Internet-connected irrigation systems suffer
from security gaps that could be exploited by attackers aiming, for example, to
deplete a city’s water reserves, researchers warn.

Security researchers have warned of a
potential attack that – using a “piping botnet” of
internet-connected irrigation systems that water simultaneously – could impact
a city’s water system to the point of actually draining its reserves.

A team of six academics from Ben-Gurion
University of the Negev, Israel, identified and analyzed security flaws in the
firmware of several commercial irrigation systems that are connected to the
internet. They focused on three commonly sold smart irrigation systems –
GreenIQ, BlueSpray, and RainMachine – and found that they suffer from
vulnerabilities that enable attackers to remotely turn watering systems on and
off at will.

Some devices were found to be prone to man-in-the-middle
(MitM) attacks, while others can be tricked into initiating the watering
process by manipulating their sensors or spoofing weather data.

In essence, the attack would leverage
poorly secured Internet-of-Things (IoT) devices that are connected to a
city’s critical infrastructure. Compared to infecting the physical
cyber-systems of urban water services directly, however, undertaking the attack
through an “army” of internet-connected irrigation controllers is much easier,
noted the researchers.

“[W]hile previous attacks against critical
infrastructure required the attacker to compromise the systems of critical
infrastructure, we present an attack against critical infrastructure that does
not necessitate compromising the infrastructure itself and is done indirectly
by attacking client infrastructure that is not under the control of the
critical infrastructure provider,” reads the paper.

“Municipalities and local government entities
have adopted new green technology using IoT smart irrigation systems to replace
traditional sprinkler systems, and they don’t have the same critical
infrastructure security standards,” wrote the researchers, who revealed their findings
in a paper called “Piping Botnet – Turning Green Technology into a Water Disaster”.
Their research was also presented at the Def Con 26 Conference in Las Vegas
earlier this month and summed up in a video.

“By simultaneously applying a distributed
attack that exploits such vulnerabilities, a botnet of 1,355 smart irrigation
systems can empty an urban water tower in an hour and a botnet of 23,866 smart
irrigation systems can empty a flood water reservoir overnight,” one of the
researchers, Ben Nassi, is quoted
as saying on the university’s website.

The attack would first involve
taking control of a botnet of computers with an eye to detecting smart
irrigation systems on local networks.

“The researchers demonstrated how a bot running
on a compromised device can (1) detect a smart irrigation system connected to
its LAN in less than 15 minutes, and (2) turn on watering via each smart
irrigation system using a set of session hijacking and replay attacks,”
according to the press release.

The researchers said that they have disclosed
the vulnerabilities to the vendors so they can upgrade the firmware.