What Is “Google Dorking,” and How Did It Help an Iranian Hacker Compromise a U.S. Dam?

87131447
An empty control room JUST WAITING TO BE HACKED.

On Thursday, a New York grand jury brought hacking charges against seven Iranian men who allegedly carried out large-scale cyberattacks on 46 U.S. financial institutions. The government says the hackers worked for two tech companies that were contracting with the Iranian government to carry out state-sponsored attacks from late 2011 to mid-2013. It’s a big case for the Department of Justice as it is. But one of the hackers was working on an additional project.

Beyond the group work, hacker Hamid Firoozi is also charged with gaining unauthorized access to the Bowman Avenue Dam in Rye Brook, New York. Firoozi certainly had to hack into the dam system—he didn’t just walk in through the front door—but he targeted the dam because he discovered that it had a vulnerability he could exploit. And how did he find the dam? The same way anybody finds anything these days: He Googled it.

Search engine algorithms index everything they can find, and if you know the right way to query them, you can surface a lot of information that wouldn’t normally come up in a “how tall is Chris Rock”-type search. When you’re using Google’s advanced search functions, it’s called “Google dorking,” and it’s been around for more than 10 years. (You can also dork on Bing or other search engines.)

Not all dorking is bad. The approach can be used by anyone—for example, to search one site for a particular keyword or type of file. Security experts use dorking to check whether organizations have inadvertently published data or information that could leave them vulnerable to attack. Not surprisingly, then, hackers know about dorking, too.

In July 2014, the Department of Homeland Security and FBI jointly released a warning about Google dorking. “By searching for specific file types and keywords, malicious cyber actors can locate information such as usernames and passwords, e-mail lists, sensitive documents, bank account details, and website vulnerabilities,” the agencies wrote. They added that “freely available online tools can run automated scans using multiple dork queries.”

Sources close to the DOJ investigation told the Wall Street Journal over the weekend that Firoozi used dorking to find an unguarded computer on the Bowman Avenue Dam’s network. With that as his goal, he hacked the network to gain access to it. The indictment notes that the computer he was after controlled the dam’s sluice gates, but they had been taken offline for maintenance. If the gates had been functioning normally, Firoozi could have done serious damage to the dam.

Infrastructure systems like the Bowman Avenue Dam often use a type of remote monitoring system called Supervisory Control and Data Acquisition, or SCADA. These types of systems are used in critical infrastructure because they are robust, stable, and reliable—important qualities for any vital system that can’t casually go offline for updates or maintenance. The problem, though, is that many SCADA systems are proprietary and don’t have robust security or a built-in ability to easily patch vulnerabilities. “Often they do not feature mechanisms to avoid unauthorized access or to cope with the evolving security threats originating from external or internal networks,” Remote magazine wrote in 2014.

For years, SCADA vulnerabilities have been enabling attacks on critical infrastructure like Firoozi’s attack on the dam. Industrial security company Tofino Security calls it “a serious security crisis” and explains, “Many of these products are decades old and were never designed with security in mind.” Between Google dorking and infrastructure’s digital weaknesses, bad actors can browse targets and choose the easiest ones to hit before investing time and resources in devising and executing an actual hack.

U.S. Attorney Preet Bharara said in a statement about the Iranian hackers that “Confronting these types of cyber-attacks cannot be the job of just law enforcement. The charges announced today should serve as a wake-up call for everyone responsible for the security of our financial markets and for guarding our infrastructure. Our future security depends on heeding this call.”

It may sound a little dramatic, but if a hacker can Google Madonna’s favorite food and his next attack target in one sitting, we clearly have a problem.