Some sensor devices commonly used in cities across Europe, North America and Asia have been found to be open to attack by hackers, with the potential to cause chaos with traffic, flood and radiation warnings, and other alarms.
IBM’s security arm X-Force Red and Threatcare reported 17 vulnerabilities in devices sold by Libelium, Echelon, and Battelle. Left unpatched, the flaws could allow cybercriminals to gain access to sensors and manipulate data. Some of the weaknesses flagged include default passwords, authentication bypasses and exposure to the Internet.
“I was not surprised, but maybe a little bit disappointed, by the simplicity of the flaws that we found,” Daniel Crowley, Research Director, IBM X-Force Red, told Cities Today. “It seems to be a common pattern that with any emerging technology, security kind of falls by the wayside.”
The flaws were reported to the companies involved and all three have since issued patches and software updates to address them.
Crowley said that after an exposed device was located through Internet searches, it was possible, in some instances, to determine who had purchased the devices and what they were using them for. A European country using vulnerable devices for radiation detection and a large US city using sensors for traffic monitoring were among those affected. Both were alerted to the vulnerabilities, and the flaws were subsequently fixed.
While it is the job of the manufacturer to ensure that products are made securely, it is the responsibility of the user to practise good security hygiene, the report said.
Jennifer Savage, Information Security Consultant, Threatcare, said that cities themselves need to look at policies around smart city devices and their deployment.
“They need to make sure that manufacturers are having third parties test the devices to ensure that they are secure, and they need to have remediation plans in place if any vulnerabilities come, at least on a regular basis, to deal with rising threats,” she said. “Cities should also have testing done on the implementation they put in place.”
The report lists some simple steps cities can undertake to check their systems:
- Implement IP address restrictions to connect to smart city systems.
- Leverage basic application scanning tools that can help identify simple flaws.
- Use safer password and API key practices.
- Take advantage of security incident and event management (SIEM) tools to identify suspicious traffic.
- Hire ‘hackers’ to test systems for software and hardware vulnerabilities.