SoylentNews is people
SoylentNews
Ben-Gurion University of the Negev (BGU) cyber security researchers warn of a potential distributed attack against urban water services that uses a botnet of smart irrigation systems that water simultaneously.
The researchers analyzed and found vulnerabilities in a number of commercial smart irrigation systems, which enable attackers to remotely turn watering systems on and off at will. They tested three of the most widely sold smart irrigation systems: GreenIQ, BlueSpray, and RainMachine smart irrigation systems.
“By simultaneously applying a distributed attack that exploits such vulnerabilities, a botnet of 1,355 smart irrigation systems can empty an urban water tower in an hour and a botnet of 23,866 smart irrigation systems can empty flood water reservoir overnight,” Ben Nassi, a researcher at Cyber@BGU, says. “We have notified the companies to alert them of the security gaps so they can upgrade their smart system’s irrigation system’s firmware.”
Water production and delivery systems are part of a nation’s critical infrastructure and generally are secured to prevent attackers from infecting their systems. “However, municipalities and local government entities have adopted new green technology using IoT smart irrigation systems to replace traditional sprinkler systems, and they don’t have the same critical infrastructure security standards.”
In the study, the researchers present a new attack against urban water services that doesn’t require infecting its physical cyber systems. Instead, the attack can be applied using a botnet of smart irrigation regulation systems at urban water services that are much easier to attack.
The researchers demonstrated how a bot running on a compromised device can detect a smart irrigation system connected to its LAN in less than 15 minutes, and turn on watering via each smart irrigation system using a set of session hijacking and replay attacks.
(Score: 2) by Gaaark on Friday August 10 2018, @09:08PM
Whenever there is a flooding situation, just botnet all the sprinklers in the area and drain the flooded area: problem solved.
...
...
...
Right?
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2, Redundant) by requerdanos on Friday August 10 2018, @09:11PM (9 children)
Okay. Here's what happened.
Some security researchers found a way to send commands to so-called "smart" irrigation systems to turn them on or off. So far so good.
Not so fast. A "botnet" is a "network of bots." My reading of the story is that this is just a bunch of dumb sprinklers that the manufacturers call "smart" because the word is trendy as applied to the Internet of Things.
As such, these aren't bots; they don't do anything but turn on and turn off relays or solenoids when someone remotely sends a "turn thyself on" or "turn thyself off" command. So "magic botnets" don't empty water towers and reservoirs, single attackers do, by sending commands to lots of sprinklers to "turn on".
It would coincidentally be possible for a botnet to be programmed to send "turn on" signals to water sprinklers, but that doesn't appear to be in any way what's happening here.
(Score: 2) by Snow on Friday August 10 2018, @10:17PM (1 child)
The botnet is a cloud of IoT devices using swarm technology and machine learning to revolutionize token-based security systems secured using blockchain technology.
Wait, are you saying it's just a light-switch for water. I like my line better.
(Score: 0) by Anonymous Coward on Saturday August 11 2018, @12:15AM
Me too. Where do I invest?
(Score: 2) by DeathMonkey on Friday August 10 2018, @11:23PM (2 children)
Well, obviously you own the sprinkler controllers, not the sprinklers. And the effect of any given controller is minimal but when you get a swarm of them going something happens. So I think it's a fair comparison.
Magic botnets don't DDOS, either, it's just a bunch of individual dumb noise programs turning themselves on and off at the command of a single attacker.
(Score: 2) by requerdanos on Saturday August 11 2018, @04:28AM (1 child)
Now you went and made me go read TFA.
On the one hand,
On the other hand,
("A compromised device" is not a "physical cyber system" in their universe.) So they pwn an unrelated device on the LAN, and install software that responds to commands--a bot--on it that scans for sprinklers and replays their "turn on spray" commands.
I respectfully disagree; without that component of installing the agent software that responds to the commands of the exploiter (the "bot"), then there's no botnet, just relays. Relays aren't botnets. It appears that there are also bots (that don't run on any part of the irrigation systems) such that there is a many-to-one relationship between sprinklers and bots.
Since there is one (or possibly more) bot per LAN full of sprinklers, the article's claims of "botnet of 1,355 smart irrigation systems" and "botnet of 23,866 smart irrigation systems" display a pretty tenuous connection with numbers in reality.
If you say so. Sometimes they mine $WHATEVER_COINS, more to the benefit of the local electric utility than to the exploiter.
(Score: 2) by maxwell demon on Saturday August 11 2018, @06:21AM
What they obviously mean is: It's not necessary to hack into the systems that directly control the water supply to drain it, hacking the irrigation systems suffices.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Saturday August 11 2018, @03:36AM (3 children)
It's called a reduced instruction set competition (RISC). Possibly you've heard about it. All the Cool Kids™ use it and all the others aspire to. Just because these bots don't have complex behavioural patterns like the recent Dota champions doesn't mean they don't pack a punch. Just you wait until your water tap keeps going and going and going and going and going and going and going...
It's gonna be glorious. And very Murrican. Like in California, where they water their front "lawns" and fill their pools while farms are struggling to keep a crop and desertification is creeping in like it's the fucking Sahara. Let the stupid bots win!
USA! USA! USA!
(Score: 2) by requerdanos on Saturday August 11 2018, @04:13AM
One of the instructions is "Spray water" and the other is "Don't spray water". That's pretty reduced all right.
(Score: 2) by realDonaldTrump on Saturday August 11 2018, @04:34AM (1 child)
California wildfires are being magnified & made SO MUCH WORSE by the bad environmental laws which aren't allowing massive amount of readily available water to be properly utilized. It is being diverted into the Pacific Ocean. Must also TREE CLEAR to stop fire spreading!!!!
(Score: 2) by istartedi on Saturday August 11 2018, @07:49AM
The Pacific Ocean is highly flammable. If we didn't release that water the whole thing would go up. As it is, we can barely keep the Ring of Fire around the edge from smoldering, and sometimes it starts burning right in the middle, like in Hawaii. We need to keep that water coming to control the fires in the Pacific.
Appended to the end of comments you post. Max: 120 chars.
(Score: -1, Troll) by Anonymous Coward on Saturday August 11 2018, @12:19AM (3 children)
Wow! jew cyber security researchers researched something that was obvious to everyone.
Next time the khazar filth will research water and find that it is wet.
Real research is beyond them so they do bogus research. Real art is beyond them so they scribble lines (like a toddler) and call it abstract art.
You just need to observe them for a while to see the rot inside.
(Score: 1, Touché) by Anonymous Coward on Saturday August 11 2018, @01:37AM
Tone it down; you're overselling it. They'll start to catch on.
(Score: 0) by Anonymous Coward on Saturday August 11 2018, @03:40AM
Sounds like an awesome line of action figures. I want two, please.
(Score: 0, Troll) by Ethanol-fueled on Saturday August 11 2018, @04:11AM
Now this is finally something I can agree with the Jews with.
O' please activate as many North American systems as you can at once!
(Score: 2) by darkfeline on Tuesday August 14 2018, @04:28AM
I think the researchers are being awfully optimistic here. They're not considering the effect of poor software quality at all.
Do you honestly think you can just hack into tens of thousands of smart irrigation systems and turn them on? When half of them are going to dump core if you look at them funny, and the rest are going to brick because they were in a middle of an HTTP GET update process that should not be interrupted under any circumstances?
They would be better off hacking into the manufacturer and pushing a stability patch OTA first.
Join the SDF Public Access UNIX System today!