We hear a lot about Smart Cities and the manifold benefits they will bring to their citizens. We hear rather less about the problems and vulnerabilities inherent to Smart City systems and processes.
It’s a matter of extrapolation from the small and personal to the big and citywide. We all know that just about every consumer smart device has susceptibilities that can lay it open to hacking and cyber attacks.
‘Researchers found some profoundly deep vulnerabilities in smart city systems.’ – Martyn Warwick
The same applies at municipal level. Vulnerabilities abound in citywide smart systems, but the consequences of their being hacked will be much farther-reaching and potentially much more devastating than an attack on an individual consumer smart device (although citywide and even national cyber attacks can be originated via compromised consumer devices such as unprotected smart thermostats). And, of course, macro-scale municipal systems can be attacked and data compromised, too.
Scientists from IBM X-Force Red Security and the Austin, Texas-headquartered cyber security company Threatcare have been co-operating to stress-test a range of smart city systems and devices, and their report makes for disturbing reading.
The specific goal of the research was to assess the likelihood of what is called a “supervillain-level” attack from a great distance, and the team found 17 “zero-day” vulnerabilities in four different smart city systems. Eight of the 17 were classed as ‘critical severity.’
(The term ‘zero-day’ refers to an unknown software vulnerability that the developer has only just become aware of, and therefore, and obviously, no patch or update to correct the vulnerability has been released leaving a hacker free to run amok in a system).
What is particularly worrying is that while the researchers found some profoundly deep vulnerabilities in smart city systems, they also found that they are wide open to a range of the oldest, most basic, well-known and common security vulnerabilities known to man.
They found that smart city systems are still not adequately protected against things such as easily accessed default passwords, authentication bypass and SQL injections.
The IBM and Threatcare teams focused on three categories of smartness: intelligent transportation systems, disaster management and the industrial Internet of Things (IoT). Such technology classifications communicate via Wi-Fi, 4G cellular and a variety of other comms protocols and platforms.
Data generated by sensors goes to interfaces that provide actionable information about sectors such as traffic flows, highway conditions, overcrowding and holdups on public services, pressure points in healthcare systems and the smooth (or otherwise) functioning of other municipal services including the water and sewage systems and on up through to environmental monitoring.
The joint researchers tested smart city technologies from three companies: Battelle (a not-for-profit organisation that develops and markets smart technologies), Echelon (an industrial IoT company) and Libelium (a manufacturer of hardware for wireless sensor networks). When the research team discovered vulnerabilities, they told the vendors about them and, to their great credit, all three companies responded immediately and very quickly issued patches and software updates to remedy the flaws discovered.
When the IBM and Threatcare teams discovered smart city susceptibilities, they probed them with various invasion scenarios and found that hundred of devices (from each vendor) were open to remote access hacking attacks. What’s more, the exposure of the vulnerabilities was affected via ordinary and commonly used search engines that are available to all and sundry.
To make matters worse, a surprisingly large number of smart city systems and applications continue to use the open Internet rather than a fully-secured municipal network either to connect IoT sensors or transmit data to the cloud. That means devices can be left visible and easily able to be appropriated by malign actor.
When susceptible devices were found, the researchers were able to access information including who bought the devices and what they were being used for. Among the scary discoveries was European country using insecure devices for radiation detection and a big US city using unprotected devices for traffic monitoring and elsewhere, the ability for an attacker to break into systems and manipulate water level sensors.
Having having quickly demonstrated just a few but deeply concerning smart city vulnerabilities, IBM and Threatcare provided a list of recommendations to help municipal authorities to secure smart city systems.
Other precautions should include the use of security-incident and event-management tools to identify suspicious traffic and also the employment of ‘white hat’ hackers to test and test again smart city systems for both hardware and software weaknesses.
The forecast is that city authorities across the globe will spend upwards of USD 81 billion on smart city technology this year, and that figure will rise to USD 135 billion by 2021.
Smart cities are a wave of the future, but as their distribution becomes increasingly commonplace, the authorities and the industry at large must to take a long hard look at systems design and ensure that they are designed, from the very start and from the ground up, to be as secure as is humanly possible.
Remember the old adage: ‘the more data, the more the risk.’ And smart cities are going to generate immense amounts of data.