Security researchers have warned of a potential attack that – using a “piping botnet” of internet-connected irrigation systems that water simultaneously – could impact a city’s water system to the point of actually draining its reserves.

A team of six academics from Ben-Gurion University of Negev, Israel, identified and analyzed security flaws in the firmware of several commercial irrigation systems that are connected to the internet. They focused on three commonly sold smart irrigation systems – GreenIQ, BlueSpray, and RainMachine – and found that they suffer from vulnerabilities that enable attackers to remotely turn watering systems on and off at will.

Some devices were found to be prone to Man-in-The-Middle (MiTM) attacks, while others can be tricked into initiating the watering process by manipulating its sensors or spoofing weather data.

In essence, the attack would leverage poorly-secured Internet-of-Things (IoT) devices that are connected to a city’s critical infrastructure. Compared to infecting the physical cyber-systems of urban water services directly, however, undertaking the attack through an “army” of internet-connected irrigation controllers is much easier, noted the researchers.

“[W]hile previous attacks against critical infrastructure required the attacker to compromise the systems of critical infrastructure, we present an attack against critical infrastructure that does not necessitate compromising the infrastructure itself and is done indirectly by attacking client infrastructure that is not under the control of the critical infrastructure provider,” reads the paper.

“Municipalities and local government entities have adopted new green technology using IoT smart irrigation systems to replace traditional sprinkler systems, and they don't have the same critical infrastructure security standards,” wrote the researchers, who revealed their findings in a paper called “Piping Botnet – Turning Green Technology into a Water Disaster”. Their research was also presented at the Def Con 26 Conference in Las Vegas earlier this month and summed up in this video.

"By simultaneously applying a distributed attack that exploits such vulnerabilities, a botnet of 1,355 smart irrigation systems can empty an urban water tower in an hour and a botnet of 23,866 smart irrigation systems can empty a flood water reservoir overnight," one of the researchers, Ben Nassi, is quoted as saying on the university’s website. The attack would first involve taking control of a botnet of computers with an eye to detecting smart irrigation systems on local networks.

“The researchers demonstrated how a bot running on a compromised device can (1) detect a smart irrigation system connected to its LAN in less than 15 minutes, and (2) turn on watering via each smart irrigation system using a set of session hijacking and replay attacks,” according to the press release.

The researchers said that they have disclosed the vulnerabilities to the vendors so they can upgrade the firmware.