From Radiation Detection To Flood Defenses, Smart City Security Really Sucks
Given Russians have reportedly hacked their way deep into America’s old power systems, you’d expect those building the next-gen tech for so-called “smart cities” would’ve put real effort into ensuring strong security. Not so much, if a report from a pair of researchers released Thursday is anything to go by.
Tech helping run radiation and flood detection, as well as software designed to help manage traffic, all contained vulnerabilities that hackers with just rudimentary skills could manipulate. That’s according to Jen Savage, security researcher at Threatcare, and Daniel Crowley, “research baron” at IBM’s X-Force Red cybersecurity unit.
They found weaknesses across a range of smart city tech from three different vendors: Battelle, Echelon and Libelium. All three had produced code containing “terrible vulnerabilities,” said Savage. They were riddled with severe weaknesses that could be used to cause real disruption across modern cities, Savage told Forbes ahead of her presentation at the Black Hat cybersecurity conference in Las Vegas on Thursday.
Of real concern to Savage was the Meshlium device from Spanish company Libelium. Given the Meshlium software is used for critical processes like radiation and flood detection, the impact of hackers taking control of the Libelium tool in the real world “could be quite great,” she added.
The problem with the Meshlium software was simple: it accepted certain commands from anyone on the internet without any need for a username or password. With the most basic of attacks, “you can do anything you want with the device,” said Crowley. “A single web request gets you there.”
“My concern with that is that you could potentially simply turn off the radiation detection,” added Savage. She envisaged a situation where a dirty bomb went off and a city’s radiation detectors were simultaneously turned off by the attackers. Or scenarios where flood detection software could be tampered with to cause alarms to go off, forcing people to evacuate and “cause mass panic.”
Other basic problems were found across “vehicle-to-infrastructure” tech made by Battelle, which automates communication between cars and tech like traffic controllers. Such smart city tech should lessen the chance of irritating traffic jams, but if hackers get control of it, some kind of road carnage could be caused.
Various severe problems were also uncovered in kit from Echelon, including its iLon products designed to connect technologies for managing energy usage.
Looking across all three organizations’ tech, Savage and Crowley were disappointed in how basic the mistakes were. “I gotta say as a nerd, I’m a little disappointed the vulnerabilities weren’t a little more interesting,” Crowley said. “[That] makes this even worse, because they’re not next-level vulnerabilities.”
Many of the devices were also accessible to anyone with a web connection, the researchers found. For instance, they uncovered 450 iLon smartserver devices exposed on the internet and dotted across the globe.
Fixing the smart city
The researchers said all the affected companies had been responsive in trying to patch the security loopholes. Libelium provided Forbes with a link to its statement, in which it said the company had issued patches.
Battelle said its vehicle software was built as part of the “V2I Hub,” a multi-year project it was working on with the Federal Highway Administration. It was open source software and, whilst it was still in a testing phase and the final product won’t be delivered until September, Battelle thanked the researchers for looking at the code within. “You put your work out there and you hope others will take a look and point out any potential flaws in the code,” a spokesperson said. “The potential issues in the code IBM has pointed out have been fixed.”
Echelon said it had confirmed the vulnerability found by the researchers and “developed mitigation solutions, notified customers and informed DHS ICS-CERT,” the U.S. government organization set up to alert industry of security issues.
Whilst those specific technologies have been patched, it’s clear basic mistakes are still being made in the coding of future cities.