Smart city hacks could turn criminals into "supervillains"

Researchers say hackers could exploit vulnerabilities to mask flood warnings and sow chaos

Security researchers have warned that smart city infrastructure contains many flaws that could allow hackers to cause panic among citizens by manipulating systems used to warn people of emergency situations.

According to a blog post by Daniel Crowley, research director at IBM X-Force Red, around 17 vulnerabilities have been discovered in various smart city systems across the UK, US and Europe, eight of which have been deemed as "critical".

"While we were prepared to dig deep to find vulnerabilities, our initial testing yielded some of the most common security issues, such as default passwords, authentication bypass and SQL injections, making us realize that smart cities are already exposed to old-school threats that should not be part of any smart environment," said Crowley.

The team investigated smart city systems from companies Libelium, Echelon and Battelle. Four pre-authentication shell injection flaws were found in Libelium's wireless sensor network, Meshlium. Echelon's i.LON 100/i.LON SmartServer and i.LON 600 SmartServers had two critical authentication flaws, unencrypted communications problems, default credentials in use, and plaintext passwords.

Advertisement - Article continues below
Advertisement - Article continues below

Battelle's V2I (Vehicle-to-Infrastructure) Hub, version 2.5.1 had a hard-coded administrator account as well as default API keys and authentication bypass, SQL injection security flaws and reflected XSS vulnerabilities.

Once these flaws were discovered, researchers then carried out standard internet searches to find affected devices online.

"We found a European country using vulnerable devices for radiation detection and a major US city using them for traffic monitoring. Upon discovering these vulnerabilities, our team promptly alerted the proper authorities and agencies of these risks," said Crowley.

A compromised system could be used to manipulate things such as water level sensors to activate false flood warnings, potentially creating panic and evacuations. More worryingly, hackers could use the same tactic to silence an alarm during a legitimate crisis.

"If someone, supervillain or not, were to abuse vulnerabilities like the ones we documented in smart city systems, the effects could range from inconvenient to catastrophic," he said. "While no evidence exists that such attacks have taken place, we have found vulnerable systems in major cities in the US, Europe and elsewhere."

The discoveries were made known to the vendors, who then issued patches and software updates to address the flaws.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now


Business strategy

Benefits of flexible working (including for parents)

10 Dec 2019
Careers & training

What does the future of work look like?

13 Nov 2019

What is 5G and how far are we from rollout?

29 Oct 2019
Business strategy

Flexible vs agile working

26 Sep 2019

Most Popular

operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020
mergers and acquisitions

Xerox to nominate directors to HP's board – reports

22 Jan 2020