An ethical hacking project has revealed 17 vulnerabilities in smart city sensors and control devices which are currently installed in cities around the world.
The flaws could allow hackers to intentionally spread misinformation or access critical infrastructure systems. Among the vulnerabilities identified, eight were described as ‘critical’ in severity, meaning that they must be addressed as urgently as possible.
The ethical hacking project was undertaken by cyber-security company Threatcare and IBM X-Force Red, an autonomous group of IBM Security employees. It was launched after a civil alert message was sent to mobile devices across Hawaii warning of an imminent ballistic missile threat; the alert was later confirmed to have been sent in error.
What were the primary vulnerabilities that the researchers found?
Among the security challenges facing smart city networks and technologies were many of the most common issues faced by legacy technologies, which suggests that too little attention is being paid to the security of devices. This includes the use of default passwords, particularly in cases where devices do not require users to create a more secure password before putting the device into use.
Other recurring flaws, which were among the most common identified by the research, included authentication bypass, which allows hackers to call up internal administrative areas of a network that should not be accessible to them, without having to enter a password.
Many devices were also found to be vulnerable to SQL injection, in which attackers supply input that the application passes on to the database, and which the database confuses with the query itself rather than treating it as data. In this way, hackers can force the device to perform actions which will compromise its security.
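The authentication bypass and SQL injection flaws described above can meet in a device's admin login. The following is an added example, not code from the study or from any vendor: it uses a constructed SQLite table for a hypothetical sensor gateway and puts a login check built by string concatenation beside the parameterized form. The table, account, password and function names are all assumptions.

```python
import sqlite3

# Constructed input: the quote ends the string literal early and the rest
# is read by the database as SQL, not as a password.
CRAFTED = "' OR '1'='1"

def make_db():
    # Constructed sample data for a hypothetical sensor gateway. Plaintext is
    # used only to keep the query readable; real devices store salted hashes.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    db.execute("INSERT INTO admins VALUES (?, ?)", ("admin", "s3nsor-Gateway-pw"))
    return db

def login_concatenated(db, username, password):
    # Weak form: input is pasted into the SQL text, so the database cannot
    # tell the query apart from the data.
    sql = ("SELECT COUNT(*) FROM admins WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()[0] > 0

def login_parameterized(db, username, password):
    # Corrected form: placeholders bind input strictly as values.
    sql = "SELECT COUNT(*) FROM admins WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0

def compare(username, password):
    # Returns (weak_result, fixed_result) for the same credentials.
    db = make_db()
    try:
        weak = login_concatenated(db, username, password)
    except sqlite3.OperationalError:
        weak = None  # input broke the SQL syntax: also a sign of injection
    return weak, login_parameterized(db, username, password)

if __name__ == "__main__":
    for user, pw in [("admin", "s3nsor-Gateway-pw"), ("admin", "wrong"),
                     ("admin", CRAFTED), ("admin", "it's")]:
        print(repr(pw), compare(user, pw))
```

A syntax error on a harmless input such as a password containing an apostrophe is a useful test signal that a query is being assembled from strings.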
How can the problems be addressed?
Following their discovery of vulnerabilities in smart city sensors and devices, the researchers alerted a number of manufacturers to ensure that the vulnerabilities could be patched or fixed with software updates before they were revealed to the general public. However, many such concerns will persist if technology developers do not design and build their devices with security in mind.
Daniel Crowley, head of research for IBM’s X-Force Red, explained that many of the threats found are among the most common in all technology spheres, and that this does not typify the ‘smart’ expectations attached to new and emerging technologies.
He said: “While we were prepared to dig deep to find vulnerabilities, our initial testing yielded some of the most common security issues, such as default passwords, authentication bypass and SQL injections, making us realise that smart cities are already exposed to old-school threats that should not be part of any smart environment.”