As smart city systems become more common across the globe, professionals trust them to provide accurate information on everything from weather and traffic to lost children. However, IBM researchers uncovered 17 zero-day vulnerabilities in four smart city systems—eight of which were critical—that have the potential to be exploited remotely and wreak havoc on businesses, according to a Thursday report.
The largest vulnerabilities were caused by some of the most common security issues, Daniel Crowley, research director for IBM X-Force Red, explained in a blog post. Default passwords, authentication bypass, and SQL injections were all common threats impacting smart city devices.
IBM tested devices across three categories: Intelligent transportation systems, disaster management, and the industrial Internet of Things (IoT). These devices collect data that can inform people about the state of cities, such as water and radiation levels, traffic, weather, disaster detection, and remote control of industry and public utilities.
SEE: IT leader's guide to the rise of smart cities (Tech Pro Research)
The vulnerabilities were found in smart city systems from Libelium, Echelon, and Battelle. All of the flaws were disclosed to the companies and have since been patched, the post noted.
"According to our logical deductions, if someone, supervillain or not, were to abuse vulnerabilities like the ones we documented in smart city systems, the effects could range from inconvenient to catastrophic," Crowley wrote in the post. "While no evidence exists that such attacks have taken place, we have found vulnerable systems in major cities in the U.S., Europe and elsewhere."
By exploiting the flaws in the devices studied, attackers could cause chaos in a number of ways, the report found. For one, they could manipulate water level sensor responses to report flooding in an area where there is none, or to silence those sensors to prevent the warning of an actual flood. It's also possible to do something similar with radiation alarms. Hackers could also gain access to remote traffic sensors to cause gridlock on roads, or set off building alarms.
"The effects of vulnerable smart city devices are no laughing matter, and security around these sensors and controls must be a lot more stringent to prevent scenarios like the few we described," Crowley wrote in the post.
SEE: Vendor relationship management checklist (Tech Pro Research)
Many new opportunities exist for businesses located in smart cities, especially if they want to partner with the city on initiatives. However, businesses must be wary of these potential vulnerabilities. To stay secure, IBM recommended smart city systems do the following:
- Implement IP address restrictions to connect to smart city systems
- Leverage basic application scanning tools to identify flaws
- Use strong password and API key practices
- Use security incident and event management (SIEM) tools to identify suspicious traffic
- Hire penetration testers to test systems for software and hardware vulnerabilities
Businesses should ensure that any smart city projects they work with have those procedures in place, and that they have their own security protections in place as well.
The big takeaways for tech leaders:
- IBM researchers uncovered 17 zero-day vulnerabilities in four smart city systems that have the potential to be exploited remotely and wreak havoc on businesses.
- Smart city systems should implement IP address restrictions, basic application scanning tools, strong passwords, and SIEM tools to protect themselves.
Alison DeNisco Rayome has nothing to disclose. She does not hold investments in the technology companies she covers.
Alison DeNisco Rayome is a Senior Editor for TechRepublic. She covers CXO, cybersecurity, and the convergence of tech and the workplace.