IBM researchers have discovered 17 zero-day vulnerabilities in smart city technology that could potentially be exploited by cybercriminals to sow panic or prevent the devices from detecting when a real emergency occurs. Researchers from Threatcare and IBM X-Force Red tested several widely deployed smart-city devices to investigate the potential of "supervillain-level" attacks.
Presenting their findings at Black Hat and DEF CON 2018, the researchers focused on three categories of devices - intelligent transportation systems, disaster management and industrial IoT. They uncovered 17 vulnerabilities in four smart city devices, eight of which were critical in severity.
The team of researchers tested smart city systems from Libelium, Echelon and Battelle.
"They communicate via Wi-Fi, 4G cellular, ZigBee and other communication protocols and platforms," IBM researcher Danial Crowley wrote. "Data generated by these systems and their sensors is fed into interfaces that tell us things about the state of our cities — like that the water level at the dam is getting too high, the radiation levels near the nuclear power plant are safe or the traffic on the highway is not too bad today.
"While we were prepared to dig deep to find vulnerabilities, our initial testing yielded some of the most common security issues, such as default passwords, authentication bypass and SQL injections, making us realize that smart cities are already exposed to old-school threats that should not be part of any smart environment."
Researchers identified four critical pre-authentication shell injection flaws in Libelium's wireless sensor network, Meshlium. Echelon's i.LON 100/i.LON SmartServer and i.LON 600 SmartServers contained two critical authentication flaws, unencrypted communications issues, use of default credentials and plaintext passwords.
Battelle's V2I (Vehicle-to-Infrastructure) Hub, version 2.5.1 contained one critical hard-coded administrative account along with five other flaws deemed "high" in severity such as permitted access to sensitive functionality without authentication, default API keys and authentication bypass, SQL injection flaws and reflected XSS issues as well.
They also found that dozens of each vendor's devices were exposed to remote access on the internet that could be easily searchable using Shodan or Censys. In some cases, they were also able to pinpoint who purchased the devices and what they were used for.
"We found a European country using vulnerable devices for radiation detection and a major U.S. city using them for traffic monitoring. Upon discovering these vulnerabilities, our team promptly alerted the proper authorities and agencies of these risks," Crowley said.
Cybercriminals looking to wreak havoc could potentially manipulate water level sensor responses to report flooding and trigger panic and evacuations. Alternatively, they could also silence these sensors to prevent warnings of an actual flood. The same scenario could apply to radiation monitors at nuclear power plans, remote traffic sensors, and other critical infrastructure.
IBM has already notified Libelium, Echelon and Battelle of their findings, noting that all three firms were "responsive" and have issued security patches to fix the vulnerabilities.
They have also recommended that cities implement IP address restrictions to connect to smart city systems, leverage basic application scanning tools to identify simple flaws, use safer password and API key practices, leverage SIEM tools to monitor for suspicious traffic and hire pen testers to regularly probe systems for both hardware and software flaws.
"Smart city technology spending is anticipated to hit $80 billion this year and grow to $135 billion by 2021," Crowley noted. "As smart cities become more common, the industry needs to re-examine the frameworks for these systems to design and test them with security in mind from the start."