When you live in a smart city, you have a lot more to worry about than rising rent.
Cities are constantly evolving, and adding technology to make processes more convenient seems like a natural step. These multi-million dollar tech upgrades to major cities are designed to make everyday life easier, whether it’s web-connected cameras on street lights in San Diego or solar-powered sensors to detect fire alarms across Louisville, Kentucky.
But those high-tech conveniences come with cutting edge risks as well. Cities with more connected infrastructure open the door to hackers looking for vulnerabilities, a trend we’ve seen with the increased number of connected devices in our lives. But in the case of smart cities, hackers exploiting a security loophole doesn’t just affect an individual or family, but potentially millions of residents.
Security researchers from IBM and Threatcare found 17 new vulnerabilities with smart city systems used across the world, which would have allowed potential attackers to change traffic signals and send off flood warnings even when nothing is happening.
Jennifer Savage, a security researcher from Threatcare, and Daniel Crowley, a research director with IBM’s X-Force Red, disclosed their findings at the Black Hat cybersecurity conference in Las Vegas on Thursday.
The researchers contacted the companies involved, who said they’ve since fixed these vulnerabilities and issued patches for their devices. It’s unclear if all the cities using these systems have installed them, however.
These vulnerabilities are a reminder that there may be other risks these researchers haven’t found yet — ones that hackers are constantly on the hunt for.
Many of the vulnerabilities the two researchers discovered were simple to exploit, the two said in an interview prior to Black Hat on July 30. That included entire city systems accessible thanks to default passwords, and networks exposed online for anybody to find.
“These are devices that can be exploited without any type of prior knowledge,” Crowley said. “These are Application Security 101 types of issues. You shouldn’t be exposing any devices to the entire internet.”
The researchers looked at three smart city systems: Libelium, Echelon and Battelle. Their systems have been used for detecting floods in Argentina, controlling lights in France, and monitoring traffic in Massachusetts, according to the companies’ case studies.
Echelon said it’s confirmed the vulnerabilities and notified customers to apply updates.
“We’ve redesigned our user interface to secure vulnerabilities,” a spokesman from Battelle said.
Libelium did not respond to requests for comment.
With access to those controls, Savage said, potential attackers could carry out widespread attacks causing panic across cities. She pointed to the false alarms blaring across Dallas, Texas after hackers set off tornado sirens with a rogue radio signal.
During their research, Savage and Crowley found many of these smart city devices online, publicly available on Shodan, a search engine to find internet-connected gadgets. From there, they were able to see who purchased the device, what city they’re in, and what it’s used for. In many cases, they were also able to see that these devices were using default passwords and open to takeovers.
But don’t worry — they weren’t using live systems as test dummies for their attacks. The pair spent thousands buying these smart city systems on their own to break apart and find security flaws on, Savage said.
A Smart City under cyberattack
The vulnerabilities range from devices designed to monitor water levels to traffic controls and accessing industrial controls.
Battelle offers a service called V2I (Vehicle to Infrastructure) Hub, which is being tested with the Federal Highway Administration, but not used in any public roads, the company said. It monitors traffic and helps determines signal timing to connected cars, according to city records (.pdf).
It’s supposed to monitor how many cars are on the road and control signals to help with the flow of traffic. If a hacker took it over, Crowley said it would be able to make traffic problems “much worse.”
For the flood control systems, Crowley and Savage were able to take over the machines and have it set off warnings even when there wasn’t a single drop of water around.
The system, which is offered by Libelium, has a critical vulnerabilities that allowed for hackers to take control of these wireless sensors over the internet. It meant that an attacker could also silence flood warnings, potentially putting a town in danger.
“Something this vulnerable is being relied on for something that important,” Savage said.
And Echelon’s smart city system, i.LON, is used to control street lights in cities like Dublin, Ireland. Savage and Crowley found that many of its devices online had default passwords.
A smart city under attack by hackers can have far-reaching consequences, with the power to shut down roads and lights, the two researchers warned.
“By the time that people realize that something is wrong, it might be too late to prevent or reverse whatever damage is done,” Crowley said.
Patch your city
But it’s not all doom and gloom for cities that want to stay connected.
Smart sensors are helpful for city officials looking to make services run much more efficiently. The flood warning system has saved lives, while smart lights has helped cities become more environmentally friendly.
Still, it’s important that these officials are also careful with what they’re implementing and continue to maintain cybersecurity for their cities.
“What would the impact be if the lights couldn’t turn on?,” Michael Lee Sherwood, Las Vegas’ director of technology and innovation, said. “It’s about security as well as safety now.”
Sherwood is responsible for keeping Las Vegas’ smart city secure, and he said the city officials are always looking for vulnerabilities before it rolls out the technology to the public. He urges other cities to do the same, since the risks will only rise as smart cities become more prevalent.
“Eventually, it’ll just be infrastructure. People will expect automation in lights and in parking,” Sherwood said. “The term ‘smart city’ will go away, but the need for security will not. It’s only going to elevate.”
For starters, cities should change passwords for these connected devices the moment they install them, and also harden restrictions so that random people can’t find them online.
Most importantly though, Savage said, when security vulnerabilities pop up, city officials should recognize them and look to fix them as soon as possible.
“I hope that when it comes to something as big and important as a city, that people are more careful and more aware, and that they will patch,” Savage said.