kennebec tower again on May 4. This time, he changed the default password.
Gosh, that would have been a security-strengthening move – one that should have, of course, been done from the start… by an employee, not a disgruntled ex-employee who chose to change the default password to “f*ckyou”.
With the help of an IP address that belonged to Flanagan’s WiMax modem, the FBI began chatting with the ex-radio frequency field engineer on September 4, 2015. He was away from home, so FBI agents met him at the airport. Here’s an excerpt of how the chat went down, from the government’s plea memorandum:
FBI Special Agent Andrew Pelczar: All right. So from your home computer you would dial in…
Flanagan: Well I worked from home. So I would…
Pelczar: So you were always there.
Flanagan: It was always there… so I had… It was on my computer so when they let me go. It was still there.
Pelczar: I mean I have had other cases like this and what will happen guys will have a couple of beers…
FBI Special Agent Darin Murphy: That’s…
Pelczar: Get a little loose.
Flanagan: Pretty much.
Pelczar: You got pissed and had a couple.
Flanagan: Pretty much yeah.
The agents and Flanagan ultimately agreed on a few other things, such as Flanagan not being a master hacker.
Flanagan: I am not at all a master hacker.
Murphy: But that’s why we are here, because you look on paper and here’s somebody who’s…
Pelczar: You have skills…
Murphy: Methodically logging in…
Flanagan: Not really. No I don’t.
Pelczar: On paper you do.
Flanagan: That’s not. That’s absolutely not true.
Pelczar: So. All right.
Flanagan: I’m an RF guy. I know rudimentary… ah… logon. A couple of VI scripts. I knew the entrance screen was to do a VI. You know you can do a VI and it gave you a welcome message. So a couple of times I changed the root welcome message to say ‘Ha. Ha’.
Flanagan changed the welcome message to a few other things, but his memory is, understandably, a bit foggy, given that he was admittedly a little angry and under the influence. Maybe he changed it to “like obscenities or something,” maybe ASCII pictures. Maybe a pirate picture. “Um.”
The lessons to be learned: change default passwords. Revoke access rights when you fire somebody. Like, instantly.
And if you’re really intent on being one of those disgruntled, nightmare, “FU” types of ex-employees, remember that leaving your public IP address all over your cyber-vandalism like a bunch of greasy fingerprints will get you a personal thank-you from the FBI.
After all, that’s just the kind of thing that makes their jobs easy!