More than 100 smart irrigation systems were left exposed online without a password last month, allowing anyone to access and tamper with water irrigation programs for crops, tree plantations, cities, and building complexes.
The exposed irrigation systems were discovered by Security Joes[1], a small boutique security firm based in Israel.
All were running ICC PRO[2], a top-shelf smart irrigation system designed by Motorola for agricultural, turf, and landscape management.
Security Joes co-founder Ido Naor told ZDNet last month that companies and city officials had installed ICC PRO systems without changing default factory settings, which don't include a password for the default account.
Naor says the systems could be easily identified online with the help of IoT search engines like Shodan.
Once attackers locate an internet-accessible ICC PRO system, Naor says all they have to do is type in the default admin username and press Enter to access a smart irrigation control panel.
From there, Naor says, attackers can pause or stop watering events, change settings, control the water quantity and pressure delivered to pumps, or lock irrigation systems by deleting users.
More than 100 ICC PRO irrigation systems were left exposed online without a password last month when Naor first spotted this issue.
The security researcher said that more than half of the exposed systems were located in Israel, with the rest spread across the globe.
Naor notified CERT Israel last month, which then contacted the affected companies and the vendor (Motorola), and also shared the findings with CERT teams in other countries.
The exposure started to improve last week. Naor credited Motorola with this development after the company sent a letter to customers about the dangers of leaving irrigation systems exposed online.
As a result of these