Smart city hacks could turn criminals into "supervillains"

Security researchers have warned that smart city infrastructure contains many flaws that could allow hackers to cause panic among citizens by manipulating systems used to warn people of emergency situations.

According to a blog post by Daniel Crowley, research director at IBM X-Force Red, around 17 vulnerabilities have been discovered in various smart city systems across the UK, US and Europe, eight of which have been deemed as "critical".

"While we were prepared to dig deep to find vulnerabilities, our initial testing yielded some of the most common security issues, such as default passwords, authentication bypass and SQL injections, making us realize that smart cities are already exposed to old-school threats that should not be part of any smart environment," said Crowley.

The team investigated smart city systems from companies Libelium, Echelon and Battelle. Four pre-authentication shell injection flaws were found in Libelium's wireless sensor network, Meshlium. Echelon's i.LON 100/i.LON SmartServer and i.LON 600 SmartServers had two critical authentication flaws, unencrypted communications problems, default credentials in use, and plaintext passwords.

Battelle's V2I (Vehicle-to-Infrastructure) Hub, version 2.5.1 had a hard-coded administrator account as well as default API keys and authentication bypass, SQL injection security flaws and reflected XSS vulnerabilities.

Once these flaws were discovered, researchers then carried out standard internet searches to find affected devices online.

"We found a European country using vulnerable devices for radiation detection and a major US city using them for traffic monitoring. Upon discovering these vulnerabilities, our team promptly alerted the proper authorities and agencies of these risks," said Crowley.

A compromised system could be used to manipulate things such as water level sensors to activate false flood warnings, potentially creating panic and evacuations. More worryingly, hackers could use the same tactic to silence an alarm during a legitimate crisis.

"If someone, supervillain or not, were to abuse vulnerabilities like the ones we documented in smart city systems, the effects could range from inconvenient to catastrophic," he said. "While no evidence exists that such attacks have taken place, we have found vulnerable systems in major cities in the US, Europe and elsewhere."

The discoveries were made known to the vendors, who then issued patches and software updates to address the flaws.