Hacking smart cities: Dangerous connections
Once just a curiosity for technology enthusiasts, the Internet of Things (IoT) has become mainstream. In fact, the IoT security market is estimated to grow from USD 7.90 billion in 2016 to USD 36.95 billion by 2021, at a CAGR of 36.1%, according to MarketsandMarkets.
We’re not just talking about devices such as home lightning systems or audio receivers anymore. Today, we are witnessing a surge in the development of smart buildings, routinely plagued by a plethora of security issues. Connections keep getting smarter and bigger. In fact, just last month, the Netherlands and South Korea got their own, nationwide IoT networks.
The rise of smart cities
Commercial real estate benefits greatly from IoT implementation. Gartner estimates that 1.6 billion connected things will be used by smart cities in 2016, an increase of 39 percent from 2015.
Many organizations around the world are working on innovative solutions that aim to make smart cities more comfortable, energy efficient, and safe. Unfortunately, not many are seriously considering the IT security of their products.
Thankfully, both the information security industry and governments worldwide are taking notice.
The European Innovation Partnership on Smart Cities and Communities (EIP-SCC), which brings together cities, industry and citizens to improve urban life through more sustainable integrated solutions, has published the first public draft of its Operational Implementation Plan.
Backed by IT security researchers, companies and organizations, including IOActive, Kaspersky Lab, Bastille, Opposing Force, and the Cloud Security Alliance, the global Securing Smart Cities initiative aims to solve the cybersecurity challenges smart cities face through collaboration and information sharing. I suggest taking a look at their Cyber Security Guidelines for Smart City Technology Adoption, as well as the Pen Testing a City whitepaper.
Hacking smart cities
While the idea of smart cities looks appealing on the surface, the technologies driving them are generally insecure.
“A lot of investment is required to create and install new technologies, and not much of that is dedicated to assess and verify them from a security perspective before market delivery,” Matteo Beccaro, CTO at Opposing Force, told Help Net Security.
“Since we still haven’t heard of a big security incident involving smart cities, vendors still primarily see security just as a cost. The main issue is that when (and not if) a security incident happens, it will probably be very high profile, and lives may even be in danger,” he added.
Despite the smart technology business booming, there are no compliance regulations that can help those implementing large-scale IoT solutions achieve more security. All they have at the moment are optional guidelines and best practices.
Matteo Beccaro, and his colleague Matteo Collura, are the authors of “(Ab)using Smart Cities: The Dark Age of Modern Mobility”, an analysis of the insecurity of smart cities, to be presented next week at the HITB GSEC conference in Singapore.
“We’ve discovered a complete lack of interest in devices that can handle millions of Euros for a city. For example, in our parking meter case study, a malicious user could easily sell hacked devices which allow user to obtain free parking forever. In our sample city, parking alone represents 27 million Euros of the city’s yearly income. We’re talking about just one city, while our device can be used in 40 cities,” says Beccaro.
The researchers also analyzed bike sharing, and spotted both hardware and software security flaws. They’ve discovered that the card used to unlock the bicycles can be easily cloned, meaning bikes might be removed from their stations without alerting the central system.
Smart cities are clearly the future, and they bring great promise. However, can we afford a rise in insecure connectivity and intelligence that can ultimately leave entire cities vulnerable to digital attacks?