, Over 100 irrigation systems left exposed online without a password

Image: Michael Bourgault

More than 100 smart irrigation systems were left exposed online without a password last month, allowing anyone to access and tamper with water irrigation programs for crops, tree plantations, cities, and building complexes.

The exposed irrigation systems were discovered by Security Joes, a small boutique security firm based in Israel.

All were running ICC PRO, a top-shelf smart irrigation system designed by Motorola for use with agricultural, turf, and landscape management.

Security Joes co-founder Ido Naor told ZDNet last month that companies and city officials had installed ICC PRO systems without changing default factory settings, which don’t include a password for the default account.

Naor says the systems could be easily identified online with the help of IoT search engines like Shodan.

Once attackers locate an internet-accessible ICC PRO system, Naor says all they have to do is type in the default admin username and press Enter to access a smart irrigation control panel.

Here, Naor says attackers can pause or stop watering events, change settings, control the water quantity and pressure delivered to pumps, or lock irrigation systems by deleting users.

, Over 100 irrigation systems left exposed online without a password
, Over 100 irrigation systems left exposed online without a password
, Over 100 irrigation systems left exposed online without a password

More than 100 ICC PRO irrigation systems were left exposed online without a password last month when Naor first spotted this issue.

The security researcher said that more than half of the exposed systems were located across Israel, with the rest being spread across the entire globe.

Naor notified CERT Israel last month, which then contacted the affected companies, the vendor (Motorola), and also shared the findings with other CERT teams in other countries.

The exposure started getting better last week. Naor credited Motorola with this development after the company sent a letter to customers about the dangers of leaving irrigation systems exposed online.

As a result of these notifications, the number of internet-accessible ICC PRO instances started going down to 94 last week and to 78 today, as companies started putting their irrigation systems behind firewalls or on private networks.

However, while the situation improved, a large chunk of the systems that are still exposed online today still don’t have a password set up for the default account.

Not related to the April cyberattacks

Naor’s findings come after earlier this year the Israeli government said that Iranian hackers breached water management systems across Israel and tried to alter water levels. Luckily, the breached systems managed only agricultural pumps, most likely linked to irrigation systems.

Following these intrusions, the Israeli cyber-security agency INCD sent out a nationwide alert asking water supply and water treatment facilities to change passwords for their web-based management systems.

Naor said the irrigation systems he discovered last month were not linked to this April’s incidents.

“These systems were found by our monitoring rules that search for open administrative panels in Israel,” Naor told ZDNet.

“Security Joes are constantly on the lookout for emerging threats, trying to be one step ahead of the attackers. One of our missions is to search for administrative interfaces in-the-wild to ensure their resilience to drive-by attackers. We urge organizations and security firms to do the same,” he added.

A 2018 research paperA 2018 research paper, authored by an Israeli research team, argued that water irrigation systems could be targeted with botnet-like coordinated attacks to create water shortages in a certain area by emptying water reserves.