Smart city hacks could turn criminals into "supervillains"

Researchers say hackers could exploit vulnerabilities to mask flood warnings and sow chaos

Security researchers have warned that smart city infrastructure contains many flaws that could allow hackers to cause panic among citizens by manipulating systems used to warn people of emergency situations.

According to a blog post by Daniel Crowley, research director at IBM X-Force Red, around 17 vulnerabilities have been discovered in various smart city systems across the UK, US and Europe, eight of which have been deemed as "critical".

"While we were prepared to dig deep to find vulnerabilities, our initial testing yielded some of the most common security issues, such as default passwords, authentication bypass and SQL injections, making us realize that smart cities are already exposed to old-school threats that should not be part of any smart environment," said Crowley.

The team investigated smart city systems from companies Libelium, Echelon and Battelle. Four pre-authentication shell injection flaws were found in Libelium's wireless sensor network, Meshlium. Echelon's i.LON 100/i.LON SmartServer and i.LON 600 SmartServers had two critical authentication flaws, unencrypted communications problems, default credentials in use, and plaintext passwords.

Battelle's V2I (Vehicle-to-Infrastructure) Hub, version 2.5.1 had a hard-coded administrator account as well as default API keys and authentication bypass, SQL injection security flaws and reflected XSS vulnerabilities.

Once these flaws were discovered, researchers then carried out standard internet searches to find affected devices online.

"We found a European country using vulnerable devices for radiation detection and a major US city using them for traffic monitoring. Upon discovering these vulnerabilities, our team promptly alerted the proper authorities and agencies of these risks," said Crowley.

A compromised system could be used to manipulate things such as water level sensors to activate false flood warnings, potentially creating panic and evacuations. More worryingly, hackers could use the same tactic to silence an alarm during a legitimate crisis.

"If someone, supervillain or not, were to abuse vulnerabilities like the ones we documented in smart city systems, the effects could range from inconvenient to catastrophic," he said. "While no evidence exists that such attacks have taken place, we have found vulnerable systems in major cities in the US, Europe and elsewhere."

The discoveries were made known to the vendors, who then issued patches and software updates to address the flaws.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

What is 4G?
Mobile

What is 4G?

17 Jun 2020
What does the future of work look like?
Careers & training

What does the future of work look like?

28 Apr 2020
Flexible vs agile working
Business strategy

Flexible vs agile working

3 Mar 2020

Most Popular

How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
WhatsApp could face €50 million GDPR fine
General Data Protection Regulation (GDPR)

WhatsApp could face €50 million GDPR fine

25 Jan 2021
Trump pardons convicted ex-Google engineer Levandowski
intellectual property

Trump pardons convicted ex-Google engineer Levandowski

20 Jan 2021