Connecting state and local government leaders
“The current attack surface for cities is huge and wide open to attack,” says IOActive CTO Cesar Cerrudo.
Faster technology adoption saves cities resources and time while allowing them to better serve their citizens. But that creates more layers of technological infrastructure and IT systems, and, thus, more exposure to potential cyber threats, Chief Technology Officer Cesar Cerrudo wrote in the report.
“The current attack surface for cities is huge and wide open to attack. This is a real and immediate danger,” Cerrudo wrote. “It’s only a matter of time until attacks on city services and infrastructure happen.”
Hallmarks of smart cities are intuitive traffic lights, parking apps, streetlights, transportation schedules, resource monitoring, security cameras and gunshot detectors.
The systems, networks and sensors those services employ can be subverted to deny service, cause traffic accidents and blackouts, damage infrastructure, fake disasters or steal data.
Cerrudo cites a few threat scenarios in his white paper. An example:
Imagine if an attacker can intentionally trigger those bugs and with some planning, get an even bigger impact. For instance, an attacker could manipulate map information and work orders to send city or contractor workers to dig a hole over gas or water pipes or communication cables, with the intention to damage those facilities. After all, this has already happened in the past by mistake several times.
Another more specific threat Cerrudo points to involves smart traffic signal systems. There are at least 100,000 intersections in the United States and Canada that his research found to lack encryption. Some cities that use the vulnerable traffic control sensors include Washington, D.C., New York City, Seattle and San Francisco, according to the white paper.
Cerrudo notes in his research common pitfalls of cities include failing to regularly test new tech’s cybersecurity, improper encryption and a lack of a computer emergency response team or, barring that, an emergency response.
“Technologies used by cities must be properly security audited to make certain that they are secure before they are implemented,” he wrote. “To fail to do so is reckless.”
Even open data can be manipulated or used to sharpen attacks—from attackers ranging from well-educated terrorist extremists to foreign countries and cybercriminals to hacktivists.
Cerrudo’s solution? Among other things, require 24/7 response and patching from vendors, monitor public data access, fix bugs quickly and prepare for the worst with organizational threat modeling.