Security researchers have warned that smart city infrastructure contains many flaws that could allow hackers to cause panic among citizens by manipulating systems used to warn people of emergency situations.
According to a blog post by Daniel Crowley, research director at IBM X-Force Red, around 17 vulnerabilities have been discovered in various smart city systems across the UK, US and Europe, eight of which have been deemed as "critical".
"While we were prepared to dig deep to find vulnerabilities, our initial testing yielded some of the most common security issues, such as default passwords, authentication bypass and SQL injections, making us realize that smart cities are already exposed to old-school threats that should not be part of any smart environment," said Crowley.
The team investigated smart city systems from companies Libelium, Echelon and Battelle. Four pre-authentication shell injection flaws were found in Libelium's wireless sensor network, Meshlium. Echelon's i.LON 100/i.LON SmartServer and i.LON 600 SmartServers had two critical authentication flaws, unencrypted communications problems, default credentials in use, and plaintext passwords.
Battelle's V2I (Vehicle-to-Infrastructure) Hub, version 2.5.1 had a hard-coded administrator account as well as default API keys and authentication bypass, SQL injection security flaws and reflected XSS vulnerabilities.
Once these flaws were discovered, researchers then carried out standard internet searches to find affected devices online.
"We found a European country using vulnerable devices for radiation detection and a major US city using them for traffic monitoring. Upon discovering these vulnerabilities, our team promptly alerted the proper authorities and agencies of these risks," said Crowley.
A compromised system could be used to manipulate things such as water level sensors to activate false flood warnings, potentially creating panic and evacuations. More worryingly, hackers could use the same tactic to silence an alarm during a legitimate crisis.
"If someone, supervillain or not, were to abuse vulnerabilities like the ones we documented in smart city systems, the effects could range from inconvenient to catastrophic," he said. "While no evidence exists that such attacks have taken place, we have found vulnerable systems in major cities in the US, Europe and elsewhere."
The discoveries were made known to the vendors, who then issued patches and software updates to address the flaws.
-
HPE eyes enterprise data sovereignty gains with Aruba Networking Central expansionNews HPE has announced a sweeping expansion of its Aruba Networking Central platform, offering users a raft of new features focused on driving security and data sovereignty.
-
Fortify your future: How HPE ProLiant Servers deliver top-tier cyber security, management, and performanceWhitepaper Deploy servers with a secure approach
-
Fortify your future with HPE ProLiant Servers powered by IntelWhitepaper Enhance your security and manage your servers more effectively
-
Architecting enterprise networks for the next decadeWhitepaper A new paradigm in network architecture
-
Why network monitoring tools fail within secure environmentsWhitepaper Gain visibility into devices, networks, and applications
-
Better together: HPE Aruba Networking CX switches and HPE Aruba Networking CentralWhitepaper Explore the power and simplicity of managing HPE Aruba Networking CX Switches with HPE Aruba Networking Central
-
Cyber-resilient infrastructure starts with server securitywhitepaper Take a security-focused approach when investing in the next wave of IT infrastructure.
-
Driving digital innovation with intelligent infrastructurewhitepaper Strong infrastructure investment is driving digital in all industries
