So-called smart cities, with wireless sensors controlling everything from traffic lights to water management, may be vulnerable to cyberattacks, according to a computer security expert.
Last year, Cesar Cerrudo, an Argentine security researcher and chief technology officer at IOActive Labs, demonstrated how 200,000 traffic control sensors installed in major hubs like Washington, New York, Melbourne and Lyon were vulnerable to attack. Mr. Cerrudo showed how information coming from these sensors could be intercepted from 1500 feet away — or even by drone — because one company had failed to encrypt its traffic.
Just last Saturday, Mr. Cerrudo tested the same traffic sensors in San Francisco and found that, one year later, they were still not encrypted.
Mr. Cerrudo said he was increasingly uncovering similar problems in other products and systems incorporated into smart cities. He has discovered simple software bugs, poorly installed encryption or even no encryption at all in these systems. And he has found that many are wide open to a fairly common attack, known as a distributed denial of service, or DDoS, in which hackers overwhelm a network with requests until it collapses under the load.
Mr. Cerrudo has found ways to make red or green traffic lights stay red or green, tweak electronic speed limit signs, or mess with ramp meters to send cars onto the freeway all at once.
Security researchers say that the opportunities for a maliciously minded hacker or government abound. Last year, security researchers at the Black Hat Europe conference in Amsterdam demonstrated how to black out parts of cites simply by manipulating smart meters and exploiting encryption problems in power line communication technology.
The threat is not just hypothetical. Last year, security companies discovered a hacking group, known both as Dragonfly and Energetic Bear, that was actively targeting power networks across the United States and Europe.
Last year, the US Department of Homeland Security acknowledged in a report that “a sophisticated threat actor” had broken into the control system network at a public utility, simply by guessing a password on an internet-connected system.
And in 2012, Chinese military hackers successfully breached the Canadian arm of Telvent. The company, now owned by Schneider Electric, produces software that allows oil and gas pipeline companies and power grid operators to gain access to valves, switches and security systems remotely. It also keeps detailed blueprints on more than half the oil and gas pipelines in North America.
Full article: Smart cities the world over ripe for hacking, expert says (The Sydney Morning Herald)