Black Hat: Not So Secure Smart Cities

Wednesday, August 22, 2018 @ 05:08 PM gHale

By Gregory Hale
Smart city technologies are already thriving across the world, from countries like Singapore and China down to cities like Austin, TX.

In the rush to deploy this Internet of Things (IoT) or Industrial Internet of Things (IIoT) smart city technology, the security of the devices really comes into play.

Three security professionals – Daniel Crowley, research baron at IBM X-Force Red, Jennifer Savage, security researcher for Threatcare, and Mauro Paredes, managing consultant at IBM X-Force Red – took a sampling of smart city devices in use today and discussed just how vulnerable they were during a presentation entitled, “Outsmarting the Smart City,” at Black Hat USA 2018 in Las Vegas.

Crowley mentioned what makes a smart city smart:
• IIoT
• Urban automation
• Public safety/emergency management
• Intelligent transportation systems
• Metropolitan communication systems

In a smart city, however, citizen privacy and risk management options are limited, so to eliminate those issues, Savage said residents would need to make sure they have:
• No Alexa
• No smart TV
• No smartphone
• Own a really old car
• Or just move into a “not smart city”

“You just don’t have a choice in smart cities,” she said.

Savage talked about her city of Austin, TX, and used it as a case study. The end result was that plenty of the deployed devices had multiple vulnerabilities, and some of them involved SCADA systems.

“With SCADA, if you can talk to it, you can control it,” she said.

In addition, in smart cities, it is easier for connected vehicles to communicate with each other, Crowley said.

“There are privacy concerns,” Crowley said. “In China, they have said people have less concerns with privacy, which they say makes them much faster.”

In some smart cities, folks are beginning to install smart street lights with cameras. “In Singapore, they want to put facial recognition in all street lights,” Crowley said.

“The question now is,” Crowley said, “what is out there and how do you find it?”

Those wanting more information can use search engines to find customer case studies, news reports and smart city open data initiatives; some contracts are also public by law.

In addition, it is possible to find information via search engines like Shodan, or even do visual inspections for wireless devices.

In their research on smart cities, the researchers tested four solutions by three manufacturers that see use in smart city development:
1. Meshlium by Libelium (Libelium is a manufacturer of hardware for wireless sensor networks)
2. i.LON 100/i.LON SmartServer and i.LON 600 by Echelon (Echelon specializes in industrial IoT, embedded and building applications and manufacturing devices like networked lighting controls)
3. V2I (vehicle-to-infrastructure) Hub v2.5.1 by Battelle (Battelle is a nonprofit that develops and commercializes technology)
4. V2I Hub v3.0 by Battelle

V2I (vehicle-to-infrastructure) Hub v2.5.1 by Battelle had a hard-coded admin account, various API key issues, cross-site scripting (XSS), SQL injection (SQLi) in the API and missing authentication, which could lead to the ability to track vehicles, send false safety messages, create traffic or just power it down.

“The ability to watch who is going where is very important for an adversary,” Crowley said.

With the i.LON SmartServer and i.LON 600, it is possible to gain access through default web credentials, default FTP credentials, unauthenticated API calls (SmartServer only), plaintext communications and an authentication bypass.

After gaining that access, it is then possible to use the cleartext password file on FTP, replace binaries via FTP to execute code, fiddle with ICS gear and change the IP address of the i.LON.

Libelium Meshlium allows an attacker to gain access because of missing authentication and shell command injection, which could lead to creating false sensor data and hiding real sensor data, the researchers said.

Device Categories
The tested devices fell into three categories: intelligent transportation systems, disaster management and the industrial Internet of Things (IIoT). They communicate via WiFi, 4G cellular, ZigBee and other communication protocols and platforms. Data then flows into interfaces that inform citizens about what is happening in cities, for instance if the water level at the dam is getting too high.

The researchers then conducted a demo showing how it was possible to flood a city by taking over the various devices and technology, while making it seem like everything is running normally.

The researchers did share what they found with the manufacturers, who worked quickly to make fixes and release them. In addition, the researchers informed the owners of vulnerable devices they found online.

There is no doubt smart cities are the wave of the future, but in their rush to become smart, cities need to think about a total security program and ensure security is built into devices.
