Auto Tech Threat to Smart Cities, Report Claims

Cars can become both victims and perpetrators of anticipated hacking attacks on smart cities, a report has warned.

For a white paper published by researchers at Threatcare and IBM X-Force Red who tested a range of smart city devices, discovered 17 vulnerabilities were found across four smart city systems, eight of which were “critically” severe.

In the study spanning the areas of intelligent transportation systems, disaster management and the IoT, smart city systems from Libelium, Echelon and Battelle were tested using commonly available search engines like Shodan and Censys. Among the security breaches was one unnamed major US city using devices to monitor traffic that could be accessed remotely via the internet. This means hackers would be able to gain access to the systems’ sensors and possibly even instigate collisions. Gridlocks could also be created that would prevent emergency services from getting to the scenes of terrorist attacks.

The researchers detected seven vulnerabilities to potential “vehicle-to-infrastructure” attacks in Battelle’s Hub v2.5.1 system, which it has been developing in cooperation with the US Federal Highway Administration. Five of these were rated as “high” in severity, one as “medium” and one was actually dubbed “critical”. One of the “high” threats was that “sensitive functionality” was found to be “available without authentication”. The critical threat was that an administrative account for the system was hard-coded. The researchers were also able to bypass the system’s authentication processes.

Threatcare’s Jennifer Savage said the vulnerabilities her and her colleagues identified within Hub v2.5.1 were “terrible”. A Battelle spokesperson responded to the white paper by saying: “The potential issues in the code IBM has pointed out have been fixed.”

It is also claimed IBM X-Force Red research director Daniel Crowley was able to gain access to Libelium’s Meshlium IoT gateway and flood a simulated road. The report identified four critical instances of a “pre-authentication shell injection flaw” in Meshlium. Crowley said: “If someone, supervillain or not, were to abuse vulnerabilities like the ones we documented in smart city systems, the effects could range from inconvenient to catastrophic. While no evidence exists that such attacks have taken place, we have found vulnerable systems in major cities in the US, Europe and elsewhere.”

As a result, the teams from Threatcare and IBM are now recommending city planners start using security incident and event management (SIEM) tools to “identify suspicious traffic”. While IBM says Libelium, Echelon and Battelle have all responded to the report by issuing security patches to cover the areas affected, the companies have yet to announce any long-term solutions to the security problems it exposed.

 


Leave a comment

Your email address will not be published. Required fields are marked *