IBM Security and Threatcare found more than a dozen vulnerabilities in systems that connect to environmental sensors, traffic monitors and other advanced infrastructure.
It's surprisingly easy for a hacker to take control of the environmental sensors, traffic monitors and other internet-connected devices that power smart cities. With little more than some creative search-engine queries and tricks to get through or around authentication prompts, cyberattackers could take control of these systems and sow chaos in the cities that have embraced them as forward-thinking solutions, according to research released Thursday by IBM Security's X-Force Red group and the cyber-research firm Threatcare.
The researchers examined smart-city products from three companies — Libelium, Echelon and Battelle — and discovered no fewer than 17 vulnerabilities that could allow hackers to commandeer sensors and data for malign purposes. In some instances, the hacks were as obvious as entering a factory-default password like "admin" or bypassing authentication requests by adding slashes to a URL.
"Every single device examined by X-Force Red and Threatcare was still using the default passwords the they came in with the box, which are easily found online," a white paper published Thursday reads.
It's also simple to find smart-city sensors and the routers they're hooked up to, thanks to search engines like Shodan and Censys, which allow users to discover the physical locations and IP addresses of devices — effectively a map of the so-called Internet of Things.
For this study, IBM and Threatcare looked at "hubs," or the devices and software that connect smart-city devices to the wider internet. In the case of Libelium's Meshlium platform — a family of devices that transmit data collected by environmental sensors to cloud services — the researchers found that it's very susceptible to shell command injections, an attack in which a hacker uses a web interface to take control of a device's operating system. With Meshlium, the researchers found it was easy take control of the account that runs the device's web server and send commands that could disrupt sensors or falsify data relating to air quality, water levels or radiation.
Battelle's V2I Hub, a software platform the research organization is developing with the Federal Highway Administration to automate data transmission between late-model cars and municipal traffic systems — was found to have flaws that could allow a hacker to obtain an official user's credentials without authentication.
Echelon's i.LON series of servers — which support pumps, valves, environmental sensors and streetlights — was found to have numerous vulnerabilities ranging from easily obtainable passwords to authentication bypasses that can be achieved by tweaking a URL. Newer models in the product line require a physical button to be pushed before any settings can be changed, but the IBM and Threatcare researchers found they could still change the IP address, locking out legitimate users until someone pressed the button with a paper clip.
The footprint will only get larger
IBM and Threatcare write that their tests did not expose any populations to the vulnerabilities they found. But the research does stress how easy it can be to carry out a cyberattack against critical infrastructure, such as a dam in Westchester County, New York, that was targeted by Iranian hackers in 2016.
As the next wave of infrastructure, smart-city upgrades present governments with opportunities to modernize the services they provide to their residents, as well as security challenges that require them to harden themselves against non-physical attacks. And the appetite for new, internet-connected streetlights, environmental sensors and traffic signals is only growing: the International Data Corporation estimates $80 billion will be spent this year on smart-city technologies, $22 billion of that in the United States.
Not prioritizing cybersecurity as part of all those improvements leaves smart cities open to nightmare scenarios, IBM and Threatcare write. One possibility is an attacker taking control of devices to simulate a disaster and create public panic, or change readings to normal when there's a real problem.
Other threats could affect law enforcement in ways that recall blockbuster action films. The report describes a scene in 2017's "The Fate of the Furious," in which a villain played by Charlize Theron hacks into the on-board computers of parked cars and directs them to crash in order to tie up a busy New York City street so she can capture a government official carrying nuclear codes.
"While this scenario may seem far-fetched," IBM and Threatcare write, "hackers could accomplish simultaneous traffic tie-ups on key city blocks by taking control of traffic control infrastructure — enough to create gridlock and delay law-enforcement teams from accessing the real scene."
The already massive and growing number of internet-connected devices that cities use to run their operations makes security a challenge for information technology chiefs. "With the hundreds of thousands of connected devices deployed over many square miles — and from many vendors — city IT leaders can't easily patch or automatically update their sensor networks," the white paper reads.
But there are a few steps cities can undertake to improve their security hygiene as they automate and digitize more infrastructure. The report recommends implementing IP address restrictions on who can access smart-city devices, requiring users to create more complex passwords than "admin" and disable "unnecessary" remote administration features and ports.
The companies whose products were tested say they are addressing the vulnerabilities revealed int he research. Battelle, which plans to release its V2I software next month, told Forbes it fixed the flaws after being notified. Libelium posted on its website a statement that it released a security patch for its devices after being notified of IBM and Threatcare's findings.
In a statement, Echelon spokesman Andrew Maisel said IBM notified the company of the flaws it found in the i.LON line. "Echelon confirmed the vulnerability, developed mitigation solutions, notified customers, and informed DHS ICS-CERT," Maisel said, referring to the Department of Homeland Security office that informs companies about cybersecurity vulnerabilities. "This collaborative effort between IBM Security and Echelon demonstrates the commitment of both companies to promote a safe computing environment for the IoT."