Smart city security flaws discovered by IBM Security are putting populations at risk to “supervillain” hackers who could manufacturer disasters at the touch of a button.
Hostile hackers could cause radiation sensors to report incorrect data, or create gridlocks to prevent law enforcement from arriving at the scene of a crime.
Cities around the world, such as New York, Singapore and Barcelona, are using internet-connected technology to improve their management.
That can take the form of sensors that collect data traffic flow, as in the case of Las Vegas “Innovation District”.
But IBM Security’s white paper, The Dangers of Smart City Hacking, warns that it is “painfully easy” to find the location and purpose of IoT devices and their security details, which it found were often “minimal”.
One of the biggest recurring vulnerabilities was the failure to update devices from their default passwords, which can easily be found online.
IBM’s X-Force Red and cybersecurity company Threatcare found this to be the case in every single device they examined.
Smart city security flaws have been exploited before
In December 2015 hackers successfully compromised the IT systems of three energy distribution companies in Ukraine, leaving around 230,000 people without electricity for up to 6 hours.
It is considered the first known successful cyberattack on a power grid. Since then, hackers affiliated with Iran successfully gained access to the New York Dam.
New York Democrat Senator Charles Schumer said of the Iranian incident: “They were saying that we can damage, seriously damage, our critical infrastructure and put the lives and property of people at risk.”
The false ballistic missile alert text to Hawaiian residents in January – an employee error rather than hackers – is an example of the panic and disruption that can be caused.
Furthering risk is smart city technologies that are connected to legacy equipment or operating systems. The 2017 WannaCry ransomware attack, which resulted in the cancellation of nearly 7,000 NHS appointments, is one such example.
The report found that outdated legacy systems are often connected to the internet without a proper security audit.
How to defend smart cities
The report called for smart city device manufacturers and agencies to learn from previous mistakes.
It said it is the responsibility of the device manufacturer to ensure security and the user to practice “good security hygiene”. That includes manufacturers issuing regular security patches and the users installing them.
It also called for smart city leaders to run regular security tests and IP scans. Vendors should also add network port restrictions and stronger password controls.
Ethical hackers, also known as white hat hackers, could also be employed to discover flaws so they can be remedied before a hacker knows they exist.
Worldwide spending on smart city technologies is projected to reach $80bn in 2018 and will grow to $135bn by 2021, according to IDC’s Worldwide Semiannual Smart Cities Spending Guide.