As the world’s major cities have deployed smart city, the IBM X-Force Red team and security operator Threatca have teamed up to examine the major systems used in smart cities and found 17 security vulnerabilities that will allow the passengers manipulated the alarm system, tampering with sensor data, causing panic or urban confusion. This research was announced at the Black Hat Hacker Conference this week.
Daniel Crowley, director of research at IBM X-Force Red, said that they started testing the Libelium, Echelon, and Battelle systems used in smart cities earlier this year, with Libelium being a hardware manufacturer of wireless sensor networks and Echelon selling industrial IoT devices and embedded applications also produce connected lighting controllers, and Battelle is a non-profit organization that specializes in the development and commercialization of various technologies.
Researchers mainly visit devices related to smart transportation systems, disaster management, and industrial Internet of Things, which are connected via Wi-Fi, 4G, ZigBee, or other communication protocols.
After finding vulnerabilities in these devices or services, researchers have also discovered hundreds of vulnerable machines on the open Internet. Some European countries use these devices to detect radiation, and American cities use them to monitor traffic.
These 17 security vulnerabilities involve the use of default passwords, bypass authentication mechanisms, and data hidden codes. Eight of them are classified as critical vulnerabilities, revealing that even the most modern smart city is still exposed.
Crowley pointed out that these vulnerabilities will allow hackers to place water level sensors to trigger false flood warnings or to avoid triggering flood warnings. Similarly, hackers can also manipulate radiation sensors near nuclear power plants, or by traffic. The control of systems, building alarm systems, or emergency alert systems creates confusion and smart cities that show a lack of security is likely to cause more panic or actual harm.
According to estimates, smart city technology spending will grow from $80 billion this year to $135 billion in 2021. As smart cities become more popular, Crowley reminds the industry that security should be used as a starting point to re-examine the framework of these systems. It is recommended that the heads of intentionally importing smart cities should limit the IP addresses of the connected smart systems, scan for defects in these systems, use more secure passwords and API keys, or hire white hats to test the security of software and hardware.
At present, the manufacturers of related devices or the cities where these devices are deployed have been patched by IBM.