Our cities are becoming smarter, but our security is not following suit.
Smart city development is in full swing, but it appears that city officials are leaving security by the wayside.
While the definition of what makes a city “smart” is still up for debate, in general, we often consider it a system of both traditional infrastructure and new, overlaying structures created from emerging technologies such as web connectivity, data collection and analytics, sensors, and mobile solutions.
Smart traffic systems to reduce congestion, surveillance systems to detect crime, LED-based street lighting with motion sensors and data-driven control of the smart grid and water systems are only some of the ways that a city can be considered smart — but with all new advances in technology, there are potential drawbacks.
Security is the critical issue at the forefront of the minds of researchers and one that could cause chaos in urban areas unless we gain a handle on it now.
According to Trend Micro’s latest “Securing smart cities” report, released on Tuesday, security may be the element which could bring a smart city down to its knees and city officials may not be doing enough to enforce security basics while being swept away on the tide of exciting new smart city ideas.
Smart city investment is expected to reach $88.7 billion by 2025 in comparison to $36.8 billion in 2016 with funding projects such as the US White House’s “Smart Cities initiative” further fuelling demand.
City planners have seized upon the idea of bringing connectivity, data analytics and smart city solutions to the population, but in Trend Micro’s report, we can see just how many attacks on these services are possible today.
The threats that these smart cities face are numerous. With roughly 70 percent of the energy produced globally now funneled into cities and the same percentage being generated by these areas in terms of gross domestic product (GDP), any kind of compromise, intrusion, or spying on smart cities can have serious consequences.
In Yokohama, Japan, for example, energy management systems (EMS) at being implemented to improve the city’s energy efficiency as well as reduce CO2 emissions. Smart meters are also in use, but these readings can be decoded with a cheap USB kit, fake signals can be sent, power can be throttled and if tapped into, attackers could also potentially record when and where power is being used — which can tell them whether anyone is physically in a property.
Trend Micro has spotted injection and remote code execution attacks being levied against power meter providers, as well as attacks against industrial control systems (ICS) used in power grids which have resulted in outages. When it comes to EMS, radio signal jamming can be used to disrupt services.
Also: Becoming a smart city: Five essential steps | Nvidia intros Metropolis video analytics platform for smart cities | How Louisville became the first smart city on the IFTTT platform | Ford sees autonomous vehicles as key cog of smart city | TechRepublic: 5 lessons from IoT leaders creating sustainable, smart cities
Smart transport and traffic management solutions are also at risk. In Japan, Softbank has created a smart parking project which allows drivers to monitor available spots and book parking spaces, and while lucrative for city planners, the researchers note that such systems, reliant on connected NarrowBand IoT (NB-IoT) sensors and a low-power wide area network (LPWAN), may be abused by cybercriminals.
In particular, ransomware operators who know how important these systems are in a city and are aware of how much revenue can be lost due to disruption may target vulnerable systems.
IoT-based environmental controls also play a part in today’s smart cities. Air quality sensors, waste management, and smart sewer systems can all help us improve city environments, however, many use embedded Linux as controllers or Arduino-based MCUs.
As noted by the security firm, it can be a challenge to protect these projects.
“Given the limited computing power of MCU, Wi-Fi credentials may be stored in clear text from in EEPROM or removable media while Bluetooth usually works with the default PIN code, 1234, if at all,” the report says.
“Security is also harder to ensure for projects that use embedded Linux. Vulnerabilities in Linux can also affect embedded chips. A single air quality sensor may not be worth breaking into, but all air quality sensors in a city are a different matter.”
It is also the connection of local government to citizens which can become a security risk. Cities including Bristol, UK, and Boston, US, have launched citizen portals which allow residents to do everything from report street issues to pay their council tax and renew parking permits.
Such systems, including the BOS:311 app, improve the accessibility of public services but as information slurpers they can also become a tempting target.
One 311 app discovered by the researchers, for example, displayed Google API keys in clear text which allowed attackers to use paid Google services — courtesy of Los Angeles.
In 2011, research revealed that there is one CCTV camera for every 32 people in the county. With so many in use, maintaining control can be difficult. In Rio de Janeiro, the government can monitor traffic and weather conditions through a web of over 500 cameras, of which at least 20 operators can access the same footage remotely.
With such networks, concerns over privacy are well-founded — but it is not just overseer governments or law enforcements that citizens should be concerned about. IP cameras have been targeted by malware, such as in the case of the Mirai botnet, and it is likely that lax security such as default passwords and open ports will cause a repeat in the future.
Smart city systems may be a target purely for threat actors as a testing ground, or for professional criminals, telecommunication systems can be compromised as a means to spy on conversations or steal valuable data in the name of cyberespionage.
Energy supply instability, the use of ransomware to lock critical systems and force payment, data sniffing and vehicle tampering to cause accidents are also a risk.
“Devices with open ports or factory-designed backdoors can be easily found and compromised,” Trend Micro says. “Given how many Internet-connected devices have publicly available code repositories and default credentials, unencrypted and poorly configured devices can be just as easy to abuse.”
Many embedded systems and IoT services are based on lightweight, low power consumption devices which may not have the technological sophistication to protect themselves — such as edge routers and switches — and so strong perimeter defense is a must.
In February, researchers revealed that over 178 million IoT devices can be scanned from the web and are vulnerable to attack. Discovered in only ten US cities, the figures only touch upon just how problematic IoT security in the home truly is — and it is the responsibility of vendors and users alike to bring security up to scratch.
The same concept applies to smart cities. We may all enjoy the potential benefits of connecting our cities, smart grids and data-driven traffic and safety solutions, but security has to be part of the supply chain.
Trend Micro says that city planners and officials looking to utilize smart city solutions should make sure security foundations are laid from the start.
The company suggests the establishment of a municipal computer emergency response team (CERT) or computer security incident response team (CSIRT), inspections, the application of software and firmware updates quickly and consistently, secure data processing, encryption usage, the implementation of a manual override for emergencies, and a backup system to ensure that in the case of complete IoT and smart city failure, citizens still have access to basic services.
Finally, city planners should remember that all technology has an expiry date. It is not just about installing a smart solution and leaving things at that — instead, once smart solutions become obsolete, there must be a plan in place to replace them to prevent security vulnerabilities from compromising core services and systems.