By hacking into fleets of vehicles, cardiac devices, and baby heartbeat monitors, we thought IoT hackers had already hit a new low. Beyond manipulating our data or draining our bank accounts, hackers can cause irreversible damage to our health. So, perhaps it shouldn’t come as a surprise that the next IoT hack on the horizon could be something even more serious.
By 2025, approximately 8 billion devices will be connected to the internet. That’s 8 billion possibilities for cybercriminals that, so far, have proven IoT breaches akin to stealing candy from a baby. When you also consider that by that same year, two-thirds of the world will have limited or scarce access to water, it becomes a powerful resource to control.
Research by scientists at the Ben-Gurion University of the Negev found that numerous vulnerabilities in smart irrigation systems could be an easy target for hackers. Criminals could take over the systems and cause water consumption to skyrocket by ramping up output, leading to water shortages.
The study assessed several smart IoT irrigation systems from manufacturers including RainMachine, GreenIQ, and BlueSpray. And the results were conclusive: the systems were insecure and each had significant vulnerabilities which, in the worst-case scenario, could allow hackers to drain public water supplies using a bot.
Many cybercrooks are only in it for the money. For others, human misery is pretty high up there on their list of guilty pleasures. And actually, seizing control over a resource as precious as water could wind up bringing in millions or even billions of dollars in payouts to regain control.
An IoT Breach Waiting to Happen
With developing technologies including blockchain and AI, many are hopeful that cybersecurity will become more robust. Others, though, believe that cybercriminals will only become more inventive and that threats will emerge at the same pace as new technologies.
Disrupting a city’s water supply is much easier to do remotely from a computer with no need to physically visit the critical infrastructure to cause damage. It’s also a lot harder to trace.
The hacker simply attacks the IoT devices connected to the water supply by taking control of a botnet and scanning for all smart irrigation systems connected. They could switch on the watering, using session hijacking and replay attacks as they please.
According to the research, a standard water tower could be emptied in as little as one hour by using a botnet of 1,355 sprinklers. It gets worse. A floodwater reservoir could be drained dry overnight using around 23,866 sprinklers.
It’s a pretty sobering thought, especially considering that, even if the attack were detected, the only possible reaction would be to shut down the water supply and cause temporary havoc.
While that would prevent a hacker from wasting more water, it would also deny people access to water, meaning the attacker’s goal was fulfilled either way. Researchers said that preventing people from obtaining access to water could be considered a “national disaster.”
How to Prevent This from Happening
IoT device security remains an issue of immense concern for many cybersecurity professionals. The majority of devices simply are not secure enough and have proven to place critical infrastructure at risk time and again.
The scientists at Ben-Gurion University report that preventing an attack involving IoT irrigation systems is possible by upgrading HTTP communication to HTTPS communication. But that may not be enough.
Doing so would prevent hackers from spoofing TCP packets, but SSH communication should be disabled in these devices as well since it creates an additional vulnerability and is “not needed” to communicate with a smart irrigation system using a cloud as a mediator.
Limiting device connectivity is another way to prevent hackers from gaining access, but it’s not a lasting or failsafe solution.
Ultimately, IoT technology still throws up an ominous number of question marks. How safe do you feel knowing that your Fitbit, portable speaker, baby monitor, or irrigation system could be used to cause unthinkable harm?
And here’s another question for you: If an IoT botnet can be used to control water systems, what’s to stop them from attacking other critical infrastructure? Moving climate change, nuclear war, and a robot invasion to one side, could the fate of the world actually lie in the hands of a poorly trained developer or sloppy IoT device manufacturer unwilling to secure their products?