More than 100 smart-irrigation systems deployed across the globe were installed without changing the factory’s default, passwordless setting, leaving them vulnerable to malicious attacks, according to recent findings from Israeli security research firm Security Joes.
The researchers immediately alerted CERT Israel, the affected companies and the irrigation system vendor,
Mottech Water Management, which did not immediately respond to a request for comment from Threatpost.
Mottech’s system allows for real-time control and monitoring of irrigation for both agricultural and turf/landscaping installations, via desktop and mobile phone. Sensor networks allow for the flexible and real-time allocation of water and fertilizer to different valves in the system. Access to the network could result in an attacker being able to flood fields or over-deliver fertilizer, for instance.
Security Joes regularly scans for Israeli open devices on the internet to check for vulnerabilities, the firm’s co-founder Ido Naor told Threatpost. Recently, its researchers discovered that 55 irrigation systems within Israel were visible on the open internet without password protections. After expanding their search, they found 50 others scattered around the world in countries including France, South Korea, Switzerland and the U.S.
“We’re talking about full-fledged irrigation systems, they could be entire cities,” Naor said. “We don’t look closely at what’s behind the address, because we don’t want to cause any trouble.”
Naor said that at last check, only about 20 percent of the identified vulnerable irrigation devices have had mitigation efforts taken to protect them so far.
threatpost.com
