Security researchers have discovered that more than 100 smart irrigation systems in Israel were accessible online, without any protection, not even a simple password.
While IoT also includes cool devices with fun commercial applications, the bulk of the hardware is invisible and integrated into various industries. Whether it's remote sensors or irrigation systems, it seems that the reputation for lousy security that IoT devices have garnered over time holds true across all sectors.
Researchers from Security Joes discovered that over 100 irrigation systems running a proprietary operating system named ICC PRO from Motorola were deployed with default credentials and no passwords. Unlike other cases, in which hackers exploited IoT hardware via vulnerabilities, this one was pure negligence. It turns out that whoever deployed the systems left them with factory settings, which means no passwords. Anyone could have logged in using the default user name.
It may not seem like a big deal, but the irrigation systems are in Israel, a geographical zone not known for its precipitation. Bad actors could have found the systems and dumped all the water, destroying crops and generating a potential food crisis or water shortage.
According to a ZDNet report, the researchers informed CERT Israel, which contacted the systems’ owners. Motorola sent a bulletin informing clients to set up credentials for the purchased hardware. Even so, a few dozen irrigation systems are still unsecured.
Not surprisingly, Israel has already had problems with cyberattacks on its water systems. A Ynet report from April revealed that hackers recently hit two water facilities in the Upper Galilee and the Judean headquarters, but the Water Authority said it didn't register any damage.
Because the water industry is so important in that area, it's likely that more attacks will be deployed in the future. And having a bunch of unsecured irrigation systems is not healthy from a cybersecurity point of view.