Spurred by the false alarm that made Hawaii residents fear for their lives earlier this year, IBM X-Force Red and Threatcare researchers decided to test several smart city devices and ultimately found 17 zero-day vulnerabilities, some of which could be exploited to create potentially deadly chaos.
“While we were prepared to dig deep to find vulnerabilities, our initial testing yielded some of the most common security issues, such as default passwords, authentication bypass and SQL injections, making us realize that smart cities are already exposed to old-school threats that should not be part of any smart environment,” shared Daniel Crowley, research director of IBM X-Force Red.
“After we found the vulnerabilities and developed exploits to test their viabilities in an attack scenario, our team found dozens (and, in some cases, hundreds) of each vendor’s devices exposed to remote access on the internet. All we did was use common search engines like Shodan or Censys, which are accessible to anyone using a computer.”
The researchers tested four solutions by three manufacturers:
- Meshlium by Libelium (Libelium is a manufacturer of hardware for wireless sensor networks)
- i.LON 100/i.LON SmartServer and i.LON 600 by Echelon (Echelon specializes in industrial IoT, embedded and building applications and manufacturing devices like networked lighting controls)
- V2I (vehicle-to-infrastructure) Hub v2.5.1 by Battelle, and
- V2I Hub v3.0 by Battelle (Battelle is a nonprofit that develops and commercializes technology).
“The devices we tested fall into three categories: intelligent transportation systems, disaster management and the industrial Internet of Things (IoT). They communicate via Wi-Fi, 4G cellular, ZigBee and other communication protocols and platforms. Data generated by these systems and their sensors is fed into interfaces that tell us things about the state of our cities — like that the water level at the dam is getting too high, the radiation levels near the nuclear power plant are safe or the traffic on the highway is not too bad today,” Crowley explained.
Meshlium was found to have four critical pre-authentication shell injection flaws; Echelon’s offerings had two authentication bypass flaws, default credentials, plaintext passwords and unencrypted communications; and Battelle’s solutions sported a hard-coded administrative account, SQL injection flaws, a default API key, an API authentication bypass flaw, and more.
Some of these flaws could be easily exploited to create “panic attacks” and endanger citizens’ lives.
“Attackers could manipulate water level sensor responses to report flooding in an area where there is none — creating panic, evacuations and destabilization. Conversely, attackers could silence flood sensors to prevent warning of an actual flood event, whether caused by natural means or in combination with the destruction of a dam or water reservoir,” Crowley explained.
Attackers could also create general chaos by triggering false building alarms and emergency alarms, by tampering with traffic control systems, etc.
The researchers have shared their findings with the manufacturers, who were very responsive and have already pushed out fixes. They have also notified the owners of vulnerable devices they found online.
Smart cities are the future, but the industry needs to re-examine the frameworks for these systems to design and test them with security in mind from the start, Crowley noted.
Their advice for securing smart city systems includes implementing IP address restrictions for connections; using application scanning tools to identify simple flaws; implementing safer password and API key practices; taking advantage of SIEM tools to identify suspicious traffic; and hiring “hackers” to test systems for software and hardware vulnerabilities.