Piping Botnet - Turning Green Technology into a Water Disaster

08/06/2018 ∙ by Ben Nassi, et al. ∙ Ben-Gurion University of the Negev

Abstract

The current generation of IoT devices is being used by clients and consumers to regulate resources (such as water and electricity) obtained from critical infrastructure (such as urban water services and smart grids), creating a new attack vector against critical infrastructure. In this research we show that smart irrigation systems, a new type of green technology and IoT device aimed at saving water and money, can be used by attackers as a means of attacking urban water services. We present a distributed attack model that can be used by an attacker to attack urban water services using a botnet of commercial smart irrigation systems. Then, we show how a bot running on a compromised device in a LAN can: (1) detect a connected commercial smart irrigation system (RainMachine, BlueSpray, and GreenIQ) within 15 minutes by analyzing the LAN's behavior using a dedicated classification model, and (2) launch watering via a commercial smart irrigation system according to an attacker's wishes using spoofing and replay attacks. In addition, we model the damage that can be caused by performing such an attack and show that a standard water tower can be emptied in an hour using a botnet of 1,355 sprinklers and a flood water reservoir can be emptied overnight using a botnet of 23,866 sprinklers. Finally, we discuss countermeasure methods and hypothesize whether the next generation of plumbers will use Kali Linux instead of a monkey wrench.

1 Introduction

A variety of IoT devices are being deployed across cities around the world as part of the smart city trend. Hundreds of cities in Europe, Asia, Australia, America, and even Africa, have already adopted smart city technologies and use them to obtain information that helps them manage assets and resources efficiently [1, 2]. IoT devices are currently used by consumers and clients to regulate and monitor resources obtained from critical infrastructure including energy, water, etc. The interface between an IoT device with Internet connectivity (which is located on the consumer side) and the cyber-physical system (CPS) of critical infrastructure (which is located on the provider side) necessitates that all of the connected links between the two meet the most rigorous security standards. Cyber attacks targeted at critical infrastructure may result in urban disaster, as happened in the cyber attack against Ukraine’s power grid which left 700,000 people without electricity for several hours [3]. In order to prevent attackers from attacking the networks and physical systems of critical infrastructure, various steps are taken to secure these systems, including: (1) buying equipment, hardware, and systems from trusted parties, (2) deploying a security solution such as an IDS/IPS, and (3) physically disconnecting the networks from the Internet (air-gapping). While critical infrastructures minimize every possible attack vector against themselves, IoT devices with Internet connectivity that are located on the consumer side (e.g., in smart homes, smart cities, etc.) and used to regulate a resource obtained from the critical infrastructure remain the weakest link in this interface. Such IoT devices have created a new attack vector against critical infrastructure and will soon become a prime target for attackers.

In this paper, we show how critical infrastructure that adheres to very strict security standards can be attacked indirectly using a botnet of IoT devices with Internet connectivity. We demonstrate how an attacker can exploit IoT devices, which are deployed across a smart city and used to regulate a resource obtained via the CPS of critical infrastructure, as a means of attacking the critical infrastructure. To make our discussion about this type of attack more concrete, we focus on a new type of IoT device: smart irrigation systems. Considered a green technology, smart irrigation systems are a good target for analysis because: (1) they have already been adopted by smart cities (e.g., Barcelona [4]), agriculture, and the private sector around the world, (2) they regulate water flow for watering and irrigation, a resource which is provided by urban water services (critical infrastructure), and (3) they are considered a key actor in the smart water grid revolution, because they are aimed at automating water irrigation in order to save water and will soon replace most traditional irrigation systems.

First, we present a distributed attack model that can be used by an attacker to attack urban water services using a botnet of commercial smart irrigation systems (Section 4). Then we show how a bot running on a compromised device in a LAN can: (1) detect a connected commercial smart irrigation system (RainMachine [5], BlueSpray [6], and GreenIQ [7]) within 15 minutes by analyzing the LAN’s traffic using a dedicated classification model (Section 6), and (2) launch watering via a commercial smart irrigation system according to an attacker’s wishes using spoofing and replay attacks (Sections 7 and 8). In addition, we model the damage that can be caused by performing such an attack (Section 9) and show that a standard water tower can be emptied in an hour using a botnet of 1,355 sprinklers and a flood water reservoir can be emptied overnight using a botnet of 23,866 sprinklers. We also discuss countermeasure methods.

In this research, we make the following contributions: (1) while previous attacks against critical infrastructure required the attacker to compromise the systems of the critical infrastructure itself, we present an attack against critical infrastructure that does not necessitate compromising the infrastructure and is carried out indirectly by attacking client infrastructure that is not under the control of the critical infrastructure provider. In addition, we show that a bot running on a compromised device can (2) detect a smart irrigation system connected to its LAN in less than 15 minutes, and (3) launch watering via the smart irrigation system using various methods.

2 Related Work

In this section we describe related work on attacks against critical infrastructure and provide an overview of DDoS attacks using IoT devices. Critical infrastructure has been defined by the European Commission as an "asset or system which is essential for the maintenance of vital societal functions" [8]. The Department of Homeland Security identifies 16 sectors as critical infrastructure including water/wastewater systems, energy, nuclear reactors, chemical, dams, emergency services, etc. [9]. Some of these sectors provide 24/7 services, while others regulate continuous real-time processes using dedicated cyber-physical systems such as controllers, sensors, etc. Definitions mentioned in the literature for a CPS include a networked/distributed control system (NCS/DCS), sensor actuator network (SAN), wireless industrial sensor network (WISN), industrial control system (ICS), and supervisory control and data acquisition (SCADA) networks [10]. In the remainder of this article we will refer to such systems as CPSs.

The interest of adversaries in attacking a CPS of critical infrastructure began three and a half decades ago. The first known cyber attack was launched in 1982 by intruders who planted a Trojan in the SCADA system that controls the Siberian pipeline and caused an explosion equivalent to three kilotons of TNT [11]. In recent years there has been a significant increase in the number of cyber attacks against critical infrastructure [12] which can even result in death [11]. Two famous cyber attacks against critical infrastructure that were launched during the last 10 years and resulted in a large amount of damage are the cyber attack against Ukraine’s power grid which left 700,000 people without electricity for several hours [3], and Stuxnet which was targeted at Iran’s nuclear plant and caused a large number of centrifuges to be taken offline [13].

Air-gapping (isolating the networks from the Internet) is typically applied to systems of critical infrastructures in order to prevent attackers from compromising CPSs via the Internet. Air-gapping requires the attackers to physically compromise the critical infrastructure in order to attack it. However, motivated attackers use various attack vectors to compromise critical infrastructures using: (1) supply chain attacks [14], (2) innocent or malicious insiders, and (3) social engineering. Many methods [15, 16] to detect and mitigate cyber attacks against the CPSs of critical infrastructure have been suggested over the years, and security tools such as IDSs/IPSs are used for this purpose. Recently, several studies raised concerns regarding the cyber security of existing and future critical infrastructure (e.g., the smart grid) [17, 18, 19, 20], while other studies have specifically discussed using IoT devices as an attack vector to disrupt the operation of critical infrastructure [21, 22, 23, 24].

DDoS attacks are DoS attacks that are usually launched from a group of compromised devices (a botnet); each device (bot) in the botnet is infected with a malicious agent. A wide range of studies have been published on this subject, demonstrating different types of DDoS attacks [25] and related detection [26] and defense [27] techniques. DDoS attacks are considered one of the major threats and most challenging problems of today’s cyber security world [28]. In this overview we focus specifically on distributed attacks that rely on IoT devices as bots or targets. The earliest known IoT botnet is Linux/Hydra [29, 30], which was released in 2008 and specifically aimed at routing devices based on the MIPS architecture [30]. Since 2008, many types of IoT botnets have appeared in the wild [30]. Probably the most famous IoT botnet is Mirai, which turned a large number of IP cameras running the Linux OS into remotely controlled bots that were used to launch a massive DDoS attack in 2016 [31, 32]. Variants of the Mirai botnet were found to be used in attacks against different targets during 2017 [32].

Fig. 1: Smart irrigation systems regulate watering by consuming water from the urban water service and interface with various sensors, weather forecast services, C&C devices, and dedicated cloud servers.

Usually, IoT botnets exploit vulnerabilities in operating systems and protocols in order to compromise devices and launch their attack [30]. Recently new kinds of DDoS attacks have been introduced. A recent study [33] described a TDoS (telephony denial of service) attack against 911 emergency services in which many calls to the service were triggered simultaneously. The TV was used twice as a means of launching a distributed attack on smart assistants’ servers, intentionally via a Burger King advertisement [34] and accidentally via a daily news program [35]. In both cases, a voice command that was produced from the TV triggered many smart assistants to launch a large number of requests to their servers at the same time.

To the best of our knowledge, we are the first to (1) present a distributed attack against critical infrastructure that does not require compromising its systems, and (2) create a botnet that uses smart irrigation systems connected to the Internet as means of attacking critical infrastructure.

3 Smart Irrigation Systems

Smart irrigation systems refer to advanced irrigation systems that incorporate various sensors and network components for better efficiency [36]. Smart irrigation systems, a new type of green technology and IoT device, are equipped with Internet connectivity that facilitates communication with sensors, weather forecast services, C&C devices, and dedicated cloud servers. The prime motive behind the advent of smart irrigation systems is to enhance the overall water efficiency of irrigation systems, with minimal user effort. Internet connectivity is designed to provide remote access capabilities via any device (mobile, personal computer, etc.) and automatic adjustment of water consumption based on data that is retrieved from weather forecast services, without any manual interaction.

Smart irrigation systems use Internet connectivity for various operations (e.g., automatic watering regulation, remote C&C, etc.). Most smart irrigation systems provide Wi-Fi communication via an integrated NIC; however, there are some smart irrigation systems that provide GSM communication via a GSM dongle with a SIM card (as can be seen in Shodan’s results for a search on the word "BlueSpray", https://www.shodan.io/search?query=bluespray). Smart irrigation systems are physically connected to a set of valves that are connected to the main water line on one end and to pipelines/sprinklers on the other end. The valves are controlled by the smart irrigation system and used to adjust the water flow from the main water line to sprinklers and droppers. The valves that smart irrigation systems can control independently are called zones, and the number of zones varies from 4 to 24 in most typical systems.

Smart irrigation systems were first introduced in 2013, and in the next few years they will replace most traditional irrigation systems around the world because (1) they are inexpensive (their price starts at $100) and designed to save money and water, (2) they provide a convenient remote HMI for C&C via smartphones, smart assistants, and computers, in contrast to traditional irrigation systems which have a dedicated display, and (3) they monitor water consumption and present the watering history. In addition to all of the abovementioned reasons, smart irrigation systems will replace traditional irrigation systems, because they were identified by [37, 38, 39] as a key actor in the future smart water grid architecture, which is referred to as a real-time two-way network equipped with sensors and devices for continuous and remote monitoring of the water distribution system [40].

Smart irrigation systems are designed to support the following functionality: (1) provide remote HMI communication (for purposes of scheduling a watering plan, presenting the watering history, etc.) over the Internet to C&C devices (using a dedicated application for smartphones, a Web user interface for browsers, and a voice interface for smart assistants), (2) monitor water consumption, and (3) automatically adapt the watering plan according to data that is obtained from weather forecast services (e.g., precipitation forecast for the next few days) and sensors (e.g., obtain information regarding soil moisture).

Fig. 2: The adversarial attack model.

Figure 1 outlines the entire smart irrigation system ecosystem. As can be seen in Figure 1, smart irrigation systems typically interface with the following entities:

1) Weather Forecast Service - There are many weather forecast services on the Internet [41, 42, 43, 44, 45, 46, 47] that provide a REST API in which a request that contains the location of the desired weather forecast is sent from a client and followed by a response from the weather forecast service that contains the weather forecast (temperature, humidity, wind direction, wind speed, pressure, cloudiness, etc.) for each hour/part of day for the upcoming days/week. Smart irrigation systems use weather forecasts in order to adjust their watering plan and typically launch a few requests a day to obtain updates.

2) C&C Device - Smart irrigation systems provide an HMI for C&C that is based on a Web browser, mobile/tablet application, and smart assistants. The HMI provides smart irrigation system users with various capabilities to remotely control and monitor the operation of smart irrigation systems from anywhere around the world (e.g., to schedule a watering program, to visualize weekly aggregated watering consumption data) using a cloud server that mediates between the C&C device and the smart irrigation system. This is a very convenient interface compared to that of traditional irrigation systems which don’t provide a remote or visual HMI for C&C.

3) Cloud Server - Each smart irrigation system communicates with its own cloud server. The primary role of the cloud server is to mediate between the C&C device and the smart irrigation system. In addition, the cloud server provides firmware updates, stores the smart irrigation system’s configuration, and stores the watering history. Smart irrigation systems typically send an update request that contains their identifier to the cloud server once a minute in order to check whether new updates have been submitted by the user.

4) Sensors - Smart irrigation systems provide a wired/wireless interface for sensors (e.g., precipitation, soil moisture, temperature, and water flow sensors). Based on the data that is obtained from the connected sensors, smart irrigation systems adjust the watering plan and regulate their operation.

In this research we analyzed three commercial smart irrigation systems: RainMachine [5], BlueSpray [6], and GreenIQ [7] that were identified as three of the 10 most advanced smart irrigation systems by [48] and [49]. They contain up to 24 valves, and they are able to communicate with sensors (e.g., precipitation sensor) and weather forecast services.

4 Adversarial Attack Model

In this section we describe the attacker’s threat model. We consider an attacker, a malicious entity, that applies a distributed attack on the urban water service using a botnet of smart irrigation systems in order to cause harm to society. The attacker’s objective can be any one of the following:

1) To Waste Water - usually, water is purified in a treatment plant after it has been pumped from a natural water source (e.g., groundwater). From the treatment plant, the water is distributed to urban/areal reservoirs and tanks that distribute water for residents in the entire distribution area. In some places, areal reservoirs and water tanks are not physically connected to a treatment plant using pipelines due to physical limitations. Instead, areal reservoirs are filled with water shipped to the reservoir on a weekly/monthly basis or when the reservoir is nearly empty. Applying an attack that wastes water and empties the urban water reservoir may result in the inability to provide water to residents until the local water reservoir can be refilled. In addition, in many places around the world, there is a serious water shortage [50], so wasting water is even more dangerous.

2) Financial Damage - attacking smart irrigation systems increases water consumption and causes financial loss to cities that use irrigation systems to water parks and private households that use irrigation systems for watering their yard/garden. In many places around the world, water is expensive. For example, the average combined water tariff in Portland, Oregon is $8.00 per cubic meter of water [51].

3) Reducing Water Flow - by applying a distributed attack against many smart irrigation systems that are connected by the same pipeline to the urban water service, the attacker can also reduce water flow in all of the households connected to the pipeline.

We do not consider a targeted attack against a specific smart irrigation system (e.g., attacking a neighbor) a dangerous attack, because the result of such an attack is limited to financial damage to one user (as a result of wasting water). In contrast, we consider an attack that is directed at an urban/local water service a very dangerous attack, because preventing people from accessing a resource from critical infrastructure can be a disaster [3], depending on the number of clients affected and prevented from accessing the resource. Attacking urban water services requires the attacker to use many smart irrigation systems. Figure 2 presents the attacker’s threat model. A botnet is used by the attacker to launch massive water consumption by many smart irrigation systems simultaneously. The attack consists of three stages:

Stage 1 - infection: the attacker builds a botnet of smart irrigation systems. The attacker can rent botnet services [52, 53] which are traded for bitcoin on the darknet. Alternatively, the attacker can infect devices that are connected to the Internet (e.g., laptop, smartphone, router, etc.) with malware using common infection vectors (e.g., email attachments, compromised websites, malvertising campaigns, and supply chain attacks), as can be seen in Figure 2a.

Stage 2 - reconnaissance: each bot searches for smart irrigation systems that are connected to its LAN. If no connected smart irrigation systems are found, the bot destroys itself in order to cover its tracks. In Section 6 we show that a smart irrigation system can be detected in a LAN within 15 minutes by a bot running on a device connected to the same LAN by analyzing outgoing traffic.

Stage 3 - attack: at the appropriate time, the attacker signals the botnet to apply a distributed attack that results in massive water consumption of the urban water service. The attacker uses the bots to attack the smart irrigation systems connected to their LANs using various attack vectors (we describe them in Sections 7 and 8) that cause high water consumption, as can be seen in Figure 2b.

In order to coordinate the DDoS attack, the attacker communicates with the bots using a C&C server. A common C&C approach is based on managing bots via one or more C&C servers located somewhere on the Internet. The IP addresses or domain names of the C&C server are hidden in the bots’ code and may be updated later via the C&C. Upon installation, a bot connects to its C&C server over a secure network protocol (e.g., HTTPS) and receives commands. The botnet operator notifies the C&C servers to send either a START or STOP command to the bots. A START command will contain parameters such as the start time and the duration. Optionally, a location can be provided to ensure that only bots located in a certain geographical region are activated in order to focus on a specific urban water service. Additional C&C mechanisms for botnets can be found in [54]. It is important to note that there are more advanced topologies which are resilient to being shut down, e.g., peer-to-peer, hierarchical, and random topologies.

In Sections 6 and 7 we show how a bot can (1) detect smart irrigation systems in its LAN within 15 minutes, and (2) control a smart irrigation system using various attacks.

5 Analysis and Reverse Engineering

Fig. 3: SoC board of commercial irrigation systems: (a) RainMachine [5], (b) GreenIQ [7], and (c) BlueSpray [6]. The GreenIQ smart irrigation system contains a Raspberry Pi as the SoC.

In this section we describe the analysis that we performed for three commercial smart irrigation systems (GreenIQ, RainMachine, and BlueSpray). We combined two techniques: (1) we connected all three smart irrigation systems to a router and captured their incoming/outgoing traffic for a few days. We analyzed their connections with their C&C devices, cloud servers, and weather forecast services from the captured PCAP files using Wireshark. In addition, (2) we reverse engineered the commercial smart irrigation systems by extracting their firmware. The GreenIQ second generation smart irrigation system is based on a Raspberry Pi controller board with a connected SD card (as can be seen in Figure 3b). We copied the content of the SD card to a laptop using an SD card reader and found the 34 Python files that the firmware is based on. Unlike the GreenIQ smart irrigation system, which uses a Raspberry Pi as its controller board, RainMachine does not use a commercial board and designed its own controlling circuitry. We used a USB to UART adapter (FT232R) to extract RainMachine’s firmware from the SoC’s UART terminals, a technique that was shown in [55]. RainMachine runs a modified version of the Android OS, so we looked for the APK of RainMachine’s application and found the file RainMachine-UI.apk. We extracted the APK to Java files using an online decompiler tool. The firmware of GreenIQ and RainMachine was not obfuscated.

6 Detecting Connected Smart Irrigation Systems

During the reconnaissance stage, each bot must detect whether a smart irrigation system is connected to its LAN. If no smart irrigation system is found, then the bot sends a notification to the C&C server and destroys itself in order to cover its tracks. We decided to design and empirically evaluate a model that detects a connected smart irrigation system and is used by a bot running on a compromised device that is connected to the same LAN as the smart irrigation system; detection is based on analyzing the captured network traffic of a suspicious IP. In order to do so, we connected three commercial smart irrigation systems (RainMachine [5], BlueSpray [6], and GreenIQ [7]) to a router via Wi-Fi, and monitored the LAN traffic using a bot that was installed on a laptop connected to the same LAN (by applying ARP spoofing from the laptop to the smart irrigation systems). We extracted several features from the captured traffic data, and appended another set of traffic data with the same features (collected from various IoT devices in other research [56]) to them. The IoT data was obtained from numerous and various IoT device types that can be found in standard homes nowadays: two smart bulbs, a smart refrigerator, sixteen security cameras, two laptops, two smartphones, and five smartwatches.

In our preliminary analysis, we explored the average number of unique destinations that smart irrigation systems interface with per hour, and compared the results with the abovementioned IoT devices. As can be seen in Figure 4, the average number of unique destinations that smart irrigation systems interface with is very low compared with the smartphones and smart refrigerator. However, a small average number of unique destinations is a property that is common to most of the IoT devices we analyzed so it cannot be used by a bot to determine whether a suspicious IP is a smart irrigation system or not.

Fig. 4: The average number of unique destinations that IoT devices interface with in an hour.

Following this preliminary analysis, we looked for unique characteristics that could be used by a bot running on a LAN to decide whether a connected device is a smart irrigation system or not. Currently, the manufacturers of smart irrigation systems do not produce any other types of IoT devices [48, 49]. With this observation in mind, we decided to analyze the identity of the cloud servers that smart irrigation systems interface with. Unlike Samsung’s cloud server, which supports many IoT devices manufactured by Samsung (smart refrigerator, smartphone, etc.), the cloud servers of the tested smart irrigation systems interface only with their respective smart irrigation systems. A packet sent to the GreenIQ cloud server was sent only from the GreenIQ smart irrigation system. The same holds for BlueSpray and RainMachine during the 26 hour period of data collection. Hence, due to the absence of overlap between the contacted cloud servers, an outgoing packet sent to a smart irrigation system cloud server can clearly and reliably indicate that the packet’s sender is a smart irrigation system.

Fig. 5: Analysis of the number of TCP sessions opened by smart irrigation systems to their cloud servers during a typical hour.

As can be seen in Figure 5, smart irrigation systems typically interact with their cloud servers several times per hour (6-11 times). We analyzed the distribution of the average time between two consecutive outgoing packets from any smart irrigation system to its cloud server. As can be seen in Figure 6, for the GreenIQ smart irrigation system, the average time between two consecutive sessions with its cloud server is much lower than that of BlueSpray and RainMachine. Overall, the maximum amount of time between two consecutive sessions with the cloud servers is 15 minutes (the 99th percentile is approximately 10 minutes).

Fig. 6: Distribution of the time between two consecutive sessions. The red line represents the 99th percentile for each model.

Based on this observation we present Algorithm 1, a smart irrigation system classification model.

1:procedure isSmartIrrigationSystem(ip, period)
2:     bluespray1 = address of the first BlueSpray cloud server
3:     bluespray2 = address of the second BlueSpray cloud server
4:     greeniq = address of the GreenIQ cloud server
5:     rainmachine = address of the RainMachine cloud server
6:     startTime = currentTime()
7:     arpSpoof(ip)
8:     for each packet captured from ip do
9:         dstIP = destination IP of packet
10:        if dstIP == bluespray1 then
11:            return true (BlueSpray smart irrigation system)
12:        if dstIP == bluespray2 then
13:            return true (BlueSpray smart irrigation system)
14:        if dstIP == greeniq then
15:            return true (GreenIQ smart irrigation system)
16:        if dstIP == rainmachine then
17:            return true (RainMachine smart irrigation system)
18:        if currentTime() > startTime + period then
19:            return false (other device)
Algorithm 1

Algorithm 1 receives as input the IP of a suspicious device that is connected to the LAN of the bot and a period of time for capturing traffic. It applies ARP spoofing to the suspicious IP (line 7) and analyzes the outgoing traffic from that IP for the amount of time given by period. It classifies the suspicious IP as a smart irrigation system if the outgoing traffic is sent to one of the known cloud servers. If the specified period of time has passed without such a packet, it classifies the suspicious IP as another kind of device. Figure 7 presents the accuracy of applying Algorithm 1 from a laptop connected to the same LAN as the smart irrigation systems for various periods of time. As can be seen in Figure 7, the classification accuracy reaches 99.9% after 10 minutes of analysis and 100% after 15 minutes, which matches the maximum gap between consecutive cloud sessions observed in Figure 6.

Fig. 7: Algorithm 1’s accuracy for various time periods.
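The classification logic of Algorithm 1, together with the session-gap measurement that justifies the 15 minute period, is reproduced here as an added example in Python; it is not code from the paper. The cloud-server addresses are placeholders (an assumption, not the vendors' real endpoints), the packet capture is constructed inline rather than obtained by ARP spoofing, and the same destination-based rule serves a defender inventorying a LAN just as well as the bot.

```python
"""Destination-based classification of a LAN host, after Algorithm 1.

Added example, not the paper's code. A host is classified as a smart
irrigation system if, within `period` seconds of the observation start,
it sends a packet to one of the known vendor cloud servers; otherwise it
is classified as another device. Addresses and traffic are constructed.
"""
import math
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed placeholder addresses standing in for the vendors' cloud servers.
KNOWN_CLOUD_SERVERS = {
    "203.0.113.10": "BlueSpray",
    "203.0.113.11": "BlueSpray",
    "203.0.113.20": "GreenIQ",
    "203.0.113.30": "RainMachine",
}


@dataclass(frozen=True)
class Packet:
    ts: float   # seconds since capture start
    src: str    # source IP on the LAN
    dst: str    # destination IP


def classify(ip: str, packets: Iterable[Packet], period: float,
             start: float = 0.0) -> Optional[str]:
    """Return the vendor name if `ip` contacts a known cloud server within
    `period` seconds of `start`; return None ("other device") otherwise."""
    for pkt in sorted(packets, key=lambda p: p.ts):
        if pkt.ts < start:
            continue
        if pkt.ts > start + period:      # observation window exhausted
            return None
        if pkt.src != ip:
            continue                     # only the suspicious host's traffic counts
        vendor = KNOWN_CLOUD_SERVERS.get(pkt.dst)
        if vendor is not None:
            return vendor
    return None


def session_gaps(ip: str, packets: Iterable[Packet]) -> List[float]:
    """Seconds between consecutive cloud-server contacts from `ip`; the
    distribution of these gaps (Fig. 6) is what bounds a useful `period`."""
    times = sorted(p.ts for p in packets
                   if p.src == ip and p.dst in KNOWN_CLOUD_SERVERS)
    return [later - earlier for earlier, later in zip(times, times[1:])]


def percentile(values: List[float], q: float) -> float:
    """Nearest-rank percentile, q in (0, 1], of a non-empty list."""
    ordered = sorted(values)
    rank = max(1, math.ceil(q * len(ordered)))
    return ordered[rank - 1]


# Constructed capture (not real traffic): a GreenIQ-style controller polls its
# cloud once a minute, a RainMachine-style one every ten minutes, and a laptop
# talks only to unrelated hosts every thirty seconds.
SAMPLE = (
    [Packet(60.0 * k, "192.168.1.20", "203.0.113.20") for k in range(1, 16)]
    + [Packet(600.0 * k, "192.168.1.30", "203.0.113.30") for k in range(1, 3)]
    + [Packet(30.0 * k, "192.168.1.50", "198.51.100.%d" % (k % 5 + 1))
       for k in range(1, 30)]
)

if __name__ == "__main__":
    for host in ("192.168.1.20", "192.168.1.30", "192.168.1.50"):
        print(host, classify(host, SAMPLE, period=900))
```

With a 5 minute window the ten-minute poller is missed, which is the point of the paper's 15 minute bound: the window must exceed the largest inter-session gap of the slowest device, not the typical one.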

7 Spoofing Attacks

In this section we present a set of spoofing attacks on commercial smart irrigation systems that a bot can implement (after detecting a connected smart irrigation system) in order to spoof the input of the irrigation system. We consider a spoofing attack that: (1) changes an input to a smart irrigation system, (2) can be applied remotely by the attacker from a bot running on a compromised device that is connected to the LAN, and (3) results in watering according to the attacker’s wishes. Smart irrigation systems obtain information from cloud servers, weather forecast services, and sensors. All of the attacks presented in this section that were used to spoof smart irrigation system inputs are based on MITM attacks; the MITM attacks were applied by a bot running on another device connected to the same LAN, which intercepted outgoing traffic sent from a smart irrigation system in order to impersonate the destination and hijack the entire session.

7.1 Spoofing smart irrigation system configuration

Fig. 8: Session stages between the GreenIQ smart irrigation system and its cloud server.
Fig. 9: A dry dropper boxed in yellow, and a dripping dropper (boxed in red) as a result of applying a watering plan injection attack.

The attacks demonstrated in this subsection represent attempts to spoof the smart irrigation system’s configuration response that is sent from the cloud server by impersonating the smart irrigation system’s cloud server. We demonstrate this attack against the GreenIQ smart irrigation system.

7.1.1 Vulnerability

The cloud server is supposed to mediate between a C&C device (e.g., a smartphone application), which can be located anywhere in the world, and a smart irrigation system. Figure 8 outlines the interface between the GreenIQ application running on a smartphone and the GreenIQ smart irrigation system via the cloud server. Using the smartphone application, the user sends C&C commands to the cloud server (yellow arrow in Figure 8). Independently, a ping_to_cloud request (that contains the user's ID) is sent from the GreenIQ smart irrigation system to the cloud server every minute in order to obtain the timestamp of the last time the user updated the watering plan configuration stored in the cloud server (red arrow in Figure 8). A response is sent from the cloud server with this timestamp (purple arrow in Figure 8). If the timestamp received from the cloud server is greater (later) than the timestamp stored on the GreenIQ smart irrigation system (signifying a more recent user update), a configxml request to retrieve the new watering plan configuration is sent by the GreenIQ smart irrigation system (green arrow in Figure 8). A response is sent from the cloud server with a file that contains the new watering plan configuration in XML format (blue arrow in Figure 8). This XML file contains details about all of the watering plans scheduled by the user (dates, hours, duration, zones/valves, etc.). Listing 1 presents the code that implements the above description, which was extracted from the main.py file of GreenIQ's firmware.

312 # Check if config.xml was modified. If yes, retrieve it.
313 if new_config > current_config:
314     main_log.info('config time updated. current_config: %d , new_config %d' % (current_config, new_config))
315     s2 = GD.get_config_xml(hub_hash)
316     if s2:
317         current_config = new_config
318         update_ping_to_cloud_immidiate = True
319 else:
320     main_log.info('config time did not change. new_config: %d' % new_config)
Listing 1: GreenIQ's firmware code extracted from the main.py file.

As can be seen in Listing 1, the configuration timestamp received from the cloud, new_config, is compared to current_config, which is the timestamp stored in GreenIQ of the last time the user updated the watering plan configuration (line 313). If an update was made by the user, the new configuration is retrieved from the cloud server (line 315) and stored in GreenIQ (line 317).

7.1.2 Exploitation

We demonstrate how an attacker can (1) launch watering using the GreenIQ smart irrigation system by injecting his/her own watering plans, and (2) cause the GreenIQ smart irrigation system to deny service permanently, thereby preventing any remote C&C interaction with the smart irrigation system. Both attacks are applied by a bot that impersonates GreenIQ's cloud server. In our experiment we used the GreenIQ application to schedule a watering plan that waters 24/7 (every day, all day long) for a period of time between two future dates. We captured the HTTP communication between the GreenIQ smart irrigation system and the cloud server during this time and extracted the watering plan configuration that was sent from the cloud server in the XML file. Then, using the GreenIQ application, we restored the GreenIQ smart irrigation system to its previous state.

Algorithm 2 presents the exploitation code used to inject a watering plan for a given future time period.

1:procedure SpoofConfiguration(packet,start,end)
2:     
3:     
4:     
5:     
6:     
7:     if dstIP != "www.greeniq.net" then
8:               
9:     if (method == "POST" & path == ping) then
10:               
11:     if (method == "GET" & path == retrieve) then
12:         
13:               
Algorithm 2

Algorithm 2 receives a packet sent from the GreenIQ smart irrigation system and two future timestamps, start and end, between which watering should be launched. First, it verifies that the packet was sent to GreenIQ's cloud server (line 7). If the packet is a ping_to_cloud request, a fake future timestamp is sent to the GreenIQ smart irrigation system by the bot (line 10). A response with a future timestamp triggers a configxml request from the smart irrigation system to retrieve the updated XML configuration. If the received packet is a configxml request, a fake XML with a watering plan between the timestamps start and end is sent to the smart irrigation system by the bot (line 13).

We installed this code on a laptop connected to the same LAN as the GreenIQ smart irrigation system and applied ARP spoofing in order to redirect traffic from the GreenIQ smart irrigation system to our bot. A ping_to_cloud request is sent from the GreenIQ smart irrigation system to its cloud server every minute over HTTP; this request is intercepted by our code. Two snapshots demonstrating the attack are presented in Figure 9. As can be seen in the figure, the attack caused the GreenIQ smart irrigation system to launch watering immediately after the response was received from the bot. We consider this attack a watering plan injection attack. It allows the attacker to trigger the GreenIQ smart irrigation system (via the bot) to launch watering according to his/her wishes. In addition, since the GreenIQ smart irrigation system sends requests to its cloud server every minute, a watering plan injection attack can be performed by the attacker close to the time of the DDoS attack, making it harder to detect.

We analyzed the code that was extracted from the GreenIQ firmware, presented in Listing 1. As can be seen from line 313 (the if condition), this code verifies only whether the received timestamp (new_config) is greater (later) than the timestamp stored in the GreenIQ smart irrigation system (current_config). If new_config is greater (later), the new timestamp is stored in the GreenIQ smart irrigation system, and the corresponding watering plan configuration is retrieved from the cloud server. No other verification of the correctness of the received timestamp stored in new_config is performed, e.g., that it is not later than the device's own clock. This can be exploited by the attacker, who can use the bot to cause the GreenIQ smart irrigation system to permanently deny service by implementing Algorithm 2 with a timestamp value that is far into the future (e.g., the timestamp of 1/1/2022). By doing so, the bot causes the GreenIQ smart irrigation system to ignore any C&C command issued by the user until the time mentioned in the response, because no C&C command during this period will be considered by the GreenIQ smart irrigation system as a user update (line 313 of the code in Listing 1). By combining this permanent denial of service attack (replying with a far-future timestamp, e.g., 1/1/2022) with a watering plan injection attack that triggers the GreenIQ smart irrigation system to water 24/7, the bot causes the irrigation system to start watering indefinitely and prevents the user from remotely stopping the watering using a C&C device. The only way the GreenIQ owner can stop the GreenIQ smart irrigation system from watering in this attack scenario is by physically turning off the main water line. In order to restore the GreenIQ smart irrigation system's regular operation, the user would have to apply a factory reset to delete the future timestamp.
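The acceptance rule from Listing 1 beside a hardened version, as an added example that is not GreenIQ's code. accept_vulnerable reproduces the only check the firmware performs (fetch and store whenever new_config is later than current_config); accept_hardened additionally refuses any timestamp beyond the device's own clock plus a small skew allowance, so a spoofed far-future value is neither acted on nor stored and cannot lock out later genuine updates. The skew limit, the clock values and the replayed scenario are assumptions made for this example; moving the link to HTTPS with certificate validation remains the primary fix, and this check is defence in depth.

```python
"""Config-timestamp acceptance: Listing 1's rule beside a hardened one."""

MAX_FUTURE_SKEW = 5 * 60  # seconds the cloud clock may run ahead (assumed)


class ConfigState:
    def __init__(self, current_config: int):
        self.current_config = current_config  # last accepted update timestamp
        self.fetched = []                     # timestamps for which config.xml was retrieved

    def accept_vulnerable(self, new_config: int) -> bool:
        """Listing 1: the only test is new_config > current_config."""
        if new_config > self.current_config:
            self.fetched.append(new_config)
            self.current_config = new_config
            return True
        return False

    def accept_hardened(self, new_config: int, now: int) -> bool:
        """Same ordering rule, but a timestamp later than the device clock
        (plus skew) is dropped without being stored, so it can never advance
        current_config."""
        if new_config > now + MAX_FUTURE_SKEW:
            return False
        return self.accept_vulnerable(new_config)


def lockout_scenario(hardened: bool):
    """Replay the sequence from the text: a spoofed 1/1/2022 timestamp
    arrives in June 2018, then the owner makes a genuine update an hour
    later. Returns (spoof_accepted, genuine_update_accepted)."""
    now = 1_528_000_000         # 2018-06-03 UTC, assumed device clock
    spoofed = 1_640_995_200     # 2022-01-01T00:00:00Z
    genuine = now + 3600
    state = ConfigState(current_config=now - 86_400)
    if hardened:
        spoof_ok = state.accept_hardened(spoofed, now)
        genuine_ok = state.accept_hardened(genuine, now + 3600)
    else:
        spoof_ok = state.accept_vulnerable(spoofed)
        genuine_ok = state.accept_vulnerable(genuine)
    return spoof_ok, genuine_ok


if __name__ == "__main__":
    print("vulnerable:", lockout_scenario(False))
    print("hardened:  ", lockout_scenario(True))
```

In the vulnerable path the spoofed value is stored and the owner's later update is silently ignored, which is the permanent denial of service described above; in the hardened path the spoof is dropped and the owner's update goes through.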

7.2 Spoofing weather forecast

The attacks demonstrated in this subsection represent attempts to spoof the weather forecast response sent from a weather forecast server by impersonating a weather forecast service. We demonstrate this attack against the RainMachine smart irrigation system.

7.2.1 Vulnerability

The RainMachine smart irrigation system was designed to save water and money by automatically adapting its watering plan to weather forecasts. It allows the user to configure a base watering plan according to the amount of water needed to water his/her yard and plants. Given the base watering plan configuration and the weather forecast (obtained from weather forecast services), the RainMachine smart irrigation system adapts its watering plan automatically. This means that for a rainy/cold weather forecast, watering will not take place, or only a percentage of the amount of water required by the base watering plan will be used (just the amount needed in order to fulfill the water requirements specified in the user's configuration). When dry weather is forecast, the RainMachine smart irrigation system automatically compensates for the lack of precipitation with watering plans that consume the required amount of water, based on the user's base watering plan configuration. We analyzed the RainMachine smart irrigation system's firmware and found the MainActivity.java file. The RainMachine smart irrigation system contains a touchscreen that presents the weather forecast for the upcoming week. In addition, it presents the percentage of water that the smart irrigation system plans to consume in order to fulfill the water requirements specified in the base watering plan configured by the user. We searched for the code that calculates the exact percentage of water that is going to be consumed by the RainMachine smart irrigation system each day during the upcoming week and found that it relies on the amount of rain forecast for each day, as can be seen in Listing 2.

int percentValue = Math.round(100.0f * ((Float) ((MainDayViewModel) viewModel.days.get(startDate.plusDays(indexDay))).programWaterNeed.get(viewModel.indexProgram)).floatValue());
Listing 2: RainMachine's firmware code from the MainActivity.java file
Fig. 10: Session stages between RainMachine smart irrigation system and Met.no weather forecast service
Fig. 11: The original weather forecast in London (upper picture) was spoofed to a fake weather forecast (lower picture)

We continued to analyze the RainMachine smart irrigation system’s firmware searching for the word "Weather." Listing 3 presents code from the file of weather forecast services that the RainMachine smart irrigation system interfaces with.

    public boolean isNOAA()
    public boolean isMETNO()
    public boolean isWUnderground()
    public boolean isForecastIO()
    public boolean isNETATMO()
    public boolean isCIMIS()
    public boolean isFAWN()
    public boolean isWeatherRules()
    public boolean isPWS()
Listing 3: List of weather services extracted from RainMachine firmware

We searched for these names on the Internet and found the weather forecast services that appear in Listing 3. We analyzed the REST API of each of them. We note the following observation: during the time in which this research was conducted, most of the weather forecast services provided a REST API over plain HTTP. Figure 10 presents the REST API interface between the RainMachine smart irrigation system and a weather forecast service. An HTTP request that contains RainMachine's location (in latitude-longitude format) is sent from the RainMachine smart irrigation system to the weather forecast service. A response is sent from the weather forecast service as an XML file that contains the weather forecast (at hourly resolution) with various details, including temperature, wind direction and speed, cloudiness, humidity, barometric pressure, etc. Four requests per day are sent by the RainMachine smart irrigation system to the weather forecast service, and based on the weather forecast received, the RainMachine smart irrigation system adjusts its future watering plans.

7.2.2 Exploitation

We demonstrate how an attacker can manipulate the RainMachine smart irrigation system to schedule unnecessary watering plans based on his/her wishes by impersonating a weather forecast service and injecting a fake weather forecast. We analyzed the Met.no API and found that it provides a REST interface based on HTTP communication. We identified the format of the response sent from the Met.no weather forecast service, and based on these findings, we wrote a Python code that changes weather forecast parameters between two given timestamps.

We installed our code on a laptop connected to the same LAN as the RainMachine smart irrigation system and used ARP spoofing to redirect traffic sent from the RainMachine smart irrigation system to the Met.no weather forecast service. Originally, the RainMachine smart irrigation system was configured to work in London. We performed the attack during the winter; since London is rainy in the winter, no watering would likely be needed in order to fulfill the requirements of the base watering plan configuration. Accordingly, RainMachine adapted its watering plan to consume no water for the upcoming week, as can be seen in Figure 11a, which presents the RainMachine smart irrigation system's screen before the attack.

A request to the Met.no weather forecast service is sent every six hours from the RainMachine smart irrigation system over HTTP, and in this attack such a request was intercepted by our code. As can be seen in Figure 11a, the original weather forecast for London did not require any watering at all, because the temperatures forecast were between -1° and 12° for the entire week. However, the attack changed these temperatures to values between 0° and 50°. As a result, the RainMachine smart irrigation system immediately adjusted its watering plan to compensate for these temperatures by scheduling watering plans, as can be seen in Figure 11b.

Another way of manipulating the RainMachine smart irrigation system into scheduling unnecessary watering plans is to change the location in the request sent from the RainMachine system to the weather forecast service to the most arid place on Earth on the day the attack is performed. The previous attack, which responds with a fake XML file, required the attacker to identify the format of the XML response sent from the weather forecast service. The current attack requires only the much simpler step of changing the location (latitude, longitude) value supplied as part of the request. We conducted an additional experiment in which we performed the attack by changing the location of the request from London to Algeria, which was the driest and hottest place on Earth when we performed the attack. As a result, the RainMachine smart irrigation system adapted itself automatically to compensate for the dry weather and scheduled watering plans. Although the response sent from the Met.no weather forecast service contained the coordinates of the city in Algeria, the RainMachine smart irrigation system did not identify this change and accepted the new weather forecast. As a result, it adjusted its watering plan to compensate for the lack of water and the weather in Algeria.

We consider these attacks weather forecast injection attacks. They allow an attacker to trigger the RainMachine smart irrigation system (via the bot) to launch watering based on his/her wishes. In addition, since the RainMachine smart irrigation system sends requests to weather forecast services every six hours, a weather forecast injection attack can be performed by the attacker around the time of the DDoS attack.
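Both weather forecast injection attacks above succeed because the controller accepts (a) implausible values and (b) a forecast for a location other than the one it requested. The validation below rejects both, as an added example that is not RainMachine's code. The XML layout is a constructed, simplified one and is not Met.no's actual schema; the plausibility bounds are a crude assumption (a real controller would use per-location climatology, since 44° is plausible for Algeria and not for London), and the Algerian coordinates are made up. Moving the service to HTTPS with certificate validation, as Met.no did, is the primary fix; this is a second line of defence.

```python
"""Sanity checks on a weather-forecast response before it drives watering."""
import xml.etree.ElementTree as ET
from math import hypot

LONDON = (51.5074, -0.1278)


def parse_forecast(xml_text: str):
    """Return ((lat, lon), [temperatures]) from the constructed XML layout."""
    root = ET.fromstring(xml_text)
    loc = root.find("location")
    lat, lon = float(loc.get("latitude")), float(loc.get("longitude"))
    temps = [float(t.get("value")) for t in root.iter("temperature")]
    return (lat, lon), temps


def validate_forecast(xml_text: str, requested, plausible=(-30.0, 45.0), tol_deg=0.05):
    """Return the reasons to reject the response; an empty list means accept.
    requested is the (lat, lon) the controller put in its own request."""
    try:
        (lat, lon), temps = parse_forecast(xml_text)
    except (ET.ParseError, AttributeError, TypeError, ValueError) as e:
        return [f"malformed response: {e}"]
    problems = []
    # (b) the service must answer for the place we asked about
    if hypot(lat - requested[0], lon - requested[1]) > tol_deg:
        problems.append(f"location mismatch: got ({lat}, {lon}), asked {requested}")
    if not temps:
        problems.append("no temperature data")
    # (a) values outside the assumed climatological envelope are not acted on
    lo, hi = plausible
    bad = [t for t in temps if not lo <= t <= hi]
    if bad:
        problems.append(f"implausible temperatures: {bad}")
    return problems


def _doc(lat, lon, temps):
    """Build a constructed forecast document (not Met.no's real format)."""
    rows = "".join(f'<time><temperature unit="celsius" value="{t}"/></time>' for t in temps)
    return f'<weatherdata><location latitude="{lat}" longitude="{lon}"/>{rows}</weatherdata>'


# Constructed responses mirroring the three cases in the text.
LONDON_WINTER = _doc(*LONDON, [-1.0, 3.0, 7.0, 12.0])
LONDON_SPOOFED = _doc(*LONDON, [0.0, 25.0, 41.0, 50.0])
ALGERIA_REDIRECTED = _doc(27.0, 3.0, [20.0, 35.0, 42.0, 44.0])  # assumed coordinates

if __name__ == "__main__":
    for name, doc in [("winter", LONDON_WINTER), ("spoofed", LONDON_SPOOFED),
                      ("redirected", ALGERIA_REDIRECTED)]:
        print(name, validate_forecast(doc, LONDON) or "accepted")
```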

7.3 Sensor attacks

Many smart irrigation systems allow sensor connectivity, using sensors like rain sensors, water flow sensors, and soil moisture sensors to regulate watering and water consumption more efficiently. IoT device sensor attacks are very common and can appear in one of the following ways:

  • Compromising a sensor - the attacker manages to compromise a sensor (e.g., using a supply chain attack, exploiting an OS vulnerability). As a result, the sensor sends false data.

  • Spoofing outgoing communication from the sensor - the attacker manages to change the data that is sent from the sensor (e.g., using a MITM attack).

  • Physically influencing the sensor - the attacker manages to influence the phenomenon being measured (e.g., by hitting a temperature meter, or pouring water on a rain or soil moisture sensor) so that false measurements are obtained.

Spoofing a sensor’s output with any of the abovementioned methods will influence the operation of smart irrigation systems. Smart irrigation systems with a connected rain sensor allow the user to define rules that prevent watering on rainy days. Considering this fact, spoofing a rain sensor’s data so that it won’t notify the smart irrigation system when it is rainy causes the daily watering program to work as usual instead of being disabled during rainy weather.

However, since smart irrigation systems were introduced only a few years ago, the current generation of commercial smart irrigation systems supports only wired connectivity to a reserved set of connectors on the smart irrigation system's SoC board. This limits the types of attacks an attacker can perform in order to spoof sensor data, because: (1) spoofing outgoing communication from the sensors requires physical access to the cable that connects the sensor to the smart irrigation system, (2) physical attacks (the third type above) on many sensors are not practical, since they require many people to engage with the sensors of the attacked smart irrigation systems at the time of the attack, and (3) compromising a massive number of sensors can only be done using a supply chain attack, which is not easy to perform.

We believe that next generation of smart irrigation systems will support wireless connectivity to sensors, creating a new attack vector for spoofing data that is sent from the sensor remotely to the smart irrigation system.

8 Replay Attacks

In this section we present a set of replay attacks that can be implemented by a bot against a commercial smart irrigation system in order to launch watering. A replay attack (or playback attack) is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. We consider a replay attack that: (1) can be applied remotely by the attacker from a bot running on a compromised device that is connected to the LAN, (2) results in watering according to the attacker's wishes, and (3) exploits a legitimate HMI interface for C&C as a means of attack. The attacks demonstrated in this section were performed by a bot running on another device connected to the same LAN as the smart irrigation system and generates

8.1 Scheduling a watering plan

The attack demonstrated in this subsection is scheduling watering plan attack. We demonstrate this attack against the BlueSpray smart irrigation system.

8.1.1 Vulnerability

All smart irrigation systems provide an HMI to a C&C device. The HMI can be operated from various C&C devices, including a mobile application, a Web browser, or a smart assistant. Using a C&C device, the user can use the HMI to: (1) connect the smart irrigation system to a LAN, (2) update the watering plan configuration, (3) monitor the watering history, (4) define zones, (5) add sensors, etc. BlueSpray provides an HMI for PCs and laptops via a Web browser, based on HTTP communication. The user can open a Web browser (Chrome, Firefox, etc.) on another device connected to the same LAN, type BlueSpray's IP address, and send it C&C commands. Listing 4 presents a payload (in JSON format) extracted from an HTTP packet for scheduling a watering plan that was sent from a Chrome browser to the BlueSpray smart irrigation system.

{"action":"set","data":[{"enabled":1,"type":2,"program":10,"rpt":[0],"season":0,"cycle":[5,60],"name":"New run","start_date":"2018-06-17","start_time":0,"id":5,"flag":"change"}],"msgid":77080}
Listing 4: Payload of an HTTP request sent to BlueSpray

We were surprised to find that no authentication is required in order to communicate with the BlueSpray smart irrigation system from another device that is connected to the same LAN.

Fig. 12: BlueSpray’s Web user interface. Before the attack (upper picture) there are no watering plans, and after the attack (lower picture) watering plans have been scheduled for the entire week.

8.1.2 Exploitation

We demonstrate how an attacker can launch watering via the BlueSpray smart irrigation system by scheduling watering plans according to his/her wishes. We analyzed the HTTP packets of watering plan updates sent to the BlueSpray smart irrigation system from the Chrome Web browser on a PC connected to the same LAN and learned how such a request is generated. Based on our findings, we wrote Python code that schedules watering between two given timestamps using an HTTP request sent to the BlueSpray smart irrigation system.

We reset the BlueSpray smart irrigation system to its previous configuration with no watering plans. We installed our code on a laptop connected to the same LAN and ran it. The code sent an HTTP request to schedule watering plans for the entire week. Two snapshots that demonstrate this attack scenario are presented in Figure 12. As can be seen in Figure 12, our code successfully scheduled new watering plans on the BlueSpray smart irrigation system.
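The request handler that makes the scheduling attack possible, beside a hardened one, as an added example that is not BlueSpray's code. handle_open accepts any well-formed "set" message from any LAN host, which is the behaviour exploited above. handle_hardened requires an HMAC over the request body under a secret shared with the owner's browser and treats msgid as a strictly increasing counter, so a captured request can neither be altered nor replayed. Treating msgid as a replay counter, the X-Signature header name and the shared secret are assumptions made for this example; the payload is the one from Listing 4.

```python
"""A BlueSpray-style "set" handler with no authentication, beside a hardened one."""
import hashlib
import hmac
import json

# Payload from Listing 4 (as captured in the paper).
LISTING4_PAYLOAD = (
    '{"action":"set","data":[{"enabled":1,"type":2,"program":10,"rpt":[0],'
    '"season":0,"cycle":[5,60],"name":"New run","start_date":"2018-06-17",'
    '"start_time":0,"id":5,"flag":"change"}],"msgid":77080}'
)


def sign(body: str, secret: bytes) -> str:
    """Hex HMAC-SHA256 over the raw request body (the owner's client does this)."""
    return hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()


class Scheduler:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.plans = []        # accepted watering plans
        self.last_msgid = 0    # highest msgid seen (assumed replay counter)

    def handle_open(self, body: str) -> int:
        """Current behaviour: no identity or freshness check at all."""
        try:
            msg = json.loads(body)
        except ValueError:
            return 400
        if msg.get("action") != "set":
            return 400
        self.plans.extend(msg.get("data", []))
        return 200

    def handle_hardened(self, headers: dict, body: str) -> int:
        """401 without a valid MAC over the exact body, 409 when msgid does
        not increase (a replayed capture), 200 otherwise."""
        mac = headers.get("X-Signature", "")
        if not hmac.compare_digest(mac, sign(body, self.secret)):
            return 401
        try:
            msg = json.loads(body)
        except ValueError:
            return 400
        if msg.get("action") != "set":
            return 400
        msgid = msg.get("msgid", 0)
        if not isinstance(msgid, int) or msgid <= self.last_msgid:
            return 409
        self.last_msgid = msgid
        self.plans.extend(msg.get("data", []))
        return 200


if __name__ == "__main__":
    secret = b"owner-secret"  # assumed shared secret
    s = Scheduler(secret)
    print("open:", s.handle_open(LISTING4_PAYLOAD))
    sig = sign(LISTING4_PAYLOAD, secret)
    print("signed:", s.handle_hardened({"X-Signature": sig}, LISTING4_PAYLOAD))
    print("replayed:", s.handle_hardened({"X-Signature": sig}, LISTING4_PAYLOAD))
```

Over plain HTTP a LAN attacker can still read the signed request, but the counter stops it from being replayed and the MAC stops the dates from being edited; putting the interface behind HTTPS removes the eavesdropping as well.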

8.2 Opening the valves of a smart irrigation system

The attacks demonstrated in this subsection were implemented on the GreenIQ smart irrigation system.

8.2.1 Vulnerability

We analyzed the GreenIQ smart irrigation system’s firmware and looked for the code that opens a valve. Listing 5 presents code from the file.

def set_gpio(MAX_PORTS, gpio_map, gpio_command, high_is):
    global model_utilities
    model_utilities.set_gpio(MAX_PORTS, gpio_map, gpio_command, high_is)
Listing 5: Code for opening a valve (extracted from GreenIQ firmware)

A GPIO (general purpose input/output) interface is used by the GreenIQ smart irrigation system's SoC board (a Raspberry Pi) to control the connected valves. We looked in the firmware's code for a specific call to the set_gpio function and found the following code (presented in Listing 6) in the file:

# Testing - Operate Master Valve
set_gpio(MAX_PORTS, gpio_map, '00000010', high_is)
time.sleep(test_preiod)
Listing 6: Execution of the code for opening a valve (Listing 5)

Closing the valves is handled by executing the following code: .

8.2.2 Exploitation

We demonstrate an opening valve attack by opening and closing the master valve every 10 seconds using SSH communication from a laptop that is connected to GreenIQ smart irrigation system’s LAN. Two snapshots from the experiment are presented in Figure 13.

Fig. 13: (a) an empty glass, and (b) a glass that is being filled as a result of a compromised device that uses SSH communication to launch watering

As can be seen in Figure 13, watering starts and stops every 10 seconds. An opening valve attack can be implemented from a bot running on: (1) a compromised device connected to the LAN of the GreenIQ smart irrigation system, using SSH communication and a password (as we did), or (2) the GreenIQ smart irrigation system itself. This allows the attacker to trigger the GreenIQ smart irrigation system (via the bot) to launch watering according to his/her wishes.

9 Calculating the Damage

Fig. 14: Modeling pipeline system that distributes water as flow network

In this section we describe two methods to calculate the damage that can be caused by applying a distributed attack on urban water services: (1) a theoretical calculation using a flow network, and (2) an empirical estimation using an experiment.

9.1 Calculating the damage using a flow network

Given an area with a pipeline system that distributes water obtained from an areal water reservoir to clients/sinks (e.g., homes, yards/gardens, public locations, etc.), we calculate the potential water waste and financial damage by modeling the area's pipeline system as a flow network and finding the maximum flow in the network with well-known algorithms. A flow network is defined as a quadruple (G,c,s,t), where G = (V,E) is a directed graph, c is a capacity function, s is a source vertex, and t is a target vertex. Given an areal distribution pipeline with water providers (e.g., water reservoirs, water tanks), water consumers (e.g., houses, schools, etc.), and a network of pipelines, we build a flow network as follows:

Vertices

  1. Let V’ be a set of vertices, where v belongs to V’ if it is a water reservoir.

  2. Let V” be a set of vertices, where v belongs to V” if it is a pipeline junction.

  3. Let V”’ be a set of vertices, where v belongs to V”’ if it is a sink/water consumer (e.g., house, school, etc.), and a smart irrigation system is not connected to the consumer.

  4. Let V”” be a set of vertices, where v belongs to V”” if it is a sink/water consumer (e.g., house, school, etc.), and a smart irrigation system is connected to the consumer.

  5. Let us define a new supersource vertex s and new supersink vertex t.

The entire set of vertices V is defined as follows:

Edges

  1. Let E’ be a set of edges, where e = (v1,v2) belongs to E’ if a pipeline between v1 and v2 exists (v1,v2 belongs to V).

  2. Let E” be a set of edges between the source vertex s to every vertex in V’.

  3. Let E”’ be a set of edges between every sink vertex v (belongs to V””) that has a smart irrigation system to the target vertex t.

The entire set of edges E is defined as follows: The entire graph G is defined by G = (V,E)

Capacity function

Let c be a capacity function from edges to a real number defined as follows:

(1)

where w is the average amount of water that can be consumed by a smart irrigation system.

The flow network is defined by (G,c,s,t). An edge from a vertex to t in a flow network (G,c,s,t) exists only if the vertex contains a connected smart irrigation system. Let us assume that each bot can consume the maximum amount of water that can be supplied to the household by opening all of the smart irrigation valves. The potential water wasted can be calculated by applying well- known algorithms for maximum flow problems (Ford-Fulkerson, Edmonds-Karp, MPM, and Dinic’s algorithm) on the constructed flow network and determining the amount of water flow that is found in the supersink vertex t. The financial damage can be calculated by multiplying the following: the maximum flow of the supersink vertex f, the average combined water tariff in the area, and the time period of the attack.
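The construction above carried through on a constructed toy pipeline, with Edmonds-Karp for the maximum flow and the paper's product rule for the financial damage, as an added example that is not the paper's code. Because the capacity function (1) is not reproduced on this page, the capacities used are assumptions: the supersource-to-reservoir edges (E'') carry the reservoir's supply rate, pipeline edges (E') carry their pipe capacity and are directed downstream, and each consumer with a smart irrigation system (V'''') is joined to the supersink (E''') with capacity w, the average per-system draw. Units are cubic meters per hour; the network, tariff and duration are made up.

```python
"""Potential water waste as a maximum-flow computation on the paper's network."""
from collections import defaultdict, deque


def max_flow(cap, s, t):
    """Edmonds-Karp: repeatedly augment along the shortest residual path."""
    res = defaultdict(lambda: defaultdict(float))
    for u in list(cap):
        for v, c in cap[u].items():
            res[u][v] += c
    total = 0.0
    while True:
        parent = {s: None}
        queue = deque([s])
        while queue and t not in parent:
            u = queue.popleft()
            for v, c in list(res[u].items()):
                if c > 1e-12 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if t not in parent:
            return total
        bottleneck = float("inf")
        v = t
        while parent[v] is not None:
            bottleneck = min(bottleneck, res[parent[v]][v])
            v = parent[v]
        v = t
        while parent[v] is not None:
            u = parent[v]
            res[u][v] -= bottleneck
            res[v][u] += bottleneck
            v = u
        total += bottleneck


def build_water_network(reservoirs, pipes, irrigated, w):
    """reservoirs: {name: supply rate}; pipes: [(u, v, capacity)] directed
    downstream; irrigated: consumers with a smart irrigation system (V'''');
    w: average draw of one smart irrigation system. Consumers without a
    smart irrigation system get no edge to t, as in the text."""
    cap = defaultdict(lambda: defaultdict(float))
    for r, supply in reservoirs.items():
        cap["s"][r] += supply            # E'': supersource -> reservoir (assumed capacity)
    for u, v, c in pipes:
        cap[u][v] += c                   # E': pipeline with its capacity
    for consumer in irrigated:
        cap[consumer]["t"] += w          # E''': irrigated consumer -> supersink
    return cap


def attack_damage(cap, tariff, hours):
    """(maximum flow into t, financial damage) per the product rule above."""
    f = max_flow(cap, "s", "t")
    return f, f * tariff * hours


# Constructed toy neighbourhood: one reservoir, one junction, three homes,
# two of which have a smart irrigation system; the pipe to H3 is narrow.
TOY_NETWORK = build_water_network(
    reservoirs={"R": 100.0},
    pipes=[("R", "J1", 50.0), ("J1", "H1", 10.0), ("J1", "H2", 10.0), ("J1", "H3", 2.0)],
    irrigated={"H1", "H3"},
    w=2.795,
)

if __name__ == "__main__":
    flow, cost = attack_damage(TOY_NETWORK, tariff=3.0, hours=6)
    print(f"max flow {flow:.3f} m^3/h, damage {cost:.2f} over 6 h")
```

H1 is limited by w (2.795) and H3 by its 2.0 m^3/h pipe, so the maximum flow is 4.795 m^3/h; H2, with no irrigation system, contributes nothing. Swapping in a real pipeline and tariff is the only change needed.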

9.2 Estimating the damage using an experiment

An alternative way to estimate the damage that can be caused by a distributed attack on urban water services is to calculate the amount of water that can be consumed by a sprinkler. A typical sprinkler's water flow is between 0.66 and 4.93 cubic meters per hour (as can be seen in the specifications of the Falcon 6504 sprinkler [57]). Let us assume that the attacker controls a botnet of smart irrigation systems (each connected to a single sprinkler) that are operated for a given period of time. The expected water waste caused by applying the attack is calculated by multiplying the average water flow (2.795 cubic meters per hour) by the size of the botnet and by the duration of the attack:

(2)

Table I presents the calculation of the damage (wasted water) that can be caused by applying the attack with various numbers of bots and periods of time.

Botnet size (sprinklers)   Amount of time   Average water wasted (cubic meters)   Comparable capacity
1                          1 hour           2.795
1,355                      1 hour           3,787                                 typical water tower (3,785)
13,550                     6 minutes        3,787                                 typical water tower (3,785)
143,200                    1 hour           404,244                               small floodwater reservoir (400,000)
23,866                     6 hours          404,244                               small floodwater reservoir (400,000)
TABLE I: Damage Calculation (average sprinkler flow of 2.795 cubic meters per hour)

A standard water tower's capacity is 3,785 cubic meters (according to [58]), and as can be seen in Table I, a botnet of 1,355 sprinklers watering for a single hour wastes 3,787 cubic meters, a volume greater than the capacity of a standard water tower. A small floodwater reservoir's capacity is 400,000 cubic meters (e.g., Betarim [59]), and as can be seen in Table I, a botnet of 23,866 sprinklers watering for six hours (overnight) wastes 404,244 cubic meters, a volume greater than the capacity of a small floodwater reservoir.

10 Countermeasures

In this section we describe countermeasures to detect and prevent a distributed attack against urban water services. A distributed attack launched from smart irrigation systems can be detected by deploying a model that monitors unusual water consumption in urban water services (e.g., using anomaly detection methods). However, even if an urban water service can detect such an attack, its ability to react is very limited. The only thing an urban water service can do when such an attack is detected is stop water distribution. While this prevents the attacker from wasting any more water, it also prevents people from obtaining water, which is the aim of the attacker. Preventing people from obtaining a resource from critical infrastructure can even be considered a national disaster, as was the case in the cyber attack against the Ukrainian power grid [3]. Preventing a bot from impersonating a party that a smart irrigation system interfaces with can be done by upgrading HTTP communication to HTTPS. This prevents the attacker from impersonating the server and forging its responses, provided that the device validates the server's certificate; a LAN attacker can still redirect the TCP connection with ARP spoofing but cannot complete the TLS handshake as the server. In addition, SSH communication is not needed in order to communicate with a smart irrigation system when a cloud serves as a mediator, so disabling SSH will prevent attackers from executing code on smart irrigation systems after guessing weak passwords.

11 Ethical Considerations and Disclosure

We performed full ethical disclosure, revealing the vulnerabilities discussed in this paper and providing all of the relevant technical details and suggestions for addressing them to GreenIQ, RainMachine, and BlueSpray in June 2018. We received confirmation of our findings from each of them. GreenIQ thanked us for sharing our findings and decided to apply HTTPS communication between their smart irrigation system and cloud server. In addition, they decided to close the SSH port in their firmware to prevent an attacker from running Python code for watering. In June 2018 the Norwegian Meteorological Institute (Met.no) upgraded their HTTP API to an HTTPS version.

12 Discussion

The distributed attack described in this paper can result in (1) the DoS of water service in cities in which water is not provided by a natural water source (e.g., groundwater), and (2) financial damage. The proposed IoT botnet can also be used to attack other types of critical infrastructure. For example, it can be used to attack the smart grid, which uses smart homes to produce electricity, in order to implement a DoS attack on power distribution services (another critical infrastructure) in a neighborhood, as opposed to attacking the regional electricity company directly. Another interesting method of triggering the attack, which does not require compromising a device connected to the LAN of a smart irrigation system, targets smart assistants that can be used to control smart irrigation systems. For example, an attacker could replicate Burger King's method and issue a Google query to Google Home (a smart assistant) by placing an ad on national television that contains an embedded message which initiates watering [34]. The Google query could even be issued via ultrasound [60] embedded in the advertisement. Given that malware has recently been used to attack smart refrigerators, air conditioning systems, thermostats, TVs, and now smart irrigation systems, we can only hypothesize whether the next generation of technicians will have to become cyber security analysts. The question remains: will Wireshark replace the traditional monkey wrench and Phillips screwdriver?

References