What if hackers malevolently caused a city-wide panic by manipulating smart devices, say by sounding alarms when there was no emergency, or controlling remote traffic sensors, or triggering a radiation leak warning from a nearby nuclear power plant?
The panic that might ensue could be hellacious. A new study released by IBM’s X-Force Red Team and Threatcare researchers on Thursday at Black Hat 2018 determined that those types of disasters and more are no longer the stuff of movies. The researchers found 17 zero-day vulnerabilities in four common smart city systems -- eight of which were critical, readily exploitable by cyber crooks.
“The same innovations that make smart city technology attractive to cities – such as their connectivity and ease of management – also make them attractive targets to attackers,” IBM wrote in the study. “City leaders and citizens alike are trained to trust these systems and their alerts. If control is placed in the wrong hands, attackers can abuse that trust, to devastating consequences.”
Perhaps what’s most disconcerting is that the security flaws are rather pedestrian -- default passwords, authentication bypass and SQL injections. The early conclusion? “Smart cities are already exposed to old-school threats that should not be part of any smart environment,” wrote Daniel Crowley, IBM X-Force Red research director, in a blog post.
IBM tested devices in three macro categories: intelligent transportation systems, disaster management and the industrial Internet of Things (IoT). These devices communicate through various protocols and platforms, including Wi-Fi, 4G cellular and ZigBee. The team tested smart city devices by Libelium, which makes wireless sensor networks; Echelon, which sells embedded IoT devices like networked lighting controls; and Battelle, a non-profit applied science and technology developer.
The researchers not only found vulnerabilities in the vendors’ products; in some cases their test exploits also turned up hundreds of each vendor’s devices exposed to remote access on the internet. The good news is that all four vendors, when told of the flaws, quickly issued patches and software updates.
“If someone, supervillain or not, were to abuse vulnerabilities like the ones we documented in smart city systems, the effects could range from inconvenient to catastrophic,” wrote Crowley.
Fortunately, there’s no evidence of cyber attacks on smart city devices despite the plethora of vulnerable systems in major cities in the U.S. and Europe, he said. In making the point that the market for smart city technology is growing rapidly, IBM pointed to research firm IDC’s forecast that the market will reach $135 billion in the next three years, up from the current $80 billion. “As smart cities become more common, the industry needs to re-examine the frameworks for these systems to design and test them with security in mind from the start,” Crowley said.
How to Secure Smart City Systems, Infrastructure
Here are IBM X-Force Red’s recommendations to help secure smart city systems:
- Implement IP address restrictions to connect to the smart city systems.
- Leverage basic application scanning tools that can help identify simple flaws.
- Implement safer password and API key practices.
- Take advantage of security incident and event management tools to identify suspicious traffic.
- Hire white hat hackers to find the flaws in systems.
IBM Security: Additional Developments
The recommendations come the same week that IBM Security launched the X-Force Red Labs Internet of Things (IoT) device and system analysis network.
During a Black Hat breakfast with MSSP Alert, IBM X-Force Red Global Managing Partner Charles Henderson and IBM Security VP John Wheeler explained the evolving nature of IT outsourcing and managed security services.
The age of static, long-term outsourcing relationships is over, Wheeler explained. Instead, modern MSSPs like IBM must maintain a trusted, dynamic relationship with customers -- constantly evolving to address the ever-changing threat landscape, Wheeler added.
Customers, meanwhile, must evolve to safeguard new types of endpoints and sensors. Henderson walked MSSP Alert through several types of industrial control systems and IoT endpoints that vendors typically fail to harden for customers.
Additional reporting from Joe Panettieri.