Edition ZDNet reports that the specialists of a small Israeli information security company Security Joes discovered that “smart” irrigation systems are freely available online, which they forgot to protect with passwords. As a result, anyone can get access to them and interfere in their work, causing a failure in the irrigation of crops, tree plantations, cities and residential complexes.
All vulnerable irrigators used ICC PRO, an intelligent irrigation system developed by Motorola engineers for agricultural and landscape management applications. As it turned out, private companies and city authorities often install ICC PRO systems without changing the factory settings, and by default there is no password for the account.
The researchers say that finding such smart irrigation systems is not difficult with any IoT search engine, including Shodan. Then attackers only need to enter the default administrator login and press Enter, which guarantees them access to the irrigation control panel.
In the control panel, attackers can pause or stop irrigation altogether, change settings, control the amount of water and the pressure at which water is supplied to pumps, or completely block irrigation systems by removing all users.
According to Security Joes, more than 100 unsecured irrigation systems were available online, and most of them were located in Israel.
After discovering the problem, the experts immediately contacted the Israeli CERT, which, in turn, notified the affected companies, the supplier (Motorola), and also informed the CERT colleagues in other countries about the breach. As a result, the number of ICC PRO systems available via the Internet began to gradually decrease. So, at the beginning of this week, the number of freely available systems dropped to 78.
The researchers emphasize that this problem is not related to recent attacks on Israeli water systems.