Are smart cities potentially safe to live? If we look into smart cities closely, these are urban communities, constantly using the power of cutting-edge digital and computing technology to monitor and manage the urban environment and simultaneously stay connected. Some of these universal technologies currently being used are IoT, Cloud computing, big data, artificial intelligence, and mobile apps. People and the places including utility plants to commercial and residential buildings are digitally connected to help enhance the efficiency, comfort zone, and livability in the urban space. However, in the attempt to transform the utopian-like vision into reality, cities are becoming a hotbed for hacking.
The idea of hacking is as old as the computer itself. In fact, it is advancing at a pace equal to computer technology. Potentially, there is no computer system in this world that cannot be hacked. Whether it is a legal hacking or illegal one with evil intentions, any computer in use can be breached today. Arguably, smart infrastructure that is touted to be the backbone of smart cities is most vulnerable to hacking – currently, the major cyber threat in smart cities which can operate in an unpredictable and malicious manner.
In 2018, the smart city technology is anticipated to hit $80 billion which will increase to $135 billion by 2021. Hence, as the use of the technology becomes more common in smart cities, it is the time that these urban communities become aware of the potential vulnerabilities. A group of researchers from IBM X-Force Red and Threatcare came together to investigate the smart city technology for the potential vulnerabilities. What they found was dismaying!
It All Started With The Accidental Missile Alert That Shook Hawaii!
In January 2018, an accidental missile alert on the mobile devices caused panic among the people of Hawaii for about 38 minutes. The false alert was actually a human error. But the question arises, what if such systems are used intentionally to cause panic? This and a hack that triggered off Dallas’ tornado sirens last year, inspired Daniel Crowley of IBM X-Force Red and Jennifer Savage of Threatcare to investigate such systems for vulnerabilities.
Shockingly, 17 computing vulnerabilities were found in four smart city systems. Out of which, eight were critical. These vulnerabilities were spotted just after the first phase of testing, though the research team was prepared to go deep into finding the flaws. The common security issues were identified, which included, default passwords, authentication bypass, and SQL injections.
The team realised that smart cities were already under such old-school threats which should not be the case. There are miscellaneous functions a smart city technology can perform, from detecting and managing traffic congestion to predicting disasters. If such systems are operated maliciously it could probably give rise to a situation that is extremely dangerous.
The research team tested smart city devices from three categories including disaster management, transportation systems, and the industrial IoT. All these devices use WiFi, 4G cellular, ZigBee and other such platforms for communication. An enormous amount of data is generated from the integrated sensors of these systems which then informs the state of our cities in real-time. For example, an alert for the rising water level in dams or even things like today the highway is free of gridlocks.
Going More Into The Detail
The devices tested by the research team were from Libelium, a manufacturer of hardware for wireless sensor networks; Echelon, a seller of industrial IoT, building automation and manufacturing technology for transportation; and Battelle, a nonprofit that develops and commercialises the technology.
These vendors were informed about the vulnerabilities in their products, soon after the findings. All three companies responded to the situation instantaneously by issuing patches for 17 bugs and software updates that addressed the flaws. According to Echelon, they collaborated with IBM to resolve the problem.
Going forward, the research team also made a successful attempt to test these devices while keeping the viability of an attack scenario in consideration. Again, the team found dozens (hundreds in some cases) of each vendor’s devices open to remote access on the internet. This was done just by using common search engines like Shodan and Censys which can be accessed by anyone using a computer.
After identifying the exposed devices using the standard internet searches, the team was able to find out the regions that were using the devices for specific purposes. A European country was using the vulnerable device to detect radiations while a major US city was using the device to monitor traffic. However, the team alerted the authorities of the risks immediately after the finding.
What Could Happen If Such Devices Are Used For Evil Intentions?
To reduce the impact of some of the potential threats IBM X-Force Red and Threat Care did some of the logical deductions. With these measures the chances for the smart city facing the issues varying from ‘inconvenient to catastrophic’ also reduced. There were no attacks that have been spotted anywhere, these susceptible systems were used under Europe, major cities of the United States, and other places around the world.
Some of the examples are listed below:
Flood Warnings (or vice versa) – Today, dams are outfitted with water level sensors that can respond to flooding. If such devices are used by attackers maliciously, they could trigger a sensor to report false alert of flooding in an area – leading to panic, evacuations, and destabilisation. The other way round, they could even prevent a sensor from sending the warning signals when there is actually a flood event taking place – either naturally or done intentionally by destroying the dam.
Radiation Alarms – Even here, the attackers could manipulate the radiation alarms to trigger a false warning of the radiation leak in an area which can create a situation of intense panic in the region. The invisible nature of radiation could result in increased panic among the civilians. Just like the flood scenario, vice versa could also happen.
General Chaos – Smart cities are connected with hundreds of technological devices that are used today at road intersections, public places, buildings, utility plants, hospitals and more. Hence, there are chances that a hacker picks up any of these to create a dangerous situation in a city. Like, traffic signals could be manipulated to reroute vehicles or sensors at a public place could be turned off to prevent gunshot detection or even cause a panic by triggering a false gunshot sounds. If traffic sensors are manipulated, it is not a difficult job to create a gridlock like the ones seen in action crime movies that give the criminals a few extra minutes to escape the cops.
These examples are just a few to name, but they give a clear message to smart cities to test a new technology for software and hardware vulnerabilities before it is deployed and even carry out testings for the technologies that are already being operated in the urban environment. There are certain security protocols that could help cities evade such situations safely. Furthermore, hiring a team of security professionals or “hackers” could also be a good way to combat the challenge. After all, it is the matter of safety for the smart cities and their nations, more importantly, for the millions of citizens.
