Cybersecurity researchers from Ben-Gurion University of the Negev (BGU) have found the potential for a distributed attack against urban water services. They cite the use of a botnet that could attack smart irrigation systems.
A botnet is a large network of computers and devices that are controlled by a command and control server without their owners' knowledge.
The researchers analyzed smart irrigation systems and found many vulnerabilities that could allow hackers to turn the water systems on and off. The potential hack was tested on three widely sold systems.
"By simultaneously applying a distributed attack that exploits such vulnerabilities, a botnet of 1,355 smart irrigation systems can empty an urban water tower in an hour and a botnet of 23,866 smart irrigation systems can empty a water reservoir overnight," Nassi says. "We have notified the companies to alert them of the security gaps so they can upgrade their smart system's irrigation system's firmware. Municipalities and local government entities have adopted new green technology using IoT smart irrigation systems to replace traditional sprinkler systems, and they don't have the same critical infrastructure security standards."
The researchers have shown how the new attack against water systems can operate without having to physically infect the system. The attack can be applied with a botnet of smart systems, eliminating the need for physical interference of any kind. The team demonstrated a bot running on a compromised device that can connect to the smart irrigation system, which is in turn connected to a LAN. The bot can then turn on the watering system via hijacking and replay attacks.
"Although the current generation of IoT devices is being used to regulate water and electricity obtained from critical infrastructures, such as the smart-grid and urban water services, they contain serious security vulnerabilities and will soon become primary targets for attackers," says Nassi, who is also a Ph.D. student of Prof. Yuval Elovici's in BGU's Department of Software and Information Systems Engineering and a researcher at the BGU Cyber Security Research Center. Elovici is the Center's director as well as the director of Telekom Innovation Labs at BGU.
The paper is currently published on the Cornell University website.