Connect with us

Hi, what are you looking for?



Flaws in Smart City Systems Can Allow Hackers to Cause Panic

Smart city - Credits: JCT 600

Smart city - Credits: JCT 600

Critical vulnerabilities discovered in smart city systems from several vendors can allow malicious actors to perform various actions that could lead to widespread panic, researchers warn.

The world’s major cities are increasingly reliant on smart technologies, including for traffic management, disaster detection and response, and remotely controlling utilities. These systems communicate via protocols such as 4G, ZigBee and Wi-Fi.

Following the recent accidental false missile alert in Hawaii, experts at Threatcare and IBM X-Force Red have decided to join forces and analyze smart city technologies to see if they are affected by any vulnerabilities that could be exploited to intentionally cause panic.

Researchers from the two companies analyzed products from Echelon, Libelium and Battelle. Their tests led to the discovery of 17 previously unknown vulnerabilities across four types of smart city products, including eight security holes described as “critical” and six as “high severity.”

In the case of Echelon, the companies tested i.LON 100 and 600 routers, which allow organizations to monitor and control LonWorks devices such as pumps, valves, motors, sensors and lights. They also analyzed the vendor’s SmartServer products, described as a “versatile controller, router, and smart energy manager that connects control devices to IP-based applications such as building automation, enterprise energy management, demand response programs, and high-value remote asset management programs.”

A total of five vulnerabilities were discovered in these systems, including two critical flaws that allow authentication bypass, default credentials, plaintext passwords, and the lack of encrypted communications. ICS-CERT recently published an advisory describing some of the issues identified by IBM and Threatcare.

In the case of Libelium, which specializes in hardware for wireless sensor networks, researchers analyzed Meshlium, an IoT gateway designed for connecting sensors to any cloud platform. Four distinct instances of a pre-authentication shell injection flaw were discovered in the product, and they have all been classified as “critical.”

Advertisement. Scroll to continue reading.

As for Battelle, a global research and development organization, IBM and Threatcare analyzed two versions of its V2I (vehicle-to-infrastructure) Hub product, which is used for communicating data from traffic signal controllers to connected vehicles.

The list of vulnerabilities found in these systems include SQL injection, hardcoded passwords, unprotected sensitive functionality, cross-site scripting (XSS) flaws, and various API-related issues. A majority of these security holes have been assigned either a “critical” or “high severity” rating.

Register for SecurityWeek’s ICS Cyber Security Conference

All the affected vendors have been notified and they have addressed the vulnerabilities.

Battelle has clarified that V2I Hub is a 2.5-year project that it’s working on for the Federal Highway Administration. The project is ongoing – it’s expected to be finished at the end of September – and it has only been deployed for testing purposes. Battelle told SecurityWeek that it fixed the flaws found by IBM in early July.

Libelium said it addressed the flaws with a software update released on August 1. The company has issued a press release.

However, the discovery of these basic security holes shows that smart city systems are highly exposed to cyberattacks.

While there is no evidence of malicious attacks exploiting the vulnerabilities found as part of this research project, the companies warned that the risks are significant.

Worryingly, online searches conducted using Shodan and Censys showed that there are tens or hundreds of vulnerable systems accessible directly from the Internet. Some of them have been found to belong to a European country that uses vulnerable devices to detect radiation, and a major U.S. city that relies on them for traffic monitoring.

“According to our logical deductions, if someone, supervillain or not, were to abuse vulnerabilities like the ones we documented in smart city systems, the effects could range from inconvenient to catastrophic,” researchers said.

In a theoretical attack scenario described by the experts, an attacker exploits the vulnerabilities to manipulate data from water level sensors to indicate a flood, which could create panic. In addition, hackers could make the water level appear normal during a flood.

Hackers could also cause mass panic by manipulating data from radiation sensors in order to trigger radiation leak warnings.

Hijacking traffic systems can also have serious consequences. Attackers can cause chaos by controlling traffic signals, and create additional panic by setting off building and emergency alarms, and triggering gunshot sensors.

*Updated with information from Libelium and Battelle.

Related: Hacking Europe’s Smart Cities

Related: SirenJack – Hackers Can Remotely Trigger Warning Sirens

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.