
Over 100 Irrigation Systems Left Exposed Online Without a Password (zdnet.com) 29

More than 100 smart irrigation systems were left exposed online without a password last month, allowing anyone to access and tamper with water irrigation programs for crops, tree plantations, cities, and building complexes. From a report: The exposed irrigation systems were discovered by Security Joes, a small boutique security firm based in Israel. All were running ICC PRO, a top-shelf smart irrigation system designed by Motorola for use with agricultural, turf, and landscape management. Security Joes co-founder Ido Naor told ZDNet last month that companies and city officials had installed ICC PRO systems without changing default factory settings, which don't include a password for the default account. Naor says the systems could be easily identified online with the help of IoT search engines like Shodan. Once attackers locate an internet-accessible ICC PRO system, Naor says all they have to do is type in the default admin username and press Enter to access a smart irrigation control panel. Here, Naor says attackers can pause or stop watering events, change settings, control the water quantity and pressure delivered to pumps, or lock irrigation systems by deleting users.
  • by Midnight_Falcon ( 2432802 ) on Monday October 26, 2020 @01:21PM (#60651098)
    What is up with these small security firms that run scans of the internet, and convince some journalist to write up what they find?

    When I was a teenage hacker in the 90s, we used to find all kinds of servers with default or no passwords -- such as mail servers for universities, etc. Not much has changed in 20+ years of the internet.

    I think most security people know you'd expect to find results like this just doing scanning of internet IPs, and I'm not sure what a surprise it is that yet another IoT etc. device is exposed to the internet. Join the club.

    • by Striek ( 1811980 ) on Monday October 26, 2020 @02:00PM (#60651218)

      What is up with these small security firms that run scans of the internet, and convince some journalist to write up what they find?

      It's free publicity, plain and simple.

    • When I was a teenage hacker in the 90s ...

      This isn't the 1990s. Online threats today are more common and more serious.

      People are stupid. So products should not ship with default passwords or should require a password reset during the installation process.

    • by Miser ( 36591 )

      In the old days, that's how I solved my access drought in the early 90's.

      Local Telenet/SprintNet dialup (X.25) had some open hosts that let you telnet anywhere. Used that for a few years until I was able to secure more reliable access.

      You didn't dare share it with anyone for fear of it being abused, discovered, and the hole "plugged."

      Those were the days. ;)

      -Miser

  • "attackers can pause or stop watering events, change settings, control the water quantity and pressure delivered to pumps, or lock irrigation systems by deleting users."

    Obviously they'd start the irrigation full on Friday evening, after everyone's gone home and flood the neighborhood.

    • by PPH ( 736903 )

      Start irrigation just before a cold snap. And turn the sidewalks and streets into skating rinks.

      • Start irrigation just before a cold snap. And turn the sidewalks and streets into skating rinks.

        If you haven't blown out and winterized the watering system before freezing season then you deserve what you get.

        • by NFN_NLN ( 633283 )

          1. Don't winterize your irrigation system
          2. Leave it open to the internet so hackers can destroy it
          3. ???
          4. Get a new taxpayer-funded irrigation system

          I think step 3 involves "cost plus", "no bid contracts" and possibly "Hunter B."

    • Obviously they'd start the irrigation full on Friday evening, after everyone's gone home and flood the neighborhood.

      Friend of mine was arrested for irrigating a wall on Friday evening after a bit too much to drink, so this can have serious consequences.

  • Just write a script that shuts the gates, people notice instantly when the water stops flowing. Most farmers check at least once a day to see if they are getting their fair share of water. Keep shutting the gates until they implement more secure protocols.

    • Since I didn't lock my door at my house then I deserve, no, obligated to have my stuff stolen.

      • Since I didn't lock my door at my house then I deserve, no, obligated to have my stuff stolen.

        When you don't lock your door you're pretty much risking only you, your family, and your possessions. When the people responsible for these systems didn't lock their doors, they exposed people beyond their families to the possibility of significant hardship. And by 'people responsible', I mean both the purchasers who didn't set new passwords, and the manufacturer who allowed the equipment to function without the default password first being changed.

    • There are surely a dozen simple solutions. If only there weren't hundreds of ways for employees to be lazy, overworked, shortsighted, stupid, arrogant, mismanaged, and/or incompetent.

      • I've worked with water districts before, I'm pretty sure the top two employee characteristics are incompetent and lazy

  • Using a medium sized bowl, mix 3 cups global connectivity with 3 cups mundane tasks, blending to a smooth consistency. Stir in 3 teaspoons clueless end users. Voila - hilarity.
  • I wonder if they gave those manufacturers a heads up first that they were going to publish this.
    Well, that is irresponsible of Security Joes from Israel if they did not attempt proper disclosure.

    • RTFA "Naor notified CERT Israel last month, which then contacted the affected companies, the vendor (Motorola), and also shared the findings with other CERT teams in other countries."

      Really sloppy summary too.

  • What is this, 1990? In this day and age, all devices with a password system should have a randomly generated password for each device, and that password should be printed on a sticker applied to the bottom of the device.

  • Is 100 a lot? (Score:4, Informative)

    by fph il quozientatore ( 971015 ) on Monday October 26, 2020 @02:35PM (#60651380)
    Is 100 a lot? That seems like a ridiculously low amount, to me. If the world's IoT security problem amounts to 100 unpatched irrigation systems, it feels like we are in a good spot.
  • ... an irrigation system into an irritation system?

    • Every cloud has a silver lining, but only the networked kind gives golden showers. In other words, their security was piss poor.
  • The Netherlands (EU) have computer-controlled flood gates. Ooops... I shouldn't give anyone ideas...