Smart cities still dumb enough to be hacked

The root of the problem with malicious smart city hacking lies in the fact that sensors typically collect 'raw' data and then merely pass it on.

Every light, every traffic signal a potential point of attack
Every light, every traffic signal a potential point of attack

The growth of connected devices and sensors inside the industrial Internet of Things has led us to coin the term ‘smart cities'.

These devices and the wider networks that support them manifest themselves in everything from intelligent road signals and traffic monitoring systems all the way down to sewer and water supply sensors.

When all these smart city systems work, the population enjoys a more pleasant existence – but what about when they fail, or worse still, when they are hacked?

Raw, like sushi… and data

The root of the problem with malicious smart city hacking lies in the fact that sensors typically collect ‘raw' data and then merely pass it on. No analysis is performed on the data at its point of origination, so consequently, we rely on that data source being accurate before we move that data onwards for analysis.

But what if a malicious actor were to alter that raw core data? The consumers of the data streams would start to perform analysis on incorrect data that could be fed into change and development plans for urban IT infrastructure in the real world.

Denis Legezo writes on Kaspersky Lab's SecureList to suggest that, although hackers will often find it hard to identify exact sensor types, if a model is identified then we have a problem.

It's still early days for the Internet of Things so embedded device manufacturers and integration partners will often host a large degree of documentation related to sensors on their website. In some cases the website will even provide links to most drivers and other core pieces of software needed to make the devices function.

“You [a potential hacker] will almost certainly find a marketing leaflet about each device; there is also a good chance you will find a larger sales-oriented document. It is also not uncommon to come across documentation, but finding a full-fledged technological description with the device's command system is a rare piece of luck,” writes Legezo.

Automation consternation

The root of the root of the problem (if you will pardon the expression) is that, yes, the sensor data is raw – yes we've said that – but also there will inevitably be a fairly high degree of automation based upon particular communication protocols and their identifiers to and from devices. Once we know those digital values, our route inwards to be able to hack the smart city devices in question is much easier.

SCMagazineUK.com spoke to Cesare Garlati, chief security strategist for the prpl Foundation, who told us that quite simply, the devices designed to make smart cities possible were never built with security in mind.  

“While the chips and sensors found in many of these devices are so small that security may not have felt like an ‘issue', the sheer proliferation of them now, especially the amount needed to create and maintain a smart city, means that it could become a real problem. At prpl, we believe the industry as a whole must start addressing the security conundrum sooner – at the hardware level – rather than after development, where by then it will be too late,” he said.

Richard Kirk, SVP at AlienVault and an expert on IoT security, points to connected cars as an example, saying that there are many plausible uses for having full remote control over vehicles, and science fiction is rapidly becoming reality. Some of the applications here include fleet management and control, location of stolen vehicles, preprogramming journey routes as well as emergency assistance in the case of accident.

“However,” says Kirk. “There are several reasons why we need to take this seriously, mostly because connected cars are like an iPhone on wheels, so consequently susceptible to all of the same issues we face on a daily basis with computers. Cars are big hunks of metal and when not in control, can do a lot of damage since the systems, perhaps running in the cloud, controlling and coordinating the vehicles, are all prone to intrusion and failure. If the US government can't keep its personnel records secure, what hope is there for a car manufacturer?”

Kirk adds, “More often than not, businesses are driven by profit and only invest in safety innovation when required to do so, either by governments, peer pressure or customer demand. Perhaps what is needed is the equivalent to the PCI and OWASP compliance guidelines, but aimed at the vehicle industry. We know that compliance only works when it has teeth, and is backed by regulation, hefty fines or some other form of penalty that causes companies to view it as more than just a cost of doing business.”

Smarter smart cities

Kaspersky's Legezo closes by saying that at the installation stage, it makes sense to avoid using any standard identifiers. Obviously, he agrees, manufacturers need to advertise their products (and servicing teams may need to collect additional information from adhesive labels on a device), but there are also issues of information security to consider.

Last but not least, it's not worth relying solely on the standard identification implemented in well-known protocols. This way, we can build smarter smart cities.