Page 1043 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
passwords because they are unaware of the risks. Many end users
benefit from security training to educate them.
It’s also important to change default passwords. While IT
professionals know this for computers, this knowledge hasn’t extended
well to embedded systems. An embedded system is any device that has a
dedicated function and includes a computing system to perform that
function. As an example, consider an embedded system that operates a
network and collects data from customers’ water meters. If the default
password isn’t changed, anyone who knows the password can log in
and cause problems.
Dangers of Failing to Change Default Password
Adam Flanagan was sentenced to jail for attacking and damaging
IT networks of several water utility providers. He was fired on
November 16, 2013, and later pleaded guilty to six attacks that
occurred between March 1, 2014, and May 19, 2014.
These attacks prevented the water utility providers in at least six
cities from connecting to water meters remotely. He also changed
passwords on some systems to obscenities. Court documents
indicate that he attacked systems that he installed.
Flanagan later admitted to FBI agents that he used telnet to log
onto remote systems from his home computer. While court
documents aren’t clear, it appears that the embedded systems were
running Linux, and the organization used the same password for
the root account when installing systems. In several attacks,
investigators discovered that he had logged in using the default
root password of the remote system.
He pleaded guilty on March 7, 2017, and was sentenced to a year and
one day in prison on June 14, 2017. This is just one of many
examples. Many are making their way through the court system,
and the final results may not be known for a year or more.
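The two weaknesses in this case, one root password reused across installed systems and credentials left unchanged after an employee's departure, can be checked from an inventory of each device's root entry in /etc/shadow. The following audit is an added example, not part of the study guide; the device names, hashes, and the `audit` and `parse_root_entry` helpers are constructed for illustration, and the cutoff date reuses the termination date from the case above.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample: root line of /etc/shadow as collected from each device.
SAMPLE_SHADOW = {
    "meter-gw-01": "root:$6$Qx1saltA$HASHAAAA:15900:0:99999:7:::",
    "meter-gw-02": "root:$6$Qx1saltA$HASHAAAA:15900:0:99999:7:::",
    "meter-gw-03": "root:$6$Zk9saltB$HASHBBBB:16200:0:99999:7:::",
    "meter-gw-04": "root:!:16200:0:99999:7:::",
}

def parse_root_entry(line):
    """Return (hash_field, last_change_date) from one shadow(5) line."""
    fields = line.strip().split(":")
    if len(fields) < 3 or fields[0] != "root":
        raise ValueError("not a root shadow entry")
    # Field 3 is the last password change, in days since 1970-01-01.
    changed = date(1970, 1, 1) + timedelta(days=int(fields[2])) if fields[2] else None
    return fields[1], changed

def audit(shadow_by_device, offboarding_date):
    """Flag shared root credentials and passwords older than a departure."""
    by_hash, findings = defaultdict(list), defaultdict(list)
    for device, line in sorted(shadow_by_device.items()):
        pw_hash, changed = parse_root_entry(line)
        if pw_hash == "":
            findings[device].append("root has no password")
            continue
        if pw_hash[0] in "!*":
            continue  # password login for root is locked
        by_hash[pw_hash].append(device)
        if changed is None or changed <= offboarding_date:
            findings[device].append("root password not changed since offboarding")
    # An identical hash field means same salt and same password, which is
    # what a cloned install image with an unchanged default looks like.
    for devices in by_hash.values():
        if len(devices) > 1:
            for device in devices:
                findings[device].append(
                    "root hash shared with %d other device(s)" % (len(devices) - 1))
    return dict(findings)

if __name__ == "__main__":
    for device, issues in audit(SAMPLE_SHADOW, date(2013, 11, 16)).items():
        print(device, "->", "; ".join(issues))
```

Comparing hash fields only catches devices cloned from one image; the same password set by hand on each device gets a different salt and will not match, so the last-change date check is the one that covers that case.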

