jamesteohart - stock.adobe.com
In an attempt to make cities more efficient and to improve the lives of their citizens, city managers and urban planners are making cities’ infrastructure vulnerable to cyber attack, a report has warned.
In New York, more than 600 sensor cameras gather traffic data for the city’s Department of Transportation, mainly for signal timing and emergency management. The data collected by the cameras also sheds light on average vehicle speeds and bicycle usage.
In Barcelona, the city’s lighting masterplan uses smart technology to improve the efficiency of lampposts; when the streets are empty, lights automatically dim to conserve energy. The lampposts also have sensors that collect air quality data.
By taking advantage of readily available tools for identifying exposed devices, and the relatively immature security in smart city technology, the report said attackers could take control of these systems.
This means cyber attackers could potentially cause citizens to panic, put workers in danger and send law enforcement officers and other incident responders on wild-goose chases by triggering false alarms. “If control is placed in the wrong hands, attackers can abuse that trust, to devastating consequences,” the report warned.
Left unpatched, the report said these vulnerabilities could allow hackers to gain access to sensors and manipulate data, adding that it was important to keep in mind that even a simple false sensor alert, generated by malicious hacking or otherwise, could trigger mass panic.
“An actor who is determined to incite mass chaos could create far greater impact with minimal effort if security for sensors and controls is not strengthened,” the report warned.
IBM Security report
The vulnerabilities found in smart city sensors and controls fell into various categories, but the most common were public default passwords, authentication bypass and SQL injection.
The report said many devices could be placed into operation without requiring the user to create a secure password, but default passwords – such as “admin” – allow even the most novice hackers to easily gain access to these devices.
Authentication bypass flaws, the report said, allow attackers to skip a login page and call up an internal administrative menu page that should not be accessible to them, allowing an outsider to gain the same control as a legitimate administrator.
SQL injection, which is a long-standing entry on the Owasp Top Ten list of the most common application security mistakes, involves sending data that looks like part of the communication between the application and the database, confusing the database into performing actions it should not, such as disclosing usernames and passwords.
According to the report, researchers found it “painfully easy” to find out the locations of smart city devices, their purpose, and the minimal security safeguards they were shipped with.
One method the research team used to discover these systems was to search Shodan or Censys, two search engines for internet of thing (IoT) and connected devices, for the specific locations and IP addresses of devices and then match the search data to published supplier information to determine what the device is used for, such as air-quality monitoring.
Next, researchers looked for supplier support information such as installation guides that outline password protection, troubleshooting and other security features.
Attackers who can track down and research smart city controls and sensors may have little trouble exploiting vulnerabilities and getting past minimal security barriers, the report said, especially where default passwords are used and authentication bypass is possible.
The report noted that smart city technologies present, and sometimes further complicate, many of the security challenges that local government and industrial control system (ICS) networks have been facing over the past decade.
“These challenges often have to do with the fact that the devices/assets are often attached to legacy equipment on legacy operating systems or have been connected to the internet without a full security audit of the risks,” the report said.
According to IBM researchers, there is no easy way to patch a city, particularly as the responsibility is shared between device makers and users.
While it is the manufacturer’s job to make sure their products are built securely, the report said it was the user’s responsibility to use good security hygiene.
Further, the report said there was a shared responsibility between the manufacturer and the user, with the former issuing software updates for security issues, and the latter applying those updates.
Guidelines for city security personnel to secure smart cities
- Implement IP address restrictions for who can connect to the smart city devices, especially if networks rely on the public internet.
- Use basic application scanning tools that can help identify vulnerabilities.
- Use strong network security rules to prevent access to sensitive systems, as well as safer password practices.
- Disable unnecessary remote administration features and ports.
- Take advantage of security incident and event management tools to scan network activity and identify suspicious internet traffic.
- Hire ethical hackers to test systems. These teams are trained to “think like a hacker” and find flaws in systems before the bad guys do.