You may not realize it, but technology surrounds you wherever you go, especially if you are in the 80 percent of Americans living in cities. We have had computer systems connected to public networks for decades now, but a new trend toward creating “smart cities” is pitching technological developments as solutions to age-old problems like traffic congestion, energy efficiency, and urban planning.
The more tech invades cities, the more vulnerable they become to cyberattacks. At a session titled “Connected Cities, Hackable Streets” at this year’s SXSW conference, Tom Cross of Drawbridge Networks and Robert Hansen of OutsideIntel discussed the dangers of current smart city systems, and what can be done about them.
Can’t cities just stay dumb?
It would be easier if cities could continue to operate with their current “dumb” systems. We wouldn’t have to worry about the privacy of our data or the security of the infrastructure around us. But an unavoidable problem remains: cities are incredibly inefficient.
Smart cities can help address all of these issues. According to network provider Telefonica, smart metering can decrease electricity consumption by 10 percent, and personal water waste by seven percent. It can also decrease the amount of transportation needed for trash collection by 25 percent, and CO2 emissions by 17 percent by decreasing traffic congestion.
“If your trash knows when it’s full you can focus trash collection when and where it needs to be collected,” Cross said. “If you have sensor-based lights you don’t have to have them on all night long, only when people are there. You can reduce light pollution and energy consumption. These may seem like small things, but when you think of something as big as a city, these consequences can add up.”
It’s not hard to hack a city
Smart cities have the worst of both worlds: legacy systems that have been in operation for a long time, and bleeding-edge tech that we haven’t been able to figure out yet but that is being rapidly adopted throughout cities, according to Cross.
Like driving a car, being connected to the internet is inherently dangerous, and unless cities put on their cyber seatbelts and secure their devices, they are vulnerable to devastating events.
Of course, cybersecurity is much more difficult than putting on a seatbelt, but even the simple steps are being missed. A number of experiments by ethical computer hackers, known as white hats, illustrate just how easy it is for someone to hack into our infrastructure and cause tremendous damage.
In 2014, security researchers at the University of Michigan hacked nearly 100 traffic lights connected to a wireless network that they found had “no security whatsoever.” They discovered a number of trivial vulnerabilities in the devices: They weren’t encrypted, they used default usernames and passwords, and the network was vulnerable to known exploits.
The following year, ethical hackers Charlie Miller and Chris Valasek exploited a Jeep Cherokee and took over its controls from their basement 10 miles away. They toyed with the driver’s climate control, blared the radio, and even immobilized the Jeep by taking control of its accelerator and braking.
These are just a few examples of exploits discovered by the “good guys.” But what happens when the wrong hands pick up on these vulnerabilities—if they haven’t already?
The real dangers of a smart city
Cross used the example of a smart traffic light and described three different actor classes for hacking infrastructure: teenagers who are bored, criminals, and nation states. If you are wondering why a nation state would go after traffic lights, Cross provides an enlightening answer: a country could attempt to influence a political election by changing the lights in certain areas to slow down where people can vote.
That example might seem far-fetched, but hackers will find any vulnerability to tap into.
In December 2013, Target was the victim of a breach that stole information from 40 million credit and debit cards. While Target’s reputation took the hit, it was actually the air conditioning that caused the problem. According to well-known security reporter Brian Krebs, hackers stole login information and used malware to penetrate a heating, ventilation, and air-conditioning company working for Target. They used the HVAC company as a backdoor into Target’s databases.
But let’s go back to the bored teenager. If you think that sounds harmless, I’m sorry to say you’ve already been proved wrong. In 2008, a 14-year-old Polish student hacked into the Lodz tram system with a modified TV remote. He derailed four trams and injured 12 people.
Now, imagine what happens after the inevitable adoption of autonomous vehicles in the years ahead. Hansen says it could be used for warfare.
“The problem is that cities are food islands—they rely on food to be transported to us, same as gas,” Hansen said. “If trucks stop delivery, we’d only have days of food left in this food island, a week max.”
Let’s just ship secure devices
Anyone who makes devices in the extremely competitive tech space is in a hurry to get their products to market, and they aren’t economically invested in putting in security. Adding security and testing it against known vulnerabilities increases the cost of development and delays the launch.
Companies don’t like that. They even go through stages of denial when they’re told about a security problem but don’t address it, according to Cross.
The first is a natural human process: Shoot the messenger. They say you shouldn’t be allowed to talk about their car being hackable. The second is, “I don’t need to fix that, do I? If no one knows about it, it’s okay.” The third is the acceptance phase, “I’m going to be updating this all the time, I need infrastructure to do that.”
As companies become more aware and proactive about securing their devices, they will need to change their strategies for creating new products.
Getting companies to spend on security
Even though some considered it “stunt hacking,” the media coverage of the aforementioned Jeep hack is one way of forcing companies into a corner, according to Cross.
Another is government enforcement.
“It [smart city tech] must be audited, it must be able to patch, there must be financial recourse for not having those things,” Hansen said. “We should be doing that with every contract we read or write by adding service-level agreements. We need a single throat to choke, a chief information officer for every city.”
IOActive Labs, a security consultancy, offers several additional recommendations for protecting smart cities. Here are a few of them:
- Check for proper encryption, authentication, and authorization and make sure the systems can be easily updated.
- Ask all vendors to provide all security documentation. Make sure Service Level Agreements include on-time patching of vulnerabilities and 24/7 response in case of incidents.
- Fix security issues as soon as they are discovered. A city can continuously be under attack if issues are not fixed as soon as possible. For instance, if a traffic control system is hacked and not quickly fixed, it will continue being hacked over and over again and turn the city into chaos.
But the one thing that can be done even before a product goes into production is figuring out if it really needs to be on the public internet and why.