The initial testing yielded some of the most common security issues, such as default passwords and authentication bypass
Researchers from cyber-security specialist Threatcare and IBM X-Force Red, an autonomous group within IBM Security, have found 17 vulnerabilities in smart city sensor and control devices deployed in cities around the world, eight of which have been described as critical in severity.
They were uncovered in early 2018 as part of an ethical hacking project by the two organisations and are detailed in The Dangers of Smart City Hacking study, presented at the Black Hat 2018 information security event taking place in Las Vegas.
The trigger for the project was the civil alert message that Hawaiians saw on their mobile devices in January this year informing them of a ballistic missile threat and instructing them to seek immediate shelter. It was a false alarm put down to human error, but the study warns that the same smart city technology used to try to improve citizens’ lives could have devastating consequences if control of it is placed in the wrong hands.
“By taking advantage of readily available tools for identifying exposed devices, and the relatively immature security in smart city technology, attackers can take control of these systems,” says the report. “They can potentially cause citizens to panic, put workers in danger, and send law-enforcement officers on wild-goose chases.”
The research team wanted to learn more about real-world possibilities of smart city hacking technology and assess if “supervillain-level” attacks on smart cities were possible. It also set out to determine whether testing methods such as those employed in everyday application security review and penetration testing work could be used to find such vulnerabilities.
The vulnerabilities fell into a number of categories but there were some recurring ones:
Public default passwords: the devices could be placed into operation without requiring the user to create a secure password. Default passwords such as “admin” allow even the most novice hackers to easily gain access to these devices.
Authentication bypass: these flaws allow attackers to skip a login page and call up an internal administrative menu page that shouldn’t be accessible to them, allowing an outsider the same control as a legitimate administrator would have.
SQL injection: a long-time entry on the OWASP Top Ten, a list of the most common application security mistakes, SQL injection involves sending data that looks like part of the communication between the application and the database, confusing the database into performing actions it shouldn’t, such as disclosing usernames and passwords.
“While we were prepared to dig deep to find vulnerabilities, our initial testing yielded some of the most common security issues, such as default passwords, authentication bypass and SQL injections, making us realise that smart cities are already exposed to old-school threats that should not be part of any smart environment,” writes Daniel Crowley, head of research for X-Force Red, in IBM’s Security Intelligence.
The research team disclosed the vulnerabilities in products to the technology vendors and it says all “were responsive” and have since issued patches and software updates to address the flaws.
The report concludes by acknowledging that there is “no easy way to patch a city” because device security is not just down to the manufacturers ensuring their products are built securely; users must also practise “good security hygiene”.
It adds: “Further, there’s a shared responsibility between the manufacturer and the user: with the former issuing software updates for security issues, and the latter actually applying those updates.”
The report, which also includes guidelines for city personnel to help secure smart cities, can be downloaded at IBM’s Security Intelligence.