AT THIS POINT, it seems like every so-called consumer smart device—from routers and baby monitors to connected thermostats and garage door openers—has been shown to have vulnerabilities. But that same security crisis has also played out on a macro scale, exposing municipal works and public safety sensors to manipulation that could destabilize traffic lights, undermine radiation sensors, or even create a calamity like causing a dam to overflow because of tainted water level data.
Researchers from IBM Security and data security firm Threatcare looked at sensor hubs from three companies—Libelium, Echelon, and Battelle—that sell systems to underpin smart city schemes. Smart city spending worldwide is estimated to reach about $81 billion globally in 2018, and the three companies all have different areas of influence. Echelon, for example, is one of the top suppliers of smart street lighting deployments in the world.
Fundamentally, though, the systems the researchers analyzed are similar. By setting up an array of sensors and integrating their data, a municipality can get more nuanced insight into how to solve interconnected problems. These sensors monitor things like weather, air quality, traffic, radiation, and water levels, and can be used to automatically inform fundamental services like traffic and street lights, security systems, and emergency alerts.
That last one might sound familiar; an accidental missile alert in Januarysent Hawaii’s residents scrambling, while a hack set off Dallas’s tornado sirens last year. In fact, those incidents and others like it inspired Daniel Crowley of IBM X-Force Red and Jennifer Savage of Threatcare to investigate these systems in the first place. What they found dismayed them. In just their initial survey, the researchers found a total of 17 new vulnerabilities in products from the three companies, including eight critical flaws.
“The reason we wanted to focus on hubs was that if you control the central authority that runs the whole show then you can manipulate a lot of information that’s being passed around,” Crowley says. “It appears to be a huge area of vulnerability, and the stakes are high when we’re talking about putting computers in everything and giving them important jobs like public safety and management of industrial control systems. When they fail, it could cause damage to life and livelihood and when we’re not putting the proper security and privacy measures in place bad things can happen, especially with a motivated and resourced attackers.”
The researchers found basic vulnerabilities, like guessable default passwords that would make it easy for an attacker to access a device, along with bugs that could allow an attacker to inject malicious software commands, and others that would allow an attacker to sidestep authentication checks.
Many smart city schemes also use the open internet, rather than an internal city network, to connect sensors or relay data to the cloud, potentially leaving devices exposed publicly for anyone to find. Simple checks on IoT crawlers like Shodan and Censys yielded thousands of vulnerable smart city products deployed in the wild. The researchers contacted officials from a major US city that they found using vulnerable devices to monitor traffic, and a European country with at-risk radiation detectors.
“I live in a city that’s starting to implement smart city devices,” Threatcare’s Savage says. “We bought a house here and we can choose not to have IoT devices in our home, we can go out of our way to buy a dumb TV not a smart TV. But I can’t control if there are street lights with cameras baked into them right outside my house and I have no control over the vehicle hub that my city might be using. It gets to me as a security researcher that a city might be making these types of decisions for me.”
The three companies have made patches available for all 17 bugs. Echelon, whose smart city offerings include not just lighting but also building automation and transportation, says it collaborated with IBM to resolve its issues. “Echelon confirmed the vulnerability, developed mitigation solutions, notified customers, and informed DHS ICS-CERT,” spokesperson Thomas Cook told WIRED, referring to the Department of Homeland Security’s Computer Emergency Readiness Team, which tracks vulnerabilities.
Battelle spokesperson Katy Delaney noted that the group is a technology development nonprofit, and that the vulnerability IBM researchers found was in an open source smart city hub collaboration with the Federal Highway Administration that hasn’t yet been deployed. “We appreciate IBM bringing their considerable resources to bear in finding these potential security issues,” Delaney told WIRED. “We wanted feedback and we appreciate the scrutiny, improvement, and help.” Libelium, a Spanish company with extensive smart city offerings, said in a statement that, “Several weeks ago Libelium was informed by IBM about some web vulnerabilities which had been found in the Meshlium Manager System. … The company took action instantaneously and all vulnerabilities detected were automatically amended with a new software version released on August 1st which is ready to be downloaded from the Manager System.”
While having patches available for all the flaws is a crucial step, the researchers note the importance of raising awareness about these problems to make sure that municipalities are prioritizing patching, which organizations so often don’t. The smart city hubs the researchers looked at don’t have automatic update capabilities, a common setup on industrial control devices since a buggy update could destabilize vital infrastructure. But the downside is that every entity using these products will need to proactively apply the patches, or devices in the wild will continue to be vulnerable.
And while the researchers emphasize that they don’t have evidence of any of the bugs they found being abused, they did discover that someone posted an exploit for one of the flaws on a hacker forum in August 2015. “There are people out there who aren’t white hat hackers who have had at least one of these exploits for ages and who knows what they’ve done with it,” Savage says. “This is something that people have been looking into.”
Industrial control hacking has recently become a major focus of nation state attackers, for instance, with Russia taking the most prolific known interest. State-sponsored Russian hackers have probed US grid and election infrastructure and have wreaked havoc overseas, causing two blackouts in Ukraine and compromising payment systems in the country with malware campaigns. As the risk grows worldwide, US officials have increasingly acknowledged the vulnerability of US infrastructure, and agencies like the Department of Homeland Security are scrambling to implement systemic safeguards.
Cities will continue to invest in smart technology. Hopefully as they do, they’ll appreciate that more data will often mean more risks—and that those vulnerabilities aren’t always easy to fix.