By Marilia Wyatt
When compromised smart city technology systems have a physical risk element, there is a lot at stake for public safety.
The CyberPrivacy Brief:
- Smart city technology is being built without basic security protections and rolled out in cities with vulnerabilities, researchers say.
- The flaws could enable attackers to take control of systems to manipulate data and significantly compromise public safety.
- The devices are easy to exploit because their location, function, and the minimal security protections they shipped with can be readily found, they add.
- An attacker with the intent to incite chaos could create far greater impact with minimal effort if the cybersecurity of sensors and controls is not strengthened, they advise.
Why it matters: A smart city embeds information and communication technologies (ICT) within government systems and connects components within the city. These technologies range from Internet of Things sensors to open data collection and other smart technology capabilities that enhance services and increase operational efficiency. Sensors can monitor air quality, traffic, radiation, and water levels, and can automatically inform services like street lights, security systems, and emergency alerts. These systems might be highly interconnected and, because they provide services to the public, could have a physical risk element when compromised, making robust security standards for them a matter of public safety.
17 vulnerabilities found and responsibly disclosed. The August 2018 whitepaper from security researchers at IBM X-Force Red and cybersecurity firm Threatcare revealed that the systems lacked basic security protections and had various flaws, with these three issues in common:
- Default public passwords, with no requirement that users create a secure password.
- Authentication bypass flaws that would allow an attacker to skip the login page and reach an administrative-level menu, gaining access that should not have been available to them.
- SQL injection flaws that would allow malicious code to manipulate the database into revealing information it shouldn’t, such as usernames, passwords, and confidential data.
‘Dangers’ of smart city hacking. The report highlights areas of potential risk and impact if smart city systems are compromised:
- Attackers could send out false emergency alerts, triggering panic among citizens;
- Attackers could compromise public safety by blocking warnings about real dangers;
- Attackers could cause city officials to allocate resources to nonexistent issues.
The report further raises concerns that attackers could turn the strategies and tools they have used on industrial control systems (ICS) against smart city sensors and controls, causing damage to critical systems that run plants and utilities. “If someone, supervillain or not, were to abuse vulnerabilities like the ones we documented in smart city systems, the effects could range from inconvenient to catastrophic,” said Daniel Crowley, research director at IBM X-Force Red, in a blog post.
Recommendations: The report advises city leaders, manufacturers, and cybersecurity leadership to improve frameworks by taking action in the following areas:
- Prioritizing cybersecurity by re-examining the vendors’ standard protocols.
- Building adequate cybersecurity frameworks for these systems.
- Developing standard best practices for patching software security flaws.
- Vendors adding network port restrictions and stronger password controls to make sure the systems are accessible only by authorized users.
- Vendors and city officials running security tests and IP scans on devices and networks to provide an extra level of protection against unauthorized access and manipulation.
There is no easy way to patch a smart city, as devices are often connected to legacy operating systems that lack proper security risk audits before being connected to the internet, researchers say. But there are still proactive steps city officials and manufacturers should take. For instance, manufacturers should build products that are secure by design, and city officials should have processes in place for vulnerability patching and ensure that city vendors adhere to proper cybersecurity requirements and standards, the report says.
Commentary & Analysis
There is no silver bullet. As smart cities develop and grow, city officials should manage detailed incident response plans and practice them. Preparation can benefit city officials by helping them identify gaps in plans, clarify roles and responsibilities, work out difficult decisions, and test policies and lines of communication when mayhem strikes.