Probing the smart city for vulnerabilities

August 23, 2018

One of my favorite corny traditions at industry conferences is buzzword bingo. What words and phrases will we hear at nearly every booth, lecture, and meeting? We never have to wait long to find out, and this year’s Black Hat didn’t disappoint with smart cities.

Now, the term isn’t new, and the concept actually seems to be one we could all get behind. A smart city is one that leverages technology to help residents live happier by preventing floods, reducing traffic, automating garbage pickup, and more. Sounds great, right?

But here’s the thing: The smart devices and systems enabling smart city technologies connect to the Internet — and they have some extra vulnerabilities that could lead to real-world issues.

Many times, people shrug off the insecurity of the IoT or mock technology makers for letting people spy on someone’s nanny cam or change the temperature on someone else’s connected thermostat. However, when you consider devices that can control the water levels at dams or alert residents of flooded streets — or radiation levels near a power plant — you are talking about major panic buttons.

During the second day of the conference, researchers from Threatcare and IBM X-Force Red shared joint research in which they described the zero-day threats they found within four different pieces of smart city tech.

Using IoT search engines Shodan and Censys, the researchers found the use of smart devices widespread in cities in the United States, Europe, and elsewhere. In total, they found 17 vulnerabilities, more than half of which can be considered critical.

The search also yielded some more scary intel, such as when the team found that a European country was using a vulnerable device to detect radiation and another in the US using it for traffic control. (The researchers alerted the authorities or agencies of the vulnerabilities.)

The thing is, those vulnerabilities were not particularly complicated. The researchers said they found the vulnerabilities pretty quickly, and that vendors could close most of them by taking basic measures.

As you can see, the threats are real. To their credit, the vendors were cooperative with the researchers and released patches for the vulnerabilities. Whether the municipalities in question then applied the patches in a timely manner, however, we cannot say.

In an effort to further highlight potential worst-case scenarios, the researchers rigged up a model dam based on one of the devices they assessed in their study. It used smart sensors to control the level of water in the dam. With an attack that took them less than a minute to carry out, the team drained the water from the dam and flooded the river below onto the roads on either side.

Again: The equipment is not some random IOT devices — it is real equipment that is used in real cities. Governments and municipalities rely on those devices in their daily tasks. If security researchers could find vulnerabilities there with minimum effort, it is only a matter of time before cybercriminals will do the same, or find something even worse.

We can scoff at the fear factor, but cities would be wise to heed the advice of these cybersecurity researchers; smart cities represent a booming industry expected to grow to $135 billion in the next three years. And unlike the majority of the IoT, these devices are protecting a lot more than a device that can order your pizza or get you a refill of laundry detergent in two days or less — they protect what really matters in a city: the people.