Smart City in Practice: Not an Automatic “A”

At the Black Hat conference, researchers uncover new security flaws plaguing some of the devices winding up in use today by Smart Cities

When it comes to cyber security, it turns out that you don’t need to be a genius to outsmart Smart Cities.

On paper, the Smart City concept sounds like a swell idea. More cities are digitizing their operations to help municipal administrators manage their departments more efficiently. The introduction of smart devices and networks will transform operations in areas like urban transport and public safety, turning City Hall into a veritable connected big brain that uses the latest technologies to improve the lives of its citizens.

But the Smart City fantasy also raises not a few troubling new cyber security scenarios. A cross-section of the devices in use today are flawed and the implications of these vulnerabilities could have serious consequences.

The latest evidence came Thursday during a presentation at the Black Hat conference in Las Vegas when cyber security researchers disclosed security flaws that have left some Smart City systems vulnerable to hacker mischief and worse – everything from changing traffic signals to opening the sluices on dams.

The problem has to do with design oversights that turn these products into sitting ducks for savvy hackers, who can easily exploit default passwords or take advantage of other security flaws to penetrate networks and carry out attacks. What’s more, many of the vulnerabilities could be exploited without any type of prior expert knowledge.

“Everything we looked at was pretty bad,” said Daniel Crowley, a research director with IBM's X-Force Red. “Whether that says something about the state of smart city security as a whole, who’s to say?”

But for the particular examples that Crowley and his fellow researchers presented, it was bad news in bells.

For instance, one of the products the researchers highlighted was made by Libelium, which manufactures wireless sensors used in flood monitoring systems. In their demonstration, the researchers were able to exploit flaws in an IoT gateway device from Libelium that granted remote access, allowing anyone to hack into the system and trick the sensors.

Another product, made by Echelon and called i.LON, is used to control street lights. But the researchers were able to easily uncover the default passwords stored on many of the devices.

“Once in,” said Crowley, “you can get the cleartext password or replace the binaries via FTP to execute whatever code you like - or lock people out by changing the IP address of the interface.”

And it’s not hard to find the information, noted fellow presenter Jennifer Savage, a security researcher from Threatcare.

“It turns out that the bar is low,” she said, adding that information about many connected Smart City devices is available on the Shodan search engine. The researchers said that a basic shodan.io search found 450 instances of one type of technology that was publicly exposed to the internet.

You also don’t need special sleuthing talent to find out who may have bought a device or what it's being used for. Companies often publish customer case studies about where and how the products are deployed. News reports about Smart City initiatives are also filled with information that hackers may find valuable. What’s more, many cities have open data initiatives where the information is publicly available to anyone.

The companies whose products were involved have since repaired the reported vulnerabilities and issued patches for their devices. 

“That was a silver lining,” Crowley said. “At least the vendors understood the flaws and wanted to fix them.”

When historians look back at these sundry glitches, these all may be remembered as the inevitable birthing pains that surround any technology transition. For now, though, George Jetson can wait until urban planners are sure that their systems are secure. As Crowley noted, it’s wise to attach “some amount of security due diligence around the deployment of these devices.”

Given that determined hackers will keep probing for the vulnerabilities that researchers haven't yet uncovered, that’s a bit of advice every smart urban planner ought to tack to their office wall.

About the Author

Charles Cooper

Consulting Editor

Charles Cooper has covered technology and business for more than 25 years. He is now assisting Symantec with our blog writing and managing our editorial team.
