Smart city hacks could turn criminals into "supervillains"

Researchers say hackers could exploit vulnerabilities to mask flood warnings and sow chaos

Security researchers have warned that smart city infrastructure contains many flaws that could allow hackers to cause panic among citizens by manipulating systems used to warn people of emergency situations.

According to a blog post by Daniel Crowley, research director at IBM X-Force Red, around 17 vulnerabilities have been discovered in various smart city systems across the UK, US and Europe, eight of which have been deemed "critical".

"While we were prepared to dig deep to find vulnerabilities, our initial testing yielded some of the most common security issues, such as default passwords, authentication bypass and SQL injections, making us realize that smart cities are already exposed to old-school threats that should not be part of any smart environment," said Crowley.

The team investigated smart city systems from companies Libelium, Echelon and Battelle. Four pre-authentication shell injection flaws were found in Libelium's wireless sensor network, Meshlium. Echelon's i.LON 100/i.LON SmartServer and i.LON 600 SmartServers had two critical authentication flaws, unencrypted communications problems, default credentials in use, and plaintext passwords.

Battelle's V2I (Vehicle-to-Infrastructure) Hub, version 2.5.1, had a hard-coded administrator account and default API keys, as well as authentication bypass, SQL injection and reflected XSS vulnerabilities.

Once these flaws were discovered, researchers then carried out standard internet searches to find affected devices online.

"We found a European country using vulnerable devices for radiation detection and a major US city using them for traffic monitoring. Upon discovering these vulnerabilities, our team promptly alerted the proper authorities and agencies of these risks," said Crowley.

A compromised system could be used to manipulate things such as water level sensors to activate false flood warnings, potentially creating panic and evacuations. More worryingly, hackers could use the same tactic to silence an alarm during a legitimate crisis.

"If someone, supervillain or not, were to abuse vulnerabilities like the ones we documented in smart city systems, the effects could range from inconvenient to catastrophic," he said. "While no evidence exists that such attacks have taken place, we have found vulnerable systems in major cities in the US, Europe and elsewhere."

The discoveries were made known to the vendors, who then issued patches and software updates to address the flaws.
