As part of his work at the SafetyDetective Research Lab, Israeli hacker and activist Noam Rotem has recently uncovered a major security breach in the system of JDECo, the Jerusalem District Electricity Company.
Established in 1956, the company provides power to tens of thousands of customers in Jerusalem, Bethlehem, Ramallah, and Jericho. Private households and local businesses make up a large percentage of the company’s customer base.
From the JDECo Facebook page
Sensitive Data Exposed
As the JDECo system was fully exposed, the hacker was able to easily gain access to customer data – from full names, addresses, and telephone numbers, to photos of ID cards and other private information.
The database contained tens of thousands of ID cards:
In addition to this personal data, it was also very easy to find information regarding bills, payment history, power malfunctions, service calls, and so on.
Here, we can see a list of open service calls.
The system is hosted on the Israel Electric Company IP range:
Anyone Can Be an Admin
Security measures on the servers were so poor, the hacker was even able to obtain admin access.
Some of the admin files do not check for permissions or any kind of authentication, meaning they could be accessed and opened by anyone, no username or password necessary.
Specifically, the file adduser.aspx allows adding new users and granting them admin permissions.
Once this file was accessed, all the hacker had to do was fill out this form to create a new user:
Once the user was created and titled “Admin,” full access to the system was granted. In addition to customer billing info and payment history, a user with admin permissions can view employee information, devices, and much more.
With admin access come full editing permissions, so employees could be added and deleted, and all their personal information could be viewed and modified.
As for customer information, the billing status of accounts could be changed, and debts could be “cleared” with a click of a mouse.
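The flaw described above is a page that performs a privileged action without ever asking who is calling it. The following is an added illustration, not JDECo's code or part of the original article: a small Python router that models the exposed-page pattern beside a hardened version in which authorization is enforced centrally and any page registered without an access rule is refused rather than served. The route path, the session store and the user records are constructed for this example.

```python
"""Deny-by-default authorization gate for privileged web handlers.

Added example (not JDECo's code): models an admin page such as the
adduser page described above being reachable without authentication,
and the fix, a central gate that refuses every request unless the route
explicitly declares who may call it. Route names, sessions and the user
store are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Hypothetical session lookup: token -> (username, role). Constructed data.
SESSIONS = {
    "tok-alice": ("alice", "admin"),
    "tok-bob": ("bob", "clerk"),
}

# Constructed user store: username -> role.
USERS: Dict[str, str] = {"alice": "admin", "bob": "clerk"}


@dataclass
class Request:
    path: str
    form: Dict[str, str] = field(default_factory=dict)
    session_token: Optional[str] = None

    @property
    def user(self) -> Optional[Tuple[str, str]]:
        """Resolve the session token to (username, role), or None if anonymous."""
        return SESSIONS.get(self.session_token)


def add_user_handler(req: Request) -> Tuple[int, str]:
    """The privileged operation: create an account with the requested role."""
    name, role = req.form.get("username", ""), req.form.get("role", "")
    if not name or role not in ("admin", "clerk"):
        return 400, "bad request"
    USERS[name] = role
    return 200, f"created {name} as {role}"


Handler = Callable[[Request], Tuple[int, str]]


class App:
    """Router that applies authorization centrally instead of per page."""

    def __init__(self, deny_by_default: bool = True):
        self.deny_by_default = deny_by_default
        self.routes: Dict[str, Tuple[Handler, Optional[str]]] = {}

    def route(self, path: str, handler: Handler,
              required_role: Optional[str] = None) -> None:
        self.routes[path] = (handler, required_role)

    def dispatch(self, req: Request) -> Tuple[int, str]:
        if req.path not in self.routes:
            return 404, "not found"
        handler, required_role = self.routes[req.path]
        if required_role is None:
            if self.deny_by_default:
                # A page registered with no access rule is refused, so a
                # forgotten check becomes an outage, not an exposure.
                return 403, "no access rule for this page"
            return handler(req)  # the exposed-page behaviour
        user = req.user
        if user is None:
            return 401, "authentication required"
        if user[1] != required_role:
            return 403, "forbidden"
        return handler(req)


def vulnerable_app() -> App:
    """Pattern from the article: the admin page has no access rule at all."""
    app = App(deny_by_default=False)
    app.route("/admin/adduser.aspx", add_user_handler)
    return app


def hardened_app() -> App:
    """Fixed pattern: the same page, reachable only by an authenticated admin."""
    app = App(deny_by_default=True)
    app.route("/admin/adduser.aspx", add_user_handler, required_role="admin")
    return app


if __name__ == "__main__":
    anon = Request("/admin/adduser.aspx", {"username": "newadmin", "role": "admin"})
    print("exposed app, anonymous:", vulnerable_app().dispatch(anon))
    print("hardened app, anonymous:", hardened_app().dispatch(anon))
```

The point of the design is where the check lives: in the hardened router a page cannot be reached without an access rule, so the mistake the article describes (a privileged page that simply never checks) is caught by the framework rather than depending on every page author remembering to add a check. In ASP.NET the equivalent is to deny anonymous users for the admin directory in the site configuration and to verify the caller's role again in the page itself.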
When attending to power malfunctions and other issues, company employees sometimes take photos of meters. Those were accessible as well:
As were photos of specific malfunctions.
Ethical Hacking in the Middle East
In the midst of this region of conflict, an Israeli hacker – the same one who warned us all about Bibi’s bots – immediately reached out to JDECo, a company supplying power to 30% of the households in the West Bank and East Jerusalem, to alert them of the severe security breach in their system.
In this day and age, ethical hacking has the power to bridge between communities.
Our security experts were happy to provide guidance and information on how to fix all the problems. We suggested securing the web server, migrating to a proper MVC architecture, reviewing all scripts, implementing proper protocols, using a proper API key, and performing regular security checks.
We’re glad to report that JDECo took our suggestions to heart and resolved most security issues.
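One of the regular checks suggested above can be a review of the web server's own access logs for privileged pages that were served successfully to a client the server never authenticated. The script below is an added example, not part of the original article or of JDECo's systems: it parses IIS W3C extended log lines using their `#Fields:` header and flags 2xx responses for paths under an assumed `/admin/` prefix where the `cs-username` field is `-`, which is how IIS records an anonymous request. The log lines are constructed for this example.

```python
"""Flag unauthenticated hits on privileged pages in IIS W3C access logs.

Added example, not part of the original article. Field names follow the
IIS W3C extended format; cs-username is "-" for anonymous requests. The
sample log and the /admin/ prefix are constructed assumptions.
"""
from typing import Dict, Iterable, List

# Constructed sample log; the addresses are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2019-03-02 10:14:01 10.0.0.5 GET /admin/adduser.aspx - 443 - 203.0.113.7 200
2019-03-02 10:14:09 10.0.0.5 POST /admin/adduser.aspx - 443 - 203.0.113.7 200
2019-03-02 10:15:22 10.0.0.5 GET /admin/users.aspx - 443 jdeco\\ops 198.51.100.4 200
2019-03-02 10:16:03 10.0.0.5 GET /admin/adduser.aspx - 443 - 203.0.113.9 302
2019-03-02 10:17:40 10.0.0.5 GET /bills/view.aspx id=1 443 - 203.0.113.7 200
"""

# Assumption for this example: administrative pages live under /admin/.
ADMIN_PREFIXES = ("/admin/",)


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields: names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the field list applies to lines that follow
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misattribute columns
        records.append(dict(zip(fields, values)))
    return records


def unauthenticated_admin_hits(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return records where an admin page was served (2xx) to an anonymous client.

    A 302 to the login page is the expected outcome for an anonymous
    request, so only successful responses are flagged.
    """
    hits = []
    for r in records:
        path = r.get("cs-uri-stem", "")
        status = r.get("sc-status", "")
        if (path.startswith(ADMIN_PREFIXES)
                and r.get("cs-username") == "-"
                and status.startswith("2")):
            hits.append(r)
    return hits


def summarize(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged requests per client IP to prioritise investigation."""
    counts: Dict[str, int] = {}
    for r in hits:
        counts[r["c-ip"]] = counts.get(r["c-ip"], 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG.splitlines())
    flagged = unauthenticated_admin_hits(recs)
    for r in flagged:
        print(r["date"], r["time"], r["cs-method"], r["cs-uri-stem"], r["c-ip"])
    print(summarize(flagged))
```

On the constructed sample the two successful anonymous requests to the adduser page are flagged while the redirected one and the authenticated staff request are not. A check like this only works if the server actually records `cs-username`, so confirming that the field is enabled in the site's logging configuration is part of the same review.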
SafetyDetective.com is the world’s largest antivirus review website. The Safety Detective research lab is a pro bono service that aims to help the online community defend itself against cyber threats, while educating organizations on protecting their users’ data.