You may not realize it, but technology surrounds you wherever you go, especially if you are among the 80 percent of Americans living in cities. We have had computer systems connected to public networks for decades now, but a new trend toward creating smart cities is pitching technological developments as solutions to age-old problems like traffic congestion, energy efficiency, and urban planning.
The more tech invades cities, the more vulnerable they become to cyberattacks. At a session titled “Connected Cities, Hackable Streets” at this year’s SXSW conference, Tom Cross of Drawbridge Networks and Robert Hansen of OutsideIntel discussed the dangers of current smart city systems, and what can be done about it.
Can’t cities just stay dumb?
It would be easier if cities could continue to operate with their current dumb systems. We wouldn’t have to worry about the privacy of our data or the security of the infrastructure around us. But an unavoidable problem remains: cities are incredibly inefficient.
Smart cities can help address all of these issues. According to network provider Telefonica, smart metering can decrease electricity consumption by 10 percent, and personal water waste by seven percent. It can also decrease the amount of transportation needed for trash collection by 25 percent, and CO2 emissions by 17 percent by decreasing traffic congestion.
If your trash knows when it’s full you can focus trash collection when and where it needs to be collected, Cross said. If you have sensor based lights you don’t have to have them on all night long, only when people are there. You can reduce light pollution and energy consumption. These may seem like small things, but when you think of something as big as a city, these consequences can add up.
It’s not hard to hack a city
Smart cities have the worst of both worlds: legacy systems that have been in operation for a long time and bleeding edge tech that we haven’t been able to figure out yet but is being rapidly adopted throughout cities, according to Cross.
Like driving a car, being connected to the internet is inherently dangerous, and unless cities put on their cyber seatbelts and secure their devices, they are vulnerable to devastating events.
Of course, cybersecurity is much more difficult than putting on a seatbelt, but even the simple steps are being missed. A number of experiments by ethical computer hackers, known as white hats, illustrate just how easy it is for someone to hack into our infrastructure and cause tremendous damage.
In 2014, security researchers at the University of Michigan hacked nearly 100 traffic lights connected to a wireless network that they found had no security whatsoever. They discovered a number of trivial vulnerabilities in the devices: They weren’t encrypted, they used default usernames and passwords, and the network was vulnerable to known exploits.
The following year, ethical hackers Charlie Miller and Chris Valasek exploited a Jeep Cherokee and took over its controls from their basement 10 miles away. They toyed with the driver’s climate control, blared the radio, and even immobilized the Jeep by taking control of its accelerator and braking.
These are just a few examples of exploits discovered by the good guys. But what happens when the wrong hands pick up on these vulnerabilities, if they haven’t already?
The real dangers of a smart city
Cross used the example of a smart traffic light and described three different actor classes for hacking infrastructure: teenagers who are bored, criminals, and nation states. If you are wondering why a nation state would go after traffic lights, Cross provides an enlightening answer: a country could attempt to influence a political election by changing the lights in certain areas to slow down where people can vote.
That example might seem far-fetched, but hackers will find any vulnerability to tap into.
In December 2013, Target was the victim of a breach that stole information from 40 million credit and debit cards. While Target’s reputation took the hit, it was actually the air conditioning that caused the problem. According to well-known security reporter Brian Krebs, hackers stole login information and used malware to penetrate a heating, ventilation, and air-conditioning company working for Target. They used the HVAC company as a backdoor into Target’s databases.
But let’s go back to the bored teenager. If you think that sounds harmless, I’m sorry to say you’ve already been proved wrong. In 2008, a 14-year-old Polish student hacked into the Lodz tram system with a modified TV remote. He derailed four trams and injured 12 people.
Now, imagine what happens after the inevitable adoption of autonomous vehicles in the years ahead. Hansen says it could be used for warfare.
“The problem is that cities are food islands: they rely on food to be transported to us, same as gas,” Hansen said. “If trucks stop delivery, we’d only have days of food left in this food island, a week max.”
Let’s just ship secure devices
Anyone who makes devices in the extremely competitive tech space is in a hurry to get their products to market, and they aren’t economically invested in putting in security. Adding security and testing it against known vulnerabilities increases development cost and delays the launch.
Companies don’t like that. They even go through stages of denial when they’re told about a security problem but don’t address it, according to Cross.
The first is a natural human process: Shoot the messenger. They say you shouldn’t be allowed to talk about their car being hackable. The second is, I don’t need to fix that, do I? If no one knows about it, it’s okay. The third is the acceptance phase, I’m going to be updating this all the time, I need infrastructure to do that.
As companies become more aware and proactive about securing their devices, they will need to change their strategies for creating new products.
Getting companies to spend on security
Even though some considered it stunt hacking, the media coverage of the aforementioned Jeep hack is one way of forcing companies into a corner, according to Cross.
Another is government enforcement.
“It must be audited, it must be able to patch, there must be financial recourse for not having those things,” Hansen said. “We should be doing that with every contract we read or write by adding service-level agreements. We need a single throat to choke, a chief information officer for every city.”
IOActive Labs, a security consultancy, offers several additional recommendations for protecting smart cities. Here are a few of them:
- Check for proper encryption, authentication, and authorization and make sure the systems can be easily updated.
- Ask all vendors to provide all security documentation. Make sure Service Level Agreements include on-time patching of vulnerabilities and 24/7 response in case of incidents.
- Fix security issues as soon as they are discovered. A city can continuously be under attack if issues are not fixed as soon as possible. For instance, if a traffic control system is hacked and not quickly fixed, it will continue being hacked over and over again and turn the city into chaos.
But the one thing that can be done even before a product goes into production is figuring out if it really needs to be on the public internet and why.