The Oldsmar water treatment plant relied on a single shared password to protect the TeamViewer session that reached the SCADA workstation. Anyone who obtained that password could view live sensor readings and change chemical setpoints directly. CISA advisory AA21-042A later confirmed that the remote connection required no additional factor and accepted the same credentials used by regular operators.

How a Shared Password Opened the Plant

The facility kept TeamViewer installed on the same Windows machine used for daily chemical dosing adjustments. Multiple staff members knew the password and could reuse it from any location. Once the attacker supplied the correct string, the session granted full mouse and keyboard control over the operator interface. No device check, hardware token, or second prompt existed to distinguish the connection from a legitimate one.

The intruder remained active for roughly five hours, raising the sodium hydroxide feed to 11,100 parts per million before an on-site operator noticed the live setpoint change and reversed it. The workstation treated the password as sufficient proof for full operational access.

Why a Single Credential Was Enough

TeamViewer in this setup acted as an always-on remote desktop that performed only one authentication step. The password traveled in clear text over an internet-exposed port and could be guessed, reused, or observed. Once accepted, the session carried identical privileges to any local operator with no further verification required.

Even a time-based OTP or push notification would not have stopped this attack. Those factors can be intercepted or obtained through the same channel that delivered the password. However, a device-bound credential tied to specific hardware would have required the attacker to possess the enrolled machine itself, which is not possible without physical presence. But more about that later.

The absence of any second factor meant the initial access phase succeeded with a single weak credential. No later stage of the attack required fresh authentication because the remote session already granted full workstation control.

Direct Operational Impact With No Intermediate Controls

Raising lye levels to the observed concentration would have produced water far outside normal drinking standards. The operator who spotted the anomaly acted within minutes, yet the margin for error was measured in keystrokes rather than layered checks. The plant later removed TeamViewer from the SCADA workstation and restricted remote access methods.

This incident shows how critical infrastructure environments still rely on remote tools that authenticate only once and then hand over the same rights granted to trusted staff. When that single check is weak or shared, the attacker effectively becomes the operator for the duration of the session.
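As an added example (not code from the page, the plant, or TeamViewer), here is one of the layered checks the text says was missing: an independent setpoint guard that holds out-of-band writes for a second approver and records whether the write arrived over a remote session instead of the local console. The tag name, engineering limits, session labels and starting values are constructed assumptions; only the 11,100 ppm figure comes from the text.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed engineering limits (assumptions, not the plant's real configuration):
# the band a sodium hydroxide feed setpoint may legitimately occupy, and the largest
# single-step change accepted without a second approver.
NAOH_PPM_RANGE = (0.0, 500.0)
NAOH_MAX_STEP_PPM = 50.0
LOCAL_CONSOLE = "console"  # the on-site HMI; any other session label is remote desktop


@dataclass(frozen=True)
class SetpointChange:
    tag: str          # SCADA tag being written (constructed name)
    old_value: float  # value before the write, in ppm
    new_value: float  # requested value, in ppm
    session: str      # origin of the write: LOCAL_CONSOLE or a remote session id


def evaluate(change: SetpointChange) -> Tuple[bool, str]:
    """Return (allowed, reason). A write that leaves the engineering range or jumps
    further than NAOH_MAX_STEP_PPM is held for a second approver rather than applied;
    if it came over a remote session, the reason records that origin for the alert."""
    lo, hi = NAOH_PPM_RANGE
    step = abs(change.new_value - change.old_value)
    reasons = []
    if not lo <= change.new_value <= hi:
        reasons.append(f"{change.new_value:g} ppm is outside {lo:g}-{hi:g} ppm")
    if step > NAOH_MAX_STEP_PPM:
        reasons.append(f"step of {step:g} ppm exceeds {NAOH_MAX_STEP_PPM:g} ppm")
    if reasons and change.session != LOCAL_CONSOLE:
        reasons.append(f"requested over remote session {change.session}")
    return (not reasons, "; ".join(reasons))


def held_changes(changes: List[SetpointChange]) -> List[Tuple[SetpointChange, str]]:
    """Run the guard over a batch of writes and return those held for approval."""
    held = []
    for change in changes:
        allowed, reason = evaluate(change)
        if not allowed:
            held.append((change, reason))
    return held


# Constructed sample writes: two routine dosing adjustments (one from the console,
# one over remote desktop) and the jump to 11,100 ppm described in the text.
SAMPLE_WRITES = [
    SetpointChange("NAOH_FEED_SP", 100.0, 110.0, LOCAL_CONSOLE),
    SetpointChange("NAOH_FEED_SP", 110.0, 100.0, "teamviewer-remote-1"),
    SetpointChange("NAOH_FEED_SP", 100.0, 11100.0, "teamviewer-remote-2"),
]

if __name__ == "__main__":
    for change, reason in held_changes(SAMPLE_WRITES):
        print(f"HELD {change.tag} {change.old_value:g}->{change.new_value:g}: {reason}")
```

Routine remote adjustments still pass, so the guard does not block legitimate remote work; it only interposes a second decision on writes that the process limits say no operator should make in one keystroke.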

The full technical breakdown of what actually works is at mfa2point0.com.

FAQ

Could any form of legacy MFA have blocked the Oldsmar TeamViewer access?

No. The workstation accepted remote connections after a single password check. Standard OTP or push methods would still have relied on a factor that travels over the same exposed channel and can be captured or reused.

What exactly did the attacker reach once inside?

They reached the live operator workstation that controlled chemical dosing, pump speeds, and alarm thresholds. The session carried the same permissions used by on-site staff during normal operations.

Did the breach involve stolen tokens or later lateral movement?

No. The attacker never needed to steal session cookies or SAML assertions. Direct remote desktop access with the shared password was sufficient to reach the control interface.

How long did the unauthorized session last?

CISA reporting indicates roughly five hours of active interaction before the operator on duty noticed the altered setpoints and reversed them.

What changed after the incident?

The plant removed the exposed TeamViewer installation from the SCADA workstation and limited remote access methods, confirming that the prior configuration had relied solely on a weak shared password for operational control.