Smart cities the world over ripe for hacking, expert says

“The current attack surface for cities is huge and wide open to attack”
“This is a real and immediate danger.”
Canberra Times

“It’s a matter of time until someone launches an attack over some city infrastructure or system.”

This isn’t just about turning off electricity, etc. as catastrophic as that could be. Powerful wireless transmitters (Smart Meters) are on every house and can be wirelessly reprogrammed. Wireless antennas and cell towers are throughout most towns and cities, with emission capabilities above what’s normally used.

If this type of system is hacked and the radiation level turned up, the effects could be lethal. Smart city becomes dead city. How long before that happens? Do you live near a cell tower?

From Canberra Times, April 23, 2015

So-called smart cities, with wireless sensors controlling everything from traffic lights to water management, may be vulnerable to cyberattacks, according to a computer security expert.

Last year, Cesar Cerrudo, an Argentine security researcher and chief
technology officer at IOActive Labs, demonstrated how 200,000 traffic
control sensors installed in major hubs like Washington, New York, Melbourne and Lyon were vulnerable to attack.
l> Mr. Cerrudo showed how information coming from these sensors could be intercepted from 1500 feet away — or even by drone — because one company had failed to encrypt its traffic.

Just last Saturday, Mr. Cerrudo tested the same traffic sensors in San
Francisco and found that, one year later, they were still not encrypted.

Mr. Cerrudo said he was increasingly uncovering similar problems in other products and systems incorporated into smart cities. He has discovered simple software bugs, poorly installed encryption or even no encryption at all in these systems. And he has found that many are wide open to a fairly common attack, known as a distributed denial of service, or DDoS, in which hackers overwhelm a network with requests until it collapses under the load.

Mr. Cerrudo has found ways to make red or green traffic lights stay red or green, tweak electronic speed limit signs, or mess with ramp meters to send cars onto the freeway all at once.

Security researchers say that the opportunities for a maliciously minded hacker or government abound. Last year, security researchers at the Black Hat Europe conference in Amsterdam demonstrated how to black out parts of cites simply by manipulating smart meters and exploiting encryption problems in power line communication technology.

Increasingly, cities are automating systems and services. Saudi Arabia, for example, is investing $90 million to build four new smart cities. In South Africa, a $12.3 billion smart city project is already underway. By 2020, the market for smart cities is predicted to reach $US1 trillion, according to Frost & Sullivan, a consulting firm.

“The current attack surface for cities is huge and wide open to attack,” Mr. Cerrudo writes in a report he plans to present this week in San Francisco at the annual RSA Conference on security. “This is a real and immediate danger.”

The threat is not just hypothetical. Last year, security companies
discovered a hacking group, known both as Dragonfly and Energetic Bear, that was actively targeting power networks across the United States and Europe.

Last year, the US Department of Homeland Security acknowledged in a report that “a sophisticated threat actor” had broken into the control system network at a public utility, simply by guessing a password on an internet-connected system.

And in 2012, Chinese military hackers successfully breached the Canadian arm of Telvent. The company, now owned by Schneider Electric, produces software that allows oil and gas pipeline companies and power grid operators to gain access to valves, switches and security systems remotely. It also keeps detailed blueprints on more than half the oil and gas pipelines in North America.

In 2013, the energy industry became the most-targeted sector for hackers in the United States, accounting for 56 per cent of the 257 attacks reported to the Department of Homeland Security that year.

Some scientists are trying to redesign the smart grid to make it less
vulnerable. Currently, the smart grid is centralised, controlled by the energy suppliers, which makes utility companies a juicy target for hackers.

But this year, Science Daily reported that Benjamin Schäfer, a physicist from the Max Planck Institute for Dynamics and Self-Organization; his colleagues Marc Timme and Dirk Witthaut; and a master’s student, Moritz Matthiae, developed a model that showed, in theory, that smart meters could be monitored directly at customer sites, and decentralised in such a way that would make them much less vulnerable to attack.

For now, their research only works in principle. So Mr. Cerrudo said
municipal leaders had to start thinking of their cities as vast attack
surfaces that require security protection just as a corporate network might.

He encourages municipalities to adopt basic security measures like
encryption, passwords and other authentication schemes and an easy mechanism for patching security holes.

He suggests that cities create their own computer emergency response teams, or CERTs, to address security incidents, coordinate responses and share threat information with other cities.

He also suggests that cities restrict access to their data; track and
monitor those who do have access; and run so-called penetration tests, in which hackers try to break into cities so that municipalities can learn where they are most exposed.

Finally, he suggests that cities prepare for the worst, as they would for a natural disaster.

When we see that the data that feeds smart city systems is blindly trusted and can be easily manipulated — that the systems can be easily hacked and there are security problems everywhere — that is when smart cities become dumb cities,” Mr. Cerrudo said.

Also, see:
The New York Times

Reprinted under Fair Use Rules.

This entry was posted in Uncategorized and tagged , , , , , , , , , , , . Bookmark the permalink.