Imagine this: You’ve just ended your work day and escaped the office on a wet, winter evening. As you drive through town, the heavy rain drops fall like tiny, liquid mirrors under the glow of the street lamps. There’s traffic, but the stoplights are timed in your favor, you’re getting all green. Even with the weather, at this pace, you should make it home on time.
Suddenly, the only illumination cutting through the night are tail and headlights. The street lamps and traffic lights are dark. Even some buildings are now spotted in black. You see across the way, the city’s light rail train dead in its tracks. Your easy-flowing, luminous commute is now a cluster of honking paralysis, enveloped shadows. What’s happened? Your ‘smart’ city has been hacked.
Smart City, Vulnerable City
Cyber attack. Most often the phrase brings to mind assaults perpetrated against businesses and organizations; networks and data infiltrated for monetary or informational gain. Still low on our radar is the possibility of a whole city or region falling victim to a cyber invasion. Yet, a growing number of municipalities are becoming ‘smart’ - adopting IoT (Internet of Things) devices to monitor and control things such as weather, water levels, radiation, air quality, emergency alerts, drinking water filtration, lighting, traffic and public transportation – and thus systemically escalating the risks of faceless strikes.
Global smart city spending is estimated to hit about $81 billion by the close of 2018
Why Hack a City?
Why would someone want to hack a city? Shut down its lighting? Manipulate its traffic lights? Send out false emergency alerts? A city hack doesn’t hold the obvious enticements of big-revenue businesses or data-laden healthcare organizations. But that doesn’t mean real threats aren’t lurking around dark cyber corners. Holding a city’s controls or services for ransom could be one motivator. Or a hack that causes serious a disruption, such as a manipulating water dam controls to flood a city, could be used as distraction to commit another crime or interrupt events, such as elections or protests. Nefarious foreign state actors could also impose destruction on a larger scale. And sometimes, criminals execute a crime for nothing more than bragging rights, particularly within the cyber crime community. Peer recognition and accolades are reward enough. Whatever the reason, the fact remains: Every municipal function given over to wireless governing renders greater vulnerability.
Smart City Security Climate
With worldwide spending on smart cities expected to reach $81 billion by the end of 20181, IBM Security and the data security firm Threatcare, decided to conduct a review of smart cities’ sensor hubs - essentially the central brain of a smart city’s functions and data processes. They took a look at three separate manufactures of these sensors: Libelium, Echelon, and Battelle
A city’s central hub is a top concern. Those who control it, wield great potential to manipulate vital processes and information. In the wrong hands that power could be deadly. But often smart cities employ the open internet to transfer data or connect sensors instead of a more secure internal native network. This leaves them vulnerable to anyone combing the internet with bad intent.
17 Threats Found
Right away, the researchers discovered an unsettling 17 vulnerabilities in products from all three manufacturers. Eight of those significant. Some of the failings were common pitfalls, such as weak passwords or unpatched software updates that would permit a hacker to embed malware or bypass authentication protocols.
Though automatic updates serve as an easy fix to ensure all software is appropriately patched, municipal and industrial setups often don’t use this safety catch. A glitchy update could destabilize its environment before it would be detected. As expected, the hubs that were reviewed didn’t bear any automatic update capabilities.
The IBM and Threatcare team also scanned the internet with publicly available IoT crawlers and unveiled security-flawed smart city devices across the globe. The researchers even notified respective authorizes after finding vulnerable radiation detectors in one European country and risk-riddled traffic monitors in one major U.S. city.
The good news, so far: there is no evidence of malicious activity involving any of the identified vulnerabilities. Though they did unearth a 2015 posting on a hacker forum that revealed one of the known security gaps.
Cities must realize the risk within the returns
Cyber safety advocates, such as IBM and Threatcare, will continue to raise awareness of the ever-burgeoning threats that unsecured smart cities can impose upon citizens and municipal infrastructure. Cities have much to gain from automating processes and managing data on the cloud, but they must realize the risks within the returns. Conducting frequent in-depth risk assessments is just one of the methods to reveal vulnerabilities in their systems and institute more formidable security. ‘Smart’ isn’t inherently safe.
1.The Sensors That Power Smart Cities are a Hacker’s Dream, Wired, 2018
For more great industry info and news, check out our free tip sheet:
Written by Angie Longacre
As a writer for Assurance Software, Angie devotes her craft to promoting business continuity and disaster recovery awareness, and trumpeting Assurance Software’s invaluable benefits for both. When she’s not commanding the keyboard, you can find her outside for a run, searching for her next antique treasure, or lost in a good book.