Hackers wanting to sabotage the US power grid or other critical infrastructure can do so with a simple Internet search, primarily because some critical systems are outdated and lack even password protection, an NBC News investigation has found.
The shocking findings mean that dams, traffic controls, stadiums and America’s electricity are in far greater peril than previously thought.
The weakness was underscored when it was discovered that Hamid Firoozi, an Iranian hacker working for the Islamic Revolution Guard Corps, was able to gain access to a dam in New York with a legal search engine, the network found. Firoozi has been charged with hacking the Bowman Avenue Dam in New York in 2013.
It is believed he and his fellow hackers were experimenting with the system to plan for something far bigger.
“This stuff has been happening undetected for years, and now this is one of the first times that it’s surfaced publicly,” former F.B.I. computer crime investigator Mike Bazzel said. “We’re getting close to a threshold where something must be done. The more this type of activity becomes popular and well-known, it will get worse before it gets better.”
Private cybersecurity experts have been able to take control of traffic lights, police license plate reader networks and water plants.
Additionally, former Google cybersecurity expert Billy Rios found that control systems at a dozen major stadiums in the US were vulnerable to hackers – meaning they could create panic and stampedes in the venues.
So, how do the hackers do it? In a practice called Google dorking, hackers use Internet searches to find unsecured ports that can let them into critical infrastructure. The biggest problem is that much of the computer systems behind America’s infrastructure was built long ago, before cybersecurity was a need – and those systems are now going online.
Some of the infrastructure still contains the default username and password – such as “admin” and “admin.” And some of it has no password at all.
The water sector, which includes dams, tunnels, bridges and water supply systems, is one of the most vulnerable to hacking.
Experts estimate that around 6.4 billion devices will be connected to the Internet by the end of this year. By 2020, 21 billion devices could be connected.
Last month, Apple CEO Tim Cook said a simple iPhone could be used to hack and shut down the electric power grid.
“You have these big control systems that have a straight shot to the Internet – that’s the fundamental security flaw,” security researcher Tod Beardsley told NBC.
Some of the current cybercrime laws actually make it illegal for the good guys, or white-hat hackers, to search for and expose security flaws.
“Fear of civil or criminal prosecution under these vague laws can have a chilling effect on the kind of services we could provide,” security researcher Joshua Corman told NBC.
Do you believe America is prepared for a major cyberattack? Share your thoughts in the section below: