What happens when smart cities open the physical world to cyberattacks?

The benefits of smart cities and an increasingly connected world are much-discussed. But the convenience, energy efficiency, automation, and personalized experience of internet-connected homes, cars, offices, and cities also invites security threats that are just beginning to be understood, and many that have yet to be discovered.

Researchers at the Georgia Institute of Technology recently shed light on a less-discussed aspect of the threats of connecting the digital and physical worlds. In a study published in the journal Physical Review E, the researchers showed how hacked cars can cause mass mayhem by freezing traffic and gridlocking large cities.

“Unlike most of the data breaches we hear about, hacked cars have physical consequences,” says Peter Yunker, assistant professor in Georgia Tech’s School of Physics and co-lead on the study.

Alarm over hacking cars was first began in 2015. Security researchers Charlie Miller and Chris Valasek demonstrated how they could remotely manipulate a Jeep Cherokee and eventually shut it down through its infotainment system. With cars becoming increasingly equipped with internet-connected computing parts, these threats are becoming more of a reality, especially since many of these vehicles sport poorly secured components.

But while most research has focused on the consequences of hacking individual vehicles, the GIT researchers show the mass-scale consequences of vulnerabilities in vehicles.

“Anyone who has driven past a single accident has seen how much-isolated disruptions can impede the flow of traffic. However, what we find is that in a large-scale hack, traffic may not be merely slowed, but completely halted. This is an ‘emergent’ problem; in other words, the whole is more than the sum of the parts, and it can only be predicted by studying many vehicles at once,” Yunker says.

Yunker and his colleagues found that randomly hacking and stalling as much as 10 percent of cars during rush hour could bring traffic in a city such as Manhattan to a stand-still and disrupt critical services. This means that only a fraction of cars needs to be connected to the internet to make this threat a reality.

The larger threat of internet-connected infrastructure

While the GIT researchers studied hacks against cars, Yunker says that similar damages can be dealt with other domains where physical objects are being connected to the internet, collectively known as the internet of things (IoT).

“We do in fact see parallels. While the results of this work may not be directly applicable to these other domains, the idea that the offline, physical consequences must be accounted for to avoid ill effects remain,” Yunker warns.

The threat of massive hacking of internet-connected cars might still be remote. But we’ve already seen how vulnerabilities in other connected infrastructure can play out. In 2015, hackers with alleged ties to the Russian government hacked the power grid of Ukraine, causing a massive blackout that left 230,000 people without electricity in the freezing winter. The hackers launched a similar attack in 2016.

“As billions of insecure devices are connecting to the internet, they are creating a growing attack surface for bad actors,” says Jeff Hussey, CEO of Tempered Networks. “These devices can be compromised then used to launch attacks that spread laterally, from network to network, system to system, company to company, nation to nation.” 

Hussey warns about the threat of vulnerabilities in industrial IoT (IIoT), such as dams, residential buildings, transportation systems, and large industrial facilities that are being connected to the internet. 

“As IIoT devices are connected to the internet the cyber risks now include losing control of physical spaces, from commercial office buildings to hospitals, to manufacturing plants, and even ships at sea. To put this in perspective, losing control of a security camera is indeed troubling. But losing control of the facility itself, that the camera was protecting, is an even worse outcome,” Hussey warns.

What happens when you lose control of real, physical spaces? An example is the 2016 hack of the San Francisco Municipal Transportation Agency, in which cybercriminals infected the computers of the SFMTA with ransomware viruses

The attack did not bring the operations of the SFMTA to a halt, and the railways continued to operate, though customers were given free rides because ticket machines no longer worked. But this could be a precursor to more devastating future hacks. Experts are already warning about the threat of IoT ransomware, where attackers hold the physical operations of critical facilities and devices hostage.

IoT could become a loaded gun 

As internet connectivity becomes more ubiquitous in homes, offices, and public locations, there’s concern that IoT devices could become weaponized for other types of attacks. Hardware manufacturers compete to get a larger share of the fast-growing consumer IoT industry, and they are pushing plenty of insecure devices into the market, creating easy prey for cybercriminals.

“Most of IoT vendors are still driven by a ‘be first to the market’ approach. Today we see lots of poorly secured devices spread across households and corporate environments,” says Santeri Kangas, CTO of CUJO. “Cybercriminals see these insecure devices as an opportunity. They also use various automation tools to recruit new devices to their botnets.”

Botnets are computing devices that have been compromised by malware, allowing an attacker to remotely send commands to them. Hackers assemble huge botnets and used them for different types of cyberattacks such as a distributed denial of service (DDoS), where attackers flood a website with bogus traffic to overload and shut down its servers. Having lower security standards, IoT devices are attractive and easy targets for botnet developers.

“Using IoT devices as a source for DDoS attacks is getting really common lately, and we see more advanced development in this area, hidden in poorly secured IoT devices,” Santeri says.

One stark example is the massive DDoS attack against DNS provider Dyn, which caused massive internet outages in large swathes of the U.S. The attack was staged by Mirai, a botnet composed of thousands of hacked IoT devices.

IoT devices can also be hacked to perform other harmful activities, such as spying on homes or gathering mass data about consumers. 

The best offense is a good defense

“The primary approach to protecting the IoT to date has been to put traditional IT cybersecurity measures into place, which mostly involves installing a few firewalls and then observing insecure devices to see if they misbehave,” remarks Christopher Schouten, senior director of IoT Security at Kudelski Group. But as experience shows, that means weeks or months may pass before an attack is detected, and by that time, the damage is already done. 

A more effective approach, Schouten notes, is to ensure devices are secure by design, especially in high-risk industries such as healthcare, transportation, and heavy industrial machinery. This includes designing the hardware in a way that ensures the device’s software is protected, all the data it produces is private and confidential and only authorized people can access it, and that it will only accept commands from a system authorized to give them.

“Only by starting to think about security, identity, trust, integrity, and control at the beginning of the product life cycle will that product be protected from attack for the long-term,” Schouten says.

Of course, securing IoT devices costs time and money, and manufacturers are prone to cutting corners on security to deliver their products to market on time and faster than competitors. But this is gradually changing as new regulations are creating incentives and oversight for the security of IoT devices.

Laws such as the EU’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA) are holding manufacturers and developers of IoT devices and applications to account for how they handle and secure their customers’ data.

“IoT device manufacturers are forced to comply with the new laws and ensure ‘privacy by design,’” notes CUJO’s Kangas, who admits there is still plenty of room for improvement. “It’s a financial and technological issue that not every manufacturer manages to implement. Due to this, user data is not secure.”

What this means is that aside from manufacturers, every user and customer of IoT devices need to take the security of their internet-connected devices seriously, regardless of whether it’s a simple smart thermostat, the infotainment system of a car, or a complex control system for a large dam. “Connectivity comes with a cost,” Kangas reminds.

The Georgia Institute of Technology study is a reminder of what can happen if the market and consumers alike don’t collectively take responsibility for the security of an increasingly connected world. “As connected cars and ‘smart cities’ become more common, our cyber-security solutions must account for the fact that hacking can have immediate offline consequences,” Yunker warns.

Ben Dickson

Ben Dickson

Ben Dickson is a software engineer and founder of TechTalks. His work has been published by TechCrunch, VentureBeat, the Next Web, PC Magazine, Huffington Post, and Motherboard, among others.