
Smart Sprinklers Are Also Part of the IoT: And They’re Vulnerable

Ionut ILASCU

August 27, 2018


Modern homes have adopted a wide variety of Internet-of-Things products to regulate various resources, such as water or electricity. Vulnerabilities in these devices could spell disaster for the regular user, who can incur increased costs and potentially contribute to wasting the city’s supplies.

But consumer IoT devices are not confined to the home.

A research paper published this month presents a distributed attack model aimed at smart irrigation systems that automate watering of gardens or lawns. Researchers at Ben Gurion University analyzed three smart sprinklers and found vulnerabilities that let an attacker control the water flow.

After studying how GreenIQ and BlueSpray smart sprinklers work, the researchers observed that their connection to the cloud server was not encrypted. This allows an attacker on the same network to intercept the traffic and alter commands to the irrigation system, in what is called a man-in-the-middle attack.

Getting on the local network is far from difficult; the researchers posit that an attacker could rent botnet services to create a network of infected devices that search for smart sprinklers on their network. “If no connected smart irrigation systems are found, the bot destroys itself in order to cover its tracks,” adds the research paper.

The Rainmachine smart sprinkler can adjust its watering operations automatically according to data received from the Norwegian Meteorological Institute weather forecast services. After looking into its firmware, the researchers were able to spoof the forecast information because the service delivered the information via an unencrypted connection.

Targets were detected on the local network by analyzing traffic for connections to the cloud service of any of the three irrigation systems. This was possible because the sprinkler manufacturers don’t make other IoT products, so a connection to one of those cloud services indicates a sprinkler. The entire process took 15 minutes from the moment the compromised devices initiated the search.

The researchers say that attacking automated consumer watering systems could impact a city’s water supply. According to their calculations, a botnet of 1,355 sprinklers could empty a standard water tower in less than an hour; 23,866 working for six hours would empty a small flood water reservoir.

However, the impact falls on the consumer rather than on the water company, which uses control mechanisms to measure and regulate the flow specifically to make sure its supplies don’t dry up.

GreenIQ sprinklers now encrypt communication with the cloud server, and the SSH port that an attacker could use to run malicious code has been closed. The Norwegian Meteorological Institute also rolled out an upgrade that encrypts traffic with its clients.
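To confirm on your own network that irrigation controllers no longer reach their cloud or forecast services in cleartext, flow records from a network sensor can be audited. The following is an added example, not code from the research paper or from any vendor; the log format, IP addresses and hostnames are constructed placeholders.

```python
import csv
import io
from collections import defaultdict

# Constructed flow records (not from the paper): time, source IP, destination
# host, destination port, application protocol identified by the sensor.
SAMPLE_FLOWS = """\
2018-08-27T06:00:01,192.168.1.40,cloud.sprinkler-vendor.example,80,http
2018-08-27T06:00:05,192.168.1.40,forecast.weather.example,80,http
2018-08-27T06:00:09,192.168.1.41,cloud.sprinkler-vendor.example,443,tls
2018-08-27T06:01:12,192.168.1.41,forecast.weather.example,443,tls
2018-08-27T06:02:30,192.168.1.42,cloud.sprinkler-vendor.example,8080,http
2018-08-27T06:03:00,192.168.1.50,news.site.example,80,http
2018-08-27T06:04:00,192.168.1.43,cloud.sprinkler-vendor.example,443,http
this line is malformed and must be skipped
"""

# Hypothetical hostnames: replace with the endpoints your controllers use.
WATCHED_HOSTS = {"cloud.sprinkler-vendor.example", "forecast.weather.example"}


def cleartext_findings(flow_text, watched_hosts=WATCHED_HOSTS):
    """Map each device IP to the sorted (host, port) pairs it reached without TLS."""
    findings = defaultdict(set)
    for row in csv.reader(io.StringIO(flow_text)):
        fields = [f.strip() for f in row]
        if len(fields) != 5 or not fields[3].isdigit():
            continue  # skip malformed records instead of failing the audit
        _ts, src, host, port, proto = fields
        host = host.lower()
        if host not in watched_hosts:
            continue  # unrelated traffic is out of scope for this check
        # Judge by detected protocol, not port: plaintext on 443 is still plaintext.
        if proto.lower() != "tls":
            findings[src].add((host, int(port)))
    return {ip: sorted(pairs) for ip, pairs in findings.items()}


if __name__ == "__main__":
    for ip, pairs in sorted(cleartext_findings(SAMPLE_FLOWS).items()):
        for host, port in pairs:
            print(f"{ip} sends cleartext to {host}:{port}")
```

Any device this reports is still exposed to the interception and forecast spoofing described above and should be updated or isolated.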

Image credit: Ben Gurion University
