The Internet of Things’ “security through obscurity” has been proven once again to not be terribly secure thanks to an angry and possibly inebriated ex-employee. Adam Flanagan, a former radio frequency engineer for a company that manufactures remote meter reading equipment for utilities, was convicted on June 15 in Philadelphia after pleading guilty to two counts of “unauthorized access to a protected computer and thereby recklessly causing damage.” Flanagan admitted that after being fired by his employer, he used information about systems he had worked on to disable meter reading equipment at several water utilities. In at least one case, Flanagan also changed the default password to an obscenity.
Flanagan’s employer was not named in court documents. According to a plea agreement filing, Flanagan worked on a team that installed tower gateway base stations (TGBs)—communications hubs mounted on poles distributed across a utility’s service area to communicate with smart meters. His work was apparently not up to his former employer’s standards, however. In March of 2013, he received a poor annual performance review and was placed on a “performance improvement plan.” He failed to meet expectations and was terminated in November of 2013.
Over the next few months, TGBs that Flanagan’s employer had installed for a number of municipal water departments “developed problems,” the Justice Department’s sentencing memo stated. In December of 2013, employees of the water authority in Kennebec, Maine, found they couldn’t connect to the utility’s TGBs. This was a system Flanagan had installed, but the problems could not be directly attributed to him because the logs for the system weren’t checked until February of 2014. By then, data from December had already been purged.