“An actor who is determined to incite mass chaos could create far greater impact with minimal effort if security for sensors and controls is not strengthened,” reads a 2018 report by IBM entitled: The Dangers of Smart City Hacking.
The paper follows an investigation by IBM X-Force Red and Threatcare that discovered 17 zero-day vulnerabilities in smart city sensors and controls used in cities around the world. If left unpatched, they say, these vulnerabilities could allow a new breed of “supervillain” to access sensors and manipulate data to disastrous effect.
The vulnerabilities discovered in this project might not just allow “supervillain” hackers to manipulate sensors and wider systems - without increased security being deployed “a kid with a computer his or her bedroom” may have the ability to cause catastrophe. “Many of these scenarios have been key moments in major movie plots – but the truth is, it’s incredibly easy to do and is a very real threat today,” the IBM report suggests.
Here we explore a few of the potential scenarios that could become a reality based on the smart city technology hacks that the IBM X-Force Red and Threatcare teams discovered:
If the intention is to cause panic within a population then emergency warning systems may be the focus of an attack. On April 7th 2017, for example, hackers took control of all 156 emergency sirens in Dallas, Texas. Taken by surprise, city officials had to first confirm there was no real emergency but even then they were unable to turn off the system. The continuous nature of the cyber attack meant that the sirens were only shut down after one hour and forty minutes of confusion as 911 emergency response phone lines were overwhelmed by concerned citizens.
Then, in January 2018, every television and mobile phone in Hawaii simultaneously received an official alert message which read “BALLISTIC MISSILE THREAT INBOUND TO HAWAII. SEEK IMMEDIATE SHELTER. THIS IS NOT A DRILL.” The terrified citizens who received the ballistic missile alert fled to shelter, inundated emergency services phone lines, and overloaded cell-phone networks with frightened calls to family and friends. This was not a real missile threat however, nor was it a hacking incident. It was a simple employee error, but highlighted the panic that could be caused by a malicious attack in the same vein.
As we have seen depicted in numerous hollywood movies, hackers looking to create escape routes or stifle law enforcement ability to reach the location of a crime could target a city’s traffic systems. By manipulating traffic signals, for example, it would be possible to cause disruption at certain junctions across a city, thereby controlling traffic to suit the objective of the attackers.
“Hackers could accomplish simultaneous traffic tie-ups on key city roads by taking control of traffic control infrastructure – enough to create gridlock and delay law-enforcement teams from accessing the real scene of a crime,” explains the IBM report, which sites a similar scenario played out in the film ‘Fate of the Furious.’
Just this month, at the Ben-Gurion University of the Negev (BGU) in Israel’s arid south, a team of cyber security researchers found vulnerabilities in a number of commercial smart irrigation systems. The weaknesses would allow attackers to remotely control watering systems, enabling them to increase or decrease flow at multiple sites. This represented a huge issue for a nation of many enemies in a desert region where water is a scarce and precious resource.
“By simultaneously applying a distributed attack that exploits such vulnerabilities, a botnet of 1,355 smart irrigation systems can empty an urban water tower in an hour and a botnet of 23,866 smart irrigation systems can empty ﬂood water reservoir overnight,” said Ben Nassis, a researcher for BGU.
“Although the current generation of IoT devices is being used to regulate water and electricity obtained from critical infrastructures, such as the smart-grid and urban water services, they contain serious security vulnerabilities and will soon become primary targets for attackers,” he continued.
The use of technology in agriculture is growing at a rapid pace and with it comes an increased cyber threat to our food supply. The great strides taken by smart buildings in controlling the indoor environment for the benefit of occupants has also lead to the emerging field of vertical, urban, indoor farms. These intelligent spaces precisely control lighting, temperature, humidity and other elements to help crops grow. By tricking sensors used in indoor and outdoor farms, hackers could trigger the system to increase heat, light and so on, to that point that crops die.
“Smart farming has become commonplace as farmers use sensors to measure humidity, rainfall, and temperature to efficiently irrigate crops and determine optimal harvest times,” explains the IBM report. “Manipulation of this sensor data could result in irreversible crop damage, targeting a specific farm or an entire region – which from a global perspective, could cut off food to populations, dictate new market realities, or even spread disease.”
Defending against this range of attacks is not as simple as just increasing traditional cyber security efforts, however, due to the ubiquity of the technology and the vast number of entry points for hackers. Furthermore, once a vulnerability is identified, it is not as simple as sending out a patch to solve the problem.
“There’s no easy way to patch a city, and this maps back to the fact that when it comes to device security, the responsibility is twofold: while it’s the manufacturer’s job to make sure that their products are built securely, it’s the user’s responsibility to make sure they are practicing good security hygiene,” the IBM report explains. “Further, there’s a shared responsibility between the manufacturer and the user: with the former issuing software updates for security issues, and the latter actually applying those updates.”
Cyber security in smart cities will require a top-to-bottom culture shift, from the manufacturers, vendors and users of these vulnerable systems. Considering worldwide spending on technologies for smart city projects is estimated to reach $80 billion in 2018 and will grow to $135 billion by 2021, it seems that we will soon be too deep into the technology deployment to solve these issues before that become problems. As so often is the case, we will have to wait for a major cyber-supervillain incident before we begin to address the vulnerabilities of smart cities.