How to address new Smart City vulnerabilities: report

News 12 May 2020

Potential for immense damage from hacking
But many basic vulnerabilities still unaddressed
Too much reliance on the open Internet
Attacks will come. Defences need to be in place now.

We hear a lot about Smart Cities and the manifold benefits they will bring to their citizens. We hear rather less about the problems and vulnerabilities inherent to Smart City systems and processes.

It’s a matter of extrapolation from the small and personal to the big and citywide. We all know that just about every consumer smart device has susceptibilities that can lay it open to hacking and cyber attacks.

‘Researchers found some profoundly deep vulnerabilities in smart city systems.’ – Martyn Warwick

The same applies at municipal level. Vulnerabilities abound in citywide smart systems, but the consequences of their being hacked will be much farther-reaching and potentially much more devastating than an attack on an individual consumer smart device (although citywide and even national cyber attacks can be originated via compromised consumer devices such as unprotected smart thermostats). And, of course, macro-scale municipal systems can be attacked and data compromised, too.

Scientists from IBM X-Force Red Security and the Austin, Texas-headquartered cyber security company Threatcare have been co-operating to stress-test a range of smart city systems and devices, and their report makes for disturbing reading.

The specific goal of the research was to assess the likelihood of what is called a “supervillain-level” attack from a great distance, and the team found 17 “zero-day” vulnerabilities in four different smart city systems. Eight of the 17 were classed as ‘critical severity.’

(The term ‘zero-day’ refers to an unknown software vulnerability that the developer has only just become aware of, and therefore, and obviously, no patch or update to correct the vulnerability has been released leaving a hacker free to run amok in a system).

Basic security susceptibilities

What is particularly worrying is that while the researchers found some profoundly deep vulnerabilities in smart city systems, they also found that they are wide open to a range of the oldest, most basic, well-known and common security vulnerabilities known to man.

They found that smart city systems are still not adequately protected against things such as easily accessed default passwords, authentication bypass and SQL injections.

The IBM and Threatcare teams focused on three categories of smartness: intelligent transportation systems, disaster management and the industrial Internet of Things (IoT). Such technology classifications communicate via Wi-Fi, 4G cellular and a variety of other comms protocols and platforms.

Data generated by sensors goes to interfaces that provide actionable information about sectors such as traffic flows, highway conditions, overcrowding and holdups on public services, pressure points in healthcare systems and the smooth (or otherwise) functioning of other municipal services including the water and sewage systems and on up through to environmental monitoring.

The joint researchers tested smart city technologies from three companies: Battelle (a not-for-profit organisation that develops and markets smart technologies), Echelon (an industrial IoT company) and Libelium (a manufacturer of hardware for wireless sensor networks). When the research team discovered vulnerabilities, they told the vendors about them and, to their great credit, all three companies responded immediately and very quickly issued patches and software updates to remedy the flaws discovered.

When the IBM and Threatcare teams discovered smart city susceptibilities, they probed them with various invasion scenarios and found that hundred of devices (from each vendor) were open to remote access hacking attacks. What’s more, the exposure of the vulnerabilities was affected via ordinary and commonly used search engines that are available to all and sundry.

To make matters worse, a surprisingly large number of smart city systems and applications continue to use the open Internet rather than a fully-secured municipal network either to connect IoT sensors or transmit data to the cloud. That means devices can be left visible and easily able to be appropriated by malign actor.

When susceptible devices were found, the researchers were able to access information including who bought the devices and what they were being used for. Among the scary discoveries was European country using insecure devices for radiation detection and a big US city using unprotected devices for traffic monitoring and elsewhere, the ability for an attacker to break into systems and manipulate water level sensors.

Preventive security

Having having quickly demonstrated just a few but deeply concerning smart city vulnerabilities, IBM and Threatcare provided a list of recommendations to help municipal authorities to secure smart city systems.

They are:

to implement IP address restrictions to connect the smart city systems;
to apply and continually use scanning tools to identify simple system vulnerabilities;
and to impose and police safer password and API practices.

Other precautions should include the use of security-incident and event-management tools to identify suspicious traffic and also the employment of ‘white hat’ hackers to test and test again smart city systems for both hardware and software weaknesses.

The forecast is that city authorities across the globe will spend upwards of USD 81 billion on smart city technology this year, and that figure will rise to USD 135 billion by 2021.

Smart cities are a wave of the future, but as their distribution becomes increasingly commonplace, the authorities and the industry at large must to take a long hard look at systems design and ensure that they are designed, from the very start and from the ground up, to be as secure as is humanly possible.

Remember the old adage: ‘the more data, the more the risk.’ And smart cities are going to generate immense amounts of data.

The original version of this article first appeared on TelecomTV. Views expressed in this article do not necessarily reflect those of ITU.

Martyn Warwick, TelecomTV

Cookie	Duration	Description
ARRAffinity	session	ARRAffinity cookie is set by Azure app service, and allows the service to choose the right instance established by a user to deliver subsequent requests made by that user.
ARRAffinitySameSite	session	This cookie is set by Windows Azure cloud, and is used for load balancing to make sure the visitor page requests are routed to the same server in any browsing session.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	2 years	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_T69008QZXS	2 years	This cookie is installed by Google Analytics.
_gat_UA-121074739-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_hjAbsoluteSessionInProgress	30 minutes	Hotjar sets this cookie to detect the first pageview session of a user. This is a True/False flag set by the cookie.
_hjFirstSeen	30 minutes	Hotjar sets this cookie to identify a new user’s first session. It stores a true/false value, indicating whether it was the first time Hotjar saw this user.
_hjIncludedInPageviewSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's pageview limit.
_hjIncludedInSessionSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's daily session limit.
_hjTLDTest	session	To determine the most generic cookie path that has to be used instead of the page hostname, Hotjar sets the _hjTLDTest cookie to store different URL substring alternatives until it fails.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
personalization_id	2 years	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

Cookie	Duration	Description
_hjSession_768571	30 minutes	No description
_hjSessionUser_768571	1 year	No description
AnalyticsSyncHistory	1 month	No description
articleTopicsViews	3 months	No description
BIGipServer3sEEw690n76oenZ3ixwpzQ	session	No description
li_gc	2 years	No description
TS010592a8	session	No description
TS01af0bc2	session	No description
TS70351561027	session	No description
wp-wpml_current_language	session	No description available.

How to address new Smart City vulnerabilities: report

Related content

Final version of use cases report

Competition on blockchain authentication for digital finance

The world generated 62 million tonnes of electronic waste in just one year and recycled way too little, UN agencies warn

Please fill in the form below to get your copy.