Hackers Could Cause Havoc By Pwning Internet-Connected Irrigation Systems

Hackers could mess with a city’s water supplies without attacking its critical infrastructure directly, but instead targeting its weakest link: internet-connected sprinklers, researchers warn in a new academic study.

The researchers studied three different Internet of Things devices that help control irrigation and found flaws that would allow malicious hackers to turn them on remotely in an attempt to drain water. The attacks don’t rely on fancy hacking techniques or hard to find vulnerabilities, but to make a real, negative impact on a city’s water reserves, the hackers would need to take control of a lot of sprinklers. According to the researcher’s math, to empty an average water tower, hackers would need a botnet of 1,355 sprinklers; to empty a flood water reservoir, hackers would need a botnet of 23,866 sprinklers.

The researchers say their attacks are innovative not because of the techniques, but because they don’t rely on targeting a city’s critical infrastructure itself, which is (or should be) hardened against hackers. Instead, it attacks weak Internet of Things devices connected to that infrastructure.

It’s an “indirect attack,” Ben Nassi, a Ph.D student at Ben Gurion University and the main author of the study, told me in an email, “using IoT devices that are much easier to hack and attack.”

Nassi and his colleagues focused on the GreenIQ, Rainmachine, and BlueSpray, which are all internet-connected irrigation controllers. They theorized that hackers could attack them by first taking control of a botnet of computers, and then scanning it to find whether there’s any of those smart irrigation systems connected.

The researchers found that GreenIQ and BlueSpray devices connect to their servers using unencrypted HTTP connections. So an attacker who has compromised a computer in the same network as the GreenIQ device can just intercept the commands and replace them in a classic Man In The Middle attack.

In the case of the RainMachine, the researchers found that they could spoof the weather forecast that the server sends to the RainMachine, tricking it into believing the weather is hot and arid and thus triggering it to irrigate. This attack also relies on the lack of HTTPS encryption between the server and the RainMachine weather API, according to the researchers.

GreenIQ, Rainmachine, and BlueSpray did not respond to a request for comment. The researchers said that GreenIQ added encryption after they reported the issue.

It’s unclear how dangerous these attacks can really be outside of an academic scenario, but they do demonstrate that the proliferation of internet of things devices—many of which are insecure—can have unintended security implications.

Cesar Cerrudo, the chief technology officer at IOActive, and a security researcher who has studied smart cities, said that the attacks laid out by the Ben Gurion researchers are “not a cool hack,” because they rely on tried and tested techniques.

“These are just weak systems that are not externally exposed nor using wireless communications, then you need internal network access, non encrypted communications and other vulnerabilities to hack them,” Cerrudo told me in an email.

Robert Lee, the CEO of infrastructure security startup Dragos, told me that the impact of this attack is likely “hyped” because in the real world “a water company would see an increase flow and cut it off until they determined what was wrong—wouldn’t just let it drain all the water.”

In other words, yes, we need to think about internet of things security, and cool proof-of-concept hacks like this are instrumental in showing these weaknesses. But we aren’t likely to see a hacker draining a town’s water supply doing this anytime soon..

Solve Motherboard’s weekly, internet-themed crossword puzzle: Solve the Internet.