IBM, Threatcare uncover vulnerabilities of smart city tech
- Researchers with IBM and Threatcare released a study showing multiple areas in which smart city devices are vulnerable to hacking and cyberattacks, which offers attackers the opportunity to cause widespread public panic.
- The team uncovered 17 specific vulnerabilities when they examined four smart city systems from three different vendors. Eight of the flaws hold critical severity. The vulnerabilities leave cities open to false attacks meant to cause panic or real attacks such as flooding, radiation, gunshot reports or transportation and transit system gridlock.
- All device vendors quickly issued patches and software updates when the researchers informed them of the flaws.
This research raises the question of whether manufacturers are spending enough time on system security. The smart city space still is very much an emerging market and often developers and manufacturers race to be the first to get a product to market. But in such competitions, important details sometimes can fall to the wayside, even to the extent of producing catastrophic failures. A case could be made that the deadly Uber autonomous vehicle (AV) accident in Arizona might fall into this category.
Likewise, cities often scramble to be the first to implement technologies that could garner recognition, in addition to positive resident reactions, and they might not adequately research, confirm or understand security details. Granted, local governments aren't necessarily experts in all aspects of the tech field or in exactly what questions to ask about device security, which is why they enlist help from third-party vendors in the first place. And in the end, city employees can ask all the right questions but they still have to put their trust in a vendor's assurances that the system is secure.
The study specifically named the scare in Hawaii earlier this year when an emergency alert was sent to citizens' phones indicating an imminent missile attack. Although the alert and ensuing panic in Hawaii was caused by human error, it's an example of the type of chaos that could result from a smart system hack.
Although on a different scale and due to slightly different causes, Atlanta experienced its own chaotic digital event this spring when the city found itself the victim of a ransomware attack. It crippled the municipal computer system and created outages for both internal- and external-facing operations. The attack rendered residents unable to access certain information like court records or carry out some functions like bill payments, in addition to affecting internal systems like wiping out years worth of police dashcam videos.
Around the same time, Baltimore's 911 system was hacked. This is an example closer to the potential chaos described by the IBM and Threatcare researchers.
This study might serve as a wake-up call for cities to increase their diligence with product research and not jump on a device or vendor bandwagon prematurely. Smart device vendors also might be moved to better design and test products before releasing them to market.
The researchers provided five recommendations for securing smart city systems, including implementing IP address restrictions and using application scanning tools to identify simple flaws.
- SecurityIntelligence How to Outsmart the Smart City
- SC Media Black Hat USA 2018: IBM X-Force finds 17 zero-day vulnerabilities in four smart city systems
Follow Katie Pyzyk on Twitter