[SMART CITY] Hackers Could Cause Havoc By Pwning Internet-Connected Irrigation Systems

Researchers at the University of Israel have carried out a study in which they highlight the possibility that attackers may compromise a city’s water supply. This piracy would not target critical infrastructures such as water treatment plants or water towers, but rather isolated devices whose piracy can nevertheless prove to be formidable: connected automatic watering. The researchers conducted their study on several connected sprinklers models such as the GreenIQ, Rainmachine and BlueSpray, all of which are connected to the Internet. They noticed that the GreenIQ and BlueSpray devices connect to their servers using unencrypted HTTP connections. Thus, an attacker who has compromised a computer on the same network as the GreenIQ device can intercept commands via a Man InThe Middle attack. In the case of the RainMachine model, the researchers discovered that they could falsify the weather forecasts that the server sends. For example, attackers may send erroneous data indicating that the weather is hot, which would encourage automatic watering to operate regularly. These vulnerabilities would thus allow attackers to remotely activate automatic sprinklers to drain water or cause overflows, for example. Nevertheless, criminals should take control of a large number of automatic sprinklers in order to create overflows. According to researchers’ calculations, to empty an average water tower, the attackers would need a botnet of 1,355 sprinklers.