IBM Research: The Sensors Powering Smart Cities Are Vulnerable to Hackers

Smart cities vulnerable

According to a research by IBM Security and data security firm Threatcare, sensors that power smart cities are vulnerable to hackers.

Smart city spending worldwide is estimated to reach about $81 billion globally in 2018. The researchers studied sensor hubs from 3 companies – Libelium, Echelon, and Battelle – that sell systems to underpin smart city schemes. All three companies influence smart city spending in various ways; for example, Echelon is one of the leading suppliers of smart street lighting deployments in the world, reports Wired.

These sensors monitor things such as air quality, weather, traffic, radiation, and water levels, and can be used to automatically inform fundamental services like traffic and street lights, security systems, and emergency alerts.

Read more Skyworks Launches 5G Antenna Tuning Solutions for Next-Gen Mobile Devices

About sending out emergency alerts, we know what happened in January; accidental missile alert sent Hawaii’s residents scrambling. In Dallas, last year, a hack set off the cities tornado sirens.

In fact, those incidents and others like it inspired Daniel Crowley of IBM X-Force Red and Jennifer Savage of Threatcare to investigate these systems in the first place. What they found dismayed them. In just their initial survey, the researchers found a total of 17 new vulnerabilities in products from the three companies, including eight critical flaws.

“The reason we wanted to focus on hubs was that if you control the central authority that runs the whole show then you can manipulate a lot of information that’s being passed around,” Crowley told Wired. “It appears to be a huge area of vulnerability, and the stakes are high when we’re talking about putting computers in everything and giving them important jobs like public safety and management of industrial control systems. When they fail, it could cause damage to life and livelihood and when we’re not putting the proper security and privacy measures in place bad things can happen, especially with a motivated and resourced attackers.”

The researchers discovered basic vulnerabilities, like weak default passwords that would make it easy for an attacker to access a device, along with bugs that could allow an attacker to inject malicious virus, and others that would allow an attacker to dodge authentication checks.

Also, schemes in many smart cities use the open internet, rather than an internal city network, to connect sensors or relay data to the cloud, potentially leaving devices exposed publicly for anyone to find.

The three companies have developed patches for all 17 bugs. Echelon, whose smart city offerings include not just lighting but also building automation and transportation, says it worked along with IBM to resolve its issues.

Smart cities vulnerable

“We appreciate IBM bringing their considerable resources to bear in finding these potential security issues,” Battelle spokesperson Katy Delaney WIRED. “We wanted feedback and we appreciate the scrutiny, improvement, and help.”

Libelium, a Spanish company that offers extensive support to smart cities, said in a statement that several weeks ago they were informed by IBM about some web vulnerabilities which had been found in the Meshlium Manager System. “The company took action instantaneously and all vulnerabilities detected were automatically amended with a new software version released on August 1st which is ready to be downloaded from the Manager System,” the statement read.

Read more Smart Cars Enabled with Wearables

While providing patches for the flaws is an important step, the researchers note the significance of raising awareness about these problems to make sure that the city governments are prioritizing patching, which organizations so often don’t. The smart city hubs the researchers investigated do not have capabilities of auto-updating, a common setup on industrial control devices since a foolish update could destabilize vital infrastructure. But the downside is that every entity using these products will need to proactively apply the patches, or devices in the wild will continue to be vulnerable, reported Wired.