In a shocking display of poor management over 100 smart irrigation systems were left exposed online without any security or even a password. Which allowed anyone to access and mess with any of the water irrigation which was used for crops, trees, cities, and any building complex.
This clear example of what not to do was discovered by a security firm in Israel, Security Joes.
These systems were running off of ICC PRO designed by Motorola for agricultural use and as well landscape. Security Joes co-founder Ido Naor reported that these companies and city officials had these installed but left them on factory settings which don't have a password for the default account.
Anyone attacking the systems could have identified them with IoT (Internet of Things) search engines like Shodan. Once they did locate the ICC PRO system, they would just have to type the default username for the system, and boom they are in.
They'll have access to pause or stop the water, change settings, water quantity, water pressure, and even lock the systems by deleting the user. Honestly this sounds more like a prank to do in the park in the middle of summer. Yet it could be more dangerous as Israel is in the middle of the desert.
Security did identify that with the 100 ICC PRO systems almost half of which were located in Israel while the rest were in other places around the globe. Ido Naor notified the CERT in Israel which then contacted the companies who own these systems, Motorola, and shared the information with other CERT teams in other countries.
Thankfully Motorola sent an announcement to customers about the dangers of leaving systems on default without a password. Security Joes has stated that the number of exposed systems has gone down to about 78 as companies begin to securing their ICC PROs.
Back in April Israel did have attacks targeting water management systems to alter water systems in order to create water shortages in certain areas by emptying water reserves and causing outright civil unrest. To combat this the INCD Israel's cybersecurity agency has sent out nationwide alerts to have passwords changed for web-based management systems.