In the 20-page ‘An emerging US (and World) Threat: Cities Wide Open to Cyber Attacks' whitepaper released earlier this week, IOActive CTO Cesar Cerrudo closely examined the vulnerabilities of smart cities, which he says are becoming a “global, accelerating and unstoppable phenomenon”.
For his research, he defined smart cities as using technology to automate and improve city services, thus enhancing citizen lives. For example, this might involve the use of Internet of Things (IoT) sensors for traffic lights that can adapt to traffic conditions, or street lights which adjust to the weather and the time of day. Other smart cities are utilising real-time water and energy management systems to reduce costs for citizen, or to improve quality and reliability.
Cerrudo, who demonstrated how you could hack traffic control systems at DEFCON last year, cited Saudi Arabia investing US$ 70 billion (£46.5 billion), South Africa establishing a US$ 7.4 billion (£4.91 billion) project and Barcelona, already believed to be the biggest smart city in the world, as examples that the trend is in full swing. These cities, in the market forecast to be worth a US$ 1 trillion by 2020, are backed up by IoT sensors, machine-t-machine learning technologies, open data, mobile apps and fibre optics networks.
“Every new technology and innovation brings new challenges and problems. In this report, I'm focusing on cyber security-related problems that currently affect or will affect cities in general around the world, whether considered smart or not. These problems would impact the city government, residents, and the businesses and other organisations that conduct business there,” wrote the IOActive exec.
“Keeping in mind the new technologies and life in a smarter city, let's consider what could happen if one or more technology-reliant services don't work. What would commuting look like with non-functioning traffic control systems, no street lights, and no public transportation? How would citizens respond to an inadequate supply of electricity or water, dark streets, and no cameras? What if garbage collection is interrupted in summertime and stinks up the streets?
“That scenario might not be as unlikely as you think. Any number of cyber-security problems could trigger it.”
As examples, he drilled down on a lack of security testing, poor or non-existent security, weak encryption, a lack of communication with CERTs, complex attacks, no or irregular patching, insecure legacy systems, the prevalence of simple bugs, and no emergency plans in the event of an attack. He also noted the potential use of DoS attacks and of technology vendors selling cities insecure products.
On testing, he said: “Sadly cities are implementing new technologies without first testing cyber-security. In fact, this is happening in most countries. I have proven this with my latest research. I learned that about 200,000 vulnerable traffic control sensors were installed in important cities around the world such as Washington DC, New York, Seattle, San Francisco, London, Lyon, and Melbourne.”