IBM X-Force Red, Threatcare Warn about Smart City Vulnerabilities

A team of researchers from Threatcare and IBM X-Force Red has joined forces to test several smart city devices, with the specific goal of finding vulnerabilities in smart city systems.

Earlier this year, the team tested smart city systems from Libelium, Echelon, and Battelle.

Researchers found a total of 17 vulnerabilities in four smart city systems — eight of which are critical in severity.

“While we were prepared to dig deep to find vulnerabilities, our initial testing yielded some of the most common security issues, such as default passwords, authentication bypass and SQL injections, making us realize that smart cities are already exposed to old-school threats that should not be part of any smart environment,” said Daniel Crowley, research director at IBM X-Force Red.

The devices tested by researchers fall into three categories: intelligent transportation systems, disaster management, and the industrial internet of things.

“When we found vulnerabilities in the products these vendors produce, our team disclosed them to the vendors. All the vendors were responsive and have since issued patches and software updates to address the flaws we’ll detail here,” Crowley said.

Crowley also said that after the researchers found the vulnerabilities and developed exploits to test their viabilities in an attack scenario, they found dozens and in some cases, hundreds of each vendor’s devices exposed to remote access on the internet.

“Once we located an exposed device using some standard internet searches, we were able to determine in some instances who purchased the devices and, most importantly, what they were using the devices for. We found a European country using vulnerable devices for radiation detection and a major U.S. city using them for traffic monitoring. Upon discovering these vulnerabilities, our team promptly alerted the proper authorities and agencies of these risks,” he said.

The researchers said that some scenarios in which hackers can take advantage of smart city vulnerabilities can include:

Flood warnings. Attackers could manipulate water-level sensor responses to report flooding in an area where there is none — creating panic, evacuations, and destabilization. Conversely, attackers could silence flood sensors to prevent warning of an actual flood event, whether caused by natural means or in combination with the destruction of a dam or water reservoir.

Radiation alarms. Similar to the flood scenario, attackers could trigger a radiation leak warning in the area surrounding a nuclear power plant without any actual imminent danger. The resulting panic among civilians would be heightened due to the relatively invisible nature of radiation and the difficulty in confirming danger.

General chaos (via traffic, gunshot reports, building alarms, emergency alarms, etc.).

“In summary, the effects of vulnerable smart city devices are no laughing matter, and security around these sensors and controls must be a lot more stringent to prevent scenarios like the few we described,” Crowley added.

The team of researchers also issued a number of recommendations to help secure smart city systems:

• Implement IP address restrictions to connect to the smart city systems;
• Leverage basic application scanning tools that can help identify simple flaws;
• Safer password and API key practices can go a long way in preventing an attack;
• Take advantage of security incident and event management (SIEM) tools to identify suspicious traffic; and
• Hire white-hat hackers to test systems for software and hardware vulnerabilities.-enterprise iot insights