Smart Sprinklers Aren’t Safe From Cyber Attacks
Smart Sprinklers Aren’t Safe From Cyber Attacks
August 9, 2018
Motherboard – Companies who use smart irrigation systems could fall prey to hackers, warn Ben-Gurion University of the Negev cyber security researchers.
In the new academic study, researchers tested three of the most widely used smart irrigation systems. As a result, they found that hackers could turn on the systems remotely and attempt to drain water.
These attacks are innovative, the researchers say, not because of the techniques, but because they don’t rely on targeting a city’s critical infrastructure itself, which is (or should be) protected against hackers. Instead, it attacks weak Internet of Things (IoT) devices connected to that infrastructure.
“It’s an indirect attack,” says Ben Nassi, a BGU Ph.D. student and the main author of the study, “because it uses IoT devices that are much easier to hack and attack.”
Nassi and his colleagues focused on GreenIQ, RainMachine and BlueSpray, which are all internet-connected irrigation controllers. They theorized that hackers could attack them by first taking control of a botnet of computers, then they would scan the network to find out whether any of those smart irrigation systems are connected.
In GreenIQ, the researchers were able to demonstrate an attack that turned on watering by spoofing configurations sent from the GreenIQ’s cloud server. On the RainMachine, they caused the system to schedule watering by creating fake data sent from a weather forecast service. In BlueSpray, they used a reply attack to change water scheduling.
GreenIQ and BlueSpray devices connect to their servers using unencrypted HTTP connections. This means that an attacker who has compromised a computer in the same network as the GreenIQ device can just intercept the commands and replace them in a classic man-in-the-middle attack.
In the case of the RainMachine, the researchers found that they could spoof the weather forecast that the server sends to the RainMachine, tricking it into believing the weather is hot and arid and thus triggering it to irrigate. This attack also relies on the lack of HTTP encryption between the server and the RainMachine weather API.
It’s unclear how dangerous these attacks can really be outside of an academic scenario, but they do demonstrate that the proliferation of IoT devices – many of which are insecure – can have unintended security implications.
Read more on the Motherboard website >>
Stories Like This
