SoS Musings #18 - Get Smart About Smart City Cybersecurity

SoS Musings #18

Get Smart About Smart City Cybersecurity

The ultimate goal of a “smart city” is to improve upon the quality of life for those residing within the city. However the execution of attacks on smart city systems could lead to devastating consequences for residents. A smart city deploys technologies with the purpose of managing the performance of urban services via the analysis of data collected by internet-connected devices. These internet-connected devices include environmental sensors, traffic monitors, water level gauges, and more. Smart city systems can be implemented to manage air quality, water flow, traffic signals, transportation, disaster warnings, and more. The compromise of these systems by cyberattackers could lead to mass panic similar to that of the incident in Hawaii on January 13, 2018 in which a false ballistic missile alert was sent out via the Emergency Alert System by an employee, leaving Hawaiians fearing for their lives. Although the incident occurred as a result of human error, it did ignite concerns surrounding the deliberate abuse of such systems by cyberattackers to raise havoc.

Recent research has highlighted the security weaknesses contained by smart city systems and the havoc that could occur if these weaknesses were to be exploited by malicious actors. The panic that followed the false missile alert in Hawaii is what influenced researchers from Threatcare and IBM X-Force Red to further investigate the vulnerability of smart city systems to being hacked and the dangers that could arise as a result of such incidents. Smart city systems provided by companies, Libelium, Echelon and Battelle, were discovered to contain 17 zero-day vulnerabilities that could be exploited by hackers to manipulate the sensors and data used by these systems in order to cause major disruption or harm. The vulnerabilities discovered in the systems examined in this study could lead to a number of disruptive and potentially disastrous outcomes such as the issuing of false alerts pertaining to floods and radiation leaks, creation of gridlocks, shutdown of lights, and more. The ways in which these vulnerabilities emerged call for vendors to prioritize and examine security in the development of these smart city systems.

Many of the vulnerabilities discovered in smart city systems by IBM X-Force and Threatcare were reported to be simple to exploit as they fell into common groupings including default passwords, authentication bypass, and SQL injection. In addition, many of smart city devices used in these systems were found to be vulnerable to remote access online through the use of search engines, Shodan and Censys, which could allow attackers to determine how these devices are being used, where they are located, who they have been purchased by, and the security features they contain. Following the disclosure of discovered security vulnerabilities to the vendors of affected smart city products, patches and software updates were issued. However, further steps need to be taken to ensure the security of these smart city systems.

Researchers have urged manufacturers and users of smart city devices to take further actions to securing such devices. The leaders of cities in which these smart systems are being utilized as well as the vendors of devices being used in these systems are expected to make security a priority in the development and implementation of this type of technology. The security of smart cities could be improved through the examination of security protocols, creation of security frameworks, and establishment of procedures for executing patches for security vulnerabilities. Researchers have also emphasized the importance of specific practices such as managing who can connect to smart city devices through the application of IP address restrictions, using vulnerability-identifying applications, enforcement of stronger password practices, deactivation of remote administration features that are not required, and more.

This study calls for further investigation of vulnerabilities contained by smart city systems. More strategies and best practices for bolstering the security of such systems should be developed as the exploitation of the vulnerabilities contained by these systems could have serious implications with respect to the security and well-being of city residents.