SoylentNews is people
SoylentNews
Ben-Gurion University of the Negev (BGU) cyber security researchers warn of a potential distributed attack against urban water services that uses a botnet of smart irrigation systems that water simultaneously.
The researchers analyzed and found vulnerabilities in a number of commercial smart irrigation systems, which enable attackers to remotely turn watering systems on and off at will. They tested three of the most widely sold smart irrigation systems: GreenIQ, BlueSpray, and RainMachine smart irrigation systems.
“By simultaneously applying a distributed attack that exploits such vulnerabilities, a botnet of 1,355 smart irrigation systems can empty an urban water tower in an hour and a botnet of 23,866 smart irrigation systems can empty flood water reservoir overnight,” Ben Nassi, a researcher at Cyber@BGU, says. “We have notified the companies to alert them of the security gaps so they can upgrade their smart system’s irrigation system’s firmware.”
Water production and delivery systems are part of a nation’s critical infrastructure and generally are secured to prevent attackers from infecting their systems. “However, municipalities and local government entities have adopted new green technology using IoT smart irrigation systems to replace traditional sprinkler systems, and they don’t have the same critical infrastructure security standards.”
In the study, the researchers present a new attack against urban water services that doesn’t require infecting its physical cyber systems. Instead, the attack can be applied using a botnet of smart irrigation regulation systems at urban water services that are much easier to attack.
The researchers demonstrated how a bot running on a compromised device can detect a smart irrigation system connected to its LAN in less than 15 minutes, and turn on watering via each smart irrigation system using a set of session hijacking and replay attacks.
(Score: 2) by requerdanos on Saturday August 11 2018, @04:28AM (1 child)
Now you went and made me go read TFA.
On the one hand,
On the other hand,
("A compromised device" is not a "physical cyber system" in their universe.) So they pwn an unrelated device on the LAN, and install software that responds to commands--a bot--on it that scans for sprinklers and replays their "turn on spray" commands.
I respectfully disagree; without that component of installing the agent software that responds to the commands of the exploiter (the "bot"), then there's no botnet, just relays. Relays aren't botnets. It appears that there are also bots (that don't run on any part of the irrigation systems) such that there is a many-to-one relationship between sprinklers and bots.
Since there is one (or possibly more) bot per LAN full of sprinklers, the article's claims of "botnet of 1,355 smart irrigation systems" and "botnet of 23,866 smart irrigation systems" display a pretty tenuous connection with numbers in reality.
If you say so. Sometimes they mine $WHATEVER_COINS, more to the benefit of the local electric utility than to the exploiter.
(Score: 2) by maxwell demon on Saturday August 11 2018, @06:21AM
What they obviously mean is: It's not necessary to hack into the systems that directly control the water supply to drain it, hacking the irrigation systems suffices.
The Tao of math: The numbers you can count are not the real numbers.