Hackers could use botnets to cause water shortages

News by Rene Millman

Vulnerabilities in smart irrigation systems could result in water consumption rocketing, with hackers potentially causing water shortages by taking over connected systems.

Hackers could cause water shortages by taking over smart irrigation systems, according to security researchers.

In a research paper, scientists from Ben-Gurion University of Negev said that hackers could make smart irrigation systems output much more water than necessary, leading to potential water shortages.

The researchers looked at smart irrigation systems from GreenIQ, BlueSpray, and RainMachine. They found that these systems had several vulnerabilities that could enable an attacker to empty public water supplies. Instead of infecting systems, a bot could be used to attack water supplies.

Rather than relying on weaknesses within a city’s critical infrastructure, the attack goes after internet of things devices that connect to critical infrastructure. Hackers could attack smart irrigation systems by taking control of a botnet then use this to scan for any smart irrigation systems connected.

The research found that hackers could turn on watering by using session hijacking and replay attacks against the smart irrigation systems.

"We model the damage that can be caused by performing such an attack and show that a standard water tower can be emptied in an hour using a botnet of 1,355 sprinklers and a flood water reservoir can be emptied overnight using a botnet of 23,866 sprinklers," said researchers.

Researchers said that a distributed attack launched from smart irrigation systems can be detected by deploying a model that monitors unusual water consumption in urban water services.
"However, even if such an attack can be detected by an urban watering service, its ability to react to such an attack is very limited. The only thing that an urban watering service can do when such an attack is detected is stop water distribution," said researchers.

They noted that this would only prevent an attacker from wasting any more water and also prevent people from obtaining water which is the aim of the attacker.

"Preventing people from obtaining a resource from critical infrastructure can even be considered a national disaster, as was the case in the cyber-attack against the Ukrainian power grid," said researchers. "Preventing a bot from impersonating a party that a smart irrigation system interfaces with can be done by upgrading HTTP communication to HTTPS communication."

Researchers added that doing so would prevent the attacker from spoofing TCP packets. "In addition, SSH communication is not needed in order to communicate with a smart irrigation system when a cloud serves as a mediator, so disabling SSH communication will prevent attackers from executing a code on smart irrigation systems by detecting weak passwords."

The research scientists said that the proposed IoT botnet can also be used to attack other types of critical infrastructure as well, such as attacking a smart grid that uses smart homes to produce electricity to implement a DoS attack on power distribution services (another critical infrastructure) in a neighbourhood, as opposed to performing an attack directly on the regional electricity company.

The researchers said they had disclosed their findings to GreenIQ, RainMachine, and BlueSpray in June of this year and received confirmation of them.

James Lyne, head of research and development at SANS Institute told SC Media UK that the issues being reported by this research are somewhat classic in the IoT space, including poorly secured APIs, trust boundaries, openness to older attacks like spoofing.

"To truly achieve better security and resilience of these devices requires vendors to make more fundamental changes to their products, enhancing their processes and software to prevent such attacks. As we have learned with other connected device manufacturers, this can take time (if not met with outright resistance) and therefore many users will need to rely on isolation as a security strategy in the interim. By limiting the connectivity of said devices to prevent attackers being able to reach them the risk can be controlled, but fundamentally the devices will need to be updated," he said.

In emailed comments to SC Media UK on the report, Martin Jartelius, CSO of Outpost24, noted: "The security within the components is generally sub par at its best, and in many cases very poor. Due to a priority on availability and integrity, confidentiality is a low priority. But also integrity often get down-prioritised in favour of availability, with backdoors, insecure implementations and in many cases, poorly implemented or non existent authentication and authorisation for administration and changes. The most common solution to the problem is isolation - using VPN for administration, enforce encryption and use signed updates. Those devices do not belong on guest networks, networks with clients or other servers, or – worst of all sins – on the internet."

He also added that: "A very common issue is that many of those systems are deployed and forgotten," but also observed that, "...most systems also run leak detection and if a section of the water supply is draining, the segments affected may get shutoff completely, at least in countries with a matured secure infrastructure."

Avishay Zawoznik, security researcher at Imperva, said: "The threat described in the research assumes the existence of a botnet of high wattage IoT devices, which hasn’t been proven to be found in the wild yet. Nevertheless, the "MadIoT" idea might become a tangible threat in the near future.

"There’s no doubt that the insecurity of IoTs should be addressed properly. In light of these findings, it’s interesting to see how this is not only a concern for the IoT device owners or sites who might be DDoSed by them, but also for power grids, thus making it a global concern. Hopefully, this research will be a wake-up call for protection against the security threats that IoTs are exposed to, and are exposing others to."

Jake Moore, security specialist at ESET, adds: "Businesses need to make training an even more integral part of the company culture as humans remain the focus in cyber-attacks. Trust is a difficult game in business but verifying could save the company a lot of pain and expense. 

"Power grids and water supplies will naturally always be a lucrative target to a hacker so they must endure even more immense defence mechanisms. However, reacting to and defending a botnet attack is unfortunately limited. These large companies can also make their communications more secure by utilising HTTPS which can help prevent spoofing."

Rene Millman recommends

Read more

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews