Ben-Gurion University of the Negev (BGU) cybersecurity researchers warn of a potential distributed attack against urban water services that uses a botnet of smart irrigation systems that water simultaneously. A botnet is a large network of computers or devices controlled by a command-and-control server without the owner’s knowledge.
Researchers analyzed and found vulnerabilities in a number of successful commercial smart irrigation systems, including GreenIQ, BlueSpray, and RainMachine, which all enable attackers to remotely turn watering systems on and off at will.
“By simultaneously applying a distributed attack that exploits such vulnerabilities, a botnet of 1,355 smart irrigation systems can empty an urban water tower in an hour and a botnet of 23,866 smart irrigation systems can empty flood water reservoir overnight,” researcher Ben Nassi said. “We have notified the companies to alert them of the security gaps so they can upgrade their smart system’s irrigation system’s firmware.”
In the study, the researchers present a new attack against urban water services that doesn’t require infecting its physical cyber systems. Instead, the attack can be applied using a botnet of smart irrigation regulation systems at urban water services that are much easier to attack. Water production and delivery systems are part of a nation’s critical infrastructure and generally are secured to prevent attackers from infecting their systems.
The researchers demonstrated how a bot running on a compromised device can (1) detect a smart irrigation system connected to its LAN in less than 15 minutes, and (2) turn on watering via each smart irrigation system using a set of session hijacking and replay attacks.