Critical vulnerabilities discovered in smart city systems from several vendors can allow malicious actors to perform various actions that could lead to widespread panic, researchers warn.
The world’s major cities are increasingly reliant on smart technologies, including for traffic management, disaster detection and response, and remotely controlling utilities. These systems communicate via protocols such as 4G, ZigBee and Wi-Fi.
Following the recent accidental false missile alert in Hawaii, experts at Threatcare and IBM X-Force Red have decided to join forces and analyze smart city technologies to see if they are affected by any vulnerabilities that could be exploited to intentionally cause panic.
Researchers from the two companies analyzed products from Echelon, Libelium and Battelle. Their tests led to the discovery of 17 previously unknown vulnerabilities across four types of smart city products, including eight security holes described as “critical” and six as “high severity.”
In the case of Echelon, the companies tested i.LON 100 and 600 routers, which allow organizations to monitor and control LonWorks devices such as pumps, valves, motors, sensors and lights. They also analyzed the vendor’s SmartServer products, described as a “versatile controller, router, and smart energy manager that connects control devices to IP-based applications such as building automation, enterprise energy management, demand response programs, and high-value remote asset management programs.”
A total of five vulnerabilities were discovered in these systems, including two critical flaws that allow authentication bypass, as well as default credentials, plaintext passwords, and a lack of encrypted communications. ICS-CERT recently published an advisory describing some of the issues identified by IBM and Threatcare.
In the case of Libelium, which specializes in hardware for wireless sensor networks, researchers analyzed Meshlium, an IoT gateway designed for connecting sensors to any cloud platform. Four distinct instances of a pre-authentication shell injection flaw were discovered in the product, and they have all been classified as “critical.”
As for Battelle, a global research and development organization, IBM and Threatcare analyzed two versions of its V2I (vehicle-to-infrastructure) Hub product, which is used for communicating data from traffic signal controllers to connected vehicles.
The list of vulnerabilities found in these systems includes SQL injection, hardcoded passwords, unprotected sensitive functionality, cross-site scripting (XSS) flaws, and various API-related issues. A majority of these security holes have been assigned either a “critical” or “high severity” rating.
All the affected vendors have been notified and they have addressed the vulnerabilities.
Battelle has clarified that V2I Hub is a 2.5-year project that it’s working on for the Federal Highway Administration. The project is ongoing – it’s expected to be finished at the end of September – and it has only been deployed for testing purposes. Battelle told SecurityWeek that it fixed the flaws found by IBM in early July.
Libelium said it addressed the flaws with a software update released on August 1. The company has issued a press release.
However, the discovery of these basic security holes shows that smart city systems are highly exposed to cyberattacks.
While there is no evidence of malicious attacks exploiting the vulnerabilities found as part of this research project, the companies warned that the risks are significant.
Worryingly, online searches conducted using Shodan and Censys showed that there are tens or hundreds of vulnerable systems accessible directly from the Internet. Some of them have been found to belong to a European country that uses vulnerable devices to detect radiation, and a major U.S. city that relies on them for traffic monitoring.
“According to our logical deductions, if someone, supervillain or not, were to abuse vulnerabilities like the ones we documented in smart city systems, the effects could range from inconvenient to catastrophic,” researchers said.
In a theoretical attack scenario described by the experts, an attacker exploits the vulnerabilities to manipulate data from water level sensors to indicate a flood, which could create panic. In addition, hackers could make the water level appear normal during a flood.
Hackers could also cause mass panic by manipulating data from radiation sensors in order to trigger radiation leak warnings.
Hijacking traffic systems can also have serious consequences. Attackers can cause chaos by controlling traffic signals, and create additional panic by setting off building and emergency alarms, and triggering gunshot sensors.
*Updated with information from Libelium and Battelle.