A small Israel-based security firm, Security Joes, recently spotted a vulnerability in smart irrigation systems. These included around 100 systems that were exposed to the internet allowing anyone to meddle with the settings.
Specifically, what made them vulnerable was a complete lack of a password that exposed the systems wide open to abuse.
According to Ido Naor, cofounder Security Joes, the vulnerable systems appeared online after the city officials installed them without changing default settings. All of these systems were running the ICC PRO, Motorola’s irrigation system for large-scale use, including agriculture, large turfs, and landscape management.
All the vulnerable systems were available on IoT search engines like Shodan. Thus, an adversary merely needed to enter the default username ‘admin’ to enter the settings panel of a target system.
After that, it became possible to alter watering schedule, change water pressure, modify other settings or even lock the systems by removing the users.
Upon discovering the systems, half of which were located in Israel, the researchers informed the CERT Israel. Eventually, CERT Israel alerted the respective vendors and contacted other CERT teams globally to inform them of the vulnerability.
According to Naor, Motorola alerted their customers about the matter. Consequently, the number of exposed irrigation systems started to lower down. However, still, a considerable number of systems await a fix.
This recent incidence of exposed irrigation systems is simply a reminder that merely connecting things to the internet doesn’t make them smart. In fact, without appropriate IoT security measures, it’s pretty unsmart to scale up installations to smart technology.
Therefore, whether it’s about installing smart devices for personal use, or for large-scale set ups, users must always make sure they double check the security settings. In case of any ambiguity, it’s wise to reach out to the vendor for guidance, or consult a cybersecurity expert.