A series of ethical hacks has revealed 17 serious vulnerabilities in smart city sensors and controls used around the world.
The findings, which highlight concerns around the security of internet of things devices and networks, come from an exercise carried out earlier this year by the X-Force Red security team at IBM and cyber security company Threatcare.
They have detailed the findings in a paper, which says that the connected systems being added to cities’ infrastructures can improve people’s lives but are also attractive targets for hackers, and that the accompanying security is relatively immature.
Writing in a related blogpost, Daniel Crowley, research director of IBM X-Force Red, says eight of the 17 vulnerabilities were critical in their severity.
“While we were prepared to dig deep to find vulnerabilities, our initial testing yielded some of the most common security issues, such as default passwords, authentication bypass and SQL injections, making us realise that smart cities are already exposed to old school threats that should not be part of any smart environment,” he says.
The paper says the vulnerabilities fell into various categories, but that several were recurring. These included: insecure public default passwords, which make it easy for even novice hackers to access devices; authentication bypass, which allows attackers to skip a log-in page and call up an internal administrative menu page directly; and SQL injection, which involves sending input that the application pastes into its database query, so that the attacker’s text is executed as part of the query itself. The latter can lead to the disclosure of information such as user names and passwords.
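To make two of those recurring flaws concrete, here is an added illustration that is not code from the IBM X-Force Red/Threatcare paper or from any of the products it tested: a hypothetical sensor-gateway log-in and administrative menu, written first the vulnerable way and then hardened. The table names, user names, passwords, sensor records and attack payloads are all constructed for the example.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample data for a hypothetical sensor-gateway admin panel
# (illustrative only; not taken from the X-Force Red / Threatcare paper).
USERS = [("admin", "changeme", "admin"), ("operator", "sensor42", "user")]
SENSORS = [("S-101", "flood gauge, river bridge"), ("S-102", "air quality, bus depot")]
ADMIN_MENU = ["reboot gateway", "set alarm thresholds", "manage users"]


def hash_password(password: str) -> str:
    # Plain SHA-256 keeps the example short; a real device should use a
    # slow, salted KDF such as scrypt or bcrypt.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a users table and a sensors table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT, role TEXT)")
    con.execute("CREATE TABLE sensors (id TEXT PRIMARY KEY, description TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(n, hash_password(p), r) for n, p, r in USERS])
    con.executemany("INSERT INTO sensors VALUES (?, ?)", SENSORS)
    return con


# --- Vulnerable handlers: the paper's recurring findings, in code ---

def login_vulnerable(con, name, password):
    """Query built by string formatting: the name field is injectable."""
    query = (f"SELECT name, role FROM users WHERE name = '{name}' "
             f"AND pw_hash = '{hash_password(password)}'")
    row = con.execute(query).fetchone()
    return {"user": row[0], "role": row[1]} if row else None


def sensor_lookup_vulnerable(con, sensor_id):
    """Same flaw on a read-only endpoint: a UNION payload dumps the users table."""
    query = f"SELECT id, description FROM sensors WHERE id = '{sensor_id}'"
    return con.execute(query).fetchall()


def admin_menu_vulnerable(session):
    """Authentication bypass: the page never checks for a session, so anyone
    who requests its URL directly receives the administrative menu."""
    return ADMIN_MENU


# --- Hardened handlers ---

def login_hardened(con, name, password):
    """Parameterised query: the driver passes user input as data, never as SQL."""
    row = con.execute("SELECT name, role, pw_hash FROM users WHERE name = ?",
                      (name,)).fetchone()
    if row is None or not hmac.compare_digest(row[2], hash_password(password)):
        return None
    return {"user": row[0], "role": row[1]}


def sensor_lookup_hardened(con, sensor_id):
    return con.execute("SELECT id, description FROM sensors WHERE id = ?",
                       (sensor_id,)).fetchall()


def admin_menu_hardened(session):
    """Every privileged page re-checks the session; hiding the URL is not a control."""
    if not session or session.get("role") != "admin":
        raise PermissionError("authentication required")
    return ADMIN_MENU


def demo():
    """Run two classic payloads against both versions and collect the outcomes."""
    con = make_db()
    # Constructed payloads: the first turns the WHERE clause into
    # name = 'admin' OR ('1'='1' AND pw_hash = ...), so the password no longer matters;
    # the second appends a UNION that returns every user name and password hash.
    bypass = "admin' OR '1'='1"
    dump = "' UNION SELECT name, pw_hash FROM users WHERE '1'='1"
    results = {
        "vuln_login_bypass": login_vulnerable(con, bypass, "wrong"),
        "vuln_credential_dump": sensor_lookup_vulnerable(con, dump),
        "vuln_admin_no_session": admin_menu_vulnerable(None),
        "hard_login_bypass": login_hardened(con, bypass, "wrong"),
        "hard_lookup_payload": sensor_lookup_hardened(con, dump),
        "hard_login_ok": login_hardened(con, "admin", "changeme"),
    }
    try:
        admin_menu_hardened(None)
        results["hard_admin_no_session"] = "allowed"
    except PermissionError:
        results["hard_admin_no_session"] = "denied"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the vulnerable log-in accepting the injected name with a wrong password, the vulnerable sensor lookup returning every user name and password hash, and the unprotected menu answering an anonymous request, while the hardened versions return nothing for the same payloads and refuse the menu without an admin session. The two fixes are independent: parameterised queries stop the injection, but the administrative page stays exposed until it checks the session itself.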
It also says it was very easy for the hackers to find the locations of smart city devices and work out their purposes. Among the weaknesses was that every single device was still using the default password it came with out of the box, and these passwords are easy to find online.
Among the possible consequences it highlights are the transmission of false alert signals to disaster detection and alarm systems, the manipulation of systems to interfere with the police response to a crime or incident, and the disruption of systems used to nurture agricultural crops.
In response, it says public authorities and technology suppliers need to prioritise security by re-examining security protocols, building proper frameworks for the system, and developing standard best practices for patching security flaws.
Guidelines for cities’ security personnel include restricting the IP addresses that are allowed to connect to the devices, especially if networks rely on the public internet, and using application scanning tools to help identify vulnerabilities.
The paper does not name the cities whose systems were hacked.
New challenges in cyber security for the public sector will provide the focus for the UKAuthority Public Sector Cyber Forum, scheduled to take place in London on Thursday 20 September and free to attend for public servants.
Image by Kai Stachowiak, CC0 via Wikimedia Commons