New cyberattacks against urban water services possible, warn researchers

August 9, 2018, American Associates, Ben-Gurion University of the Negev

Ben-Gurion University of the Negev (BGU) cyber security researchers warn of a potential distributed attack against urban water services that uses a botnet of smart irrigation systems that water simultaneously. A botnet is a large network of computers or devices controlled by a command and control server without the owner's knowledge.

Ben Nassi, a researcher at Cyber@BGU, will be presenting "Attacking Smart Irrigation Systems" in Las Vegas at the prestigious Def Con 26 Conference in the IoT Village on August 11.

The researchers analyzed a number of commercial smart irrigation systems and found vulnerabilities that enable attackers to remotely turn watering systems on and off at will. They tested three of the most widely sold smart irrigation systems: GreenIQ, BlueSpray, and RainMachine.

"By simultaneously applying a distributed attack that exploits such vulnerabilities, a botnet of 1,355 smart irrigation systems can empty an urban tower in an hour and a botnet of 23,866 smart irrigation systems can empty flood water reservoir overnight," Nassi says. "We have notified the companies to alert them of the security gaps so they can upgrade their smart system's irrigation system's firmware."

Water production and delivery systems are part of a nation's critical infrastructure and generally are secured to prevent attackers from infecting their systems. "However, municipalities and local government entities have adopted new green technology using IoT smart irrigation systems to replace traditional sprinkler systems, and they don't have the same critical infrastructure security standards."

In the study, the researchers present a new attack against urban water services that doesn't require infecting its physical cyber systems. Instead, the attack can be applied using a botnet of smart irrigation regulation systems at urban water services that are much easier to attack.

The researchers demonstrated how a bot running on a compromised device can (1) detect a smart irrigation system connected to its LAN in less than 15 minutes, and (2) turn on watering via each smart irrigation system using a set of session hijacking and replay attacks.

"Although the current generation of IoT devices is being used to regulate water and electricity obtained from critical infrastructures, such as the smart-grid and urban water services, they contain serious security vulnerabilities and will soon become primary targets for attackers," says Nassi, who is also a Ph.D. student of Prof. Yuval Elovici in BGU's Department of Software and Information Systems Engineering and a researcher at the BGU Cyber Security Research Center. Elovici is the Center's director as well as the director of Telekom Innovation Labs at BGU.

The research team also included Ph.D. student Yair Meidan supervised by Dr. Asaf Shabtai, as well as two interns, Moshe Sror and Ido Lavi.

Previous research focused on a new method to detect illicit drone video-filming.
