Black Hat 2018: Widespread Critical Flaws Found in Smart-City Gear

Smart-city technology continues to roll out in municipalities worldwide – everything from automated alerts about weather hazards and traffic issues to smart lighting and connected trash systems. However, like the rest of the Internet of Things (IoT) ecosystem, security is always a concern, as evidenced by the 17 zero-day vulnerabilities that researchers have found in four smart city systems — eight of which are critical in severity.

Researchers from Threatcare and IBM X-Force Red joined forces to test several smart-city devices that are widely deployed, with the specific goal of investigating “supervillain-level” attacks from afar. The research, at Black Hat and DEF CON 2018, delved into three categories of devices: Intelligent transportation systems, disaster management and industrial IoT.

Regardless of category, all smart city deployments share a common topology, IBM researcher Daniel Crowley noted, writing about the research in a posting today — a topology that presents an attractive attack surface for bad actors interested in causing disruption.

“Data generated by these systems and their sensors is fed into interfaces that tell us things about the state of our cities — like that the water level at the dam is getting too high, the radiation levels near the nuclear power plant are safe or the traffic on the highway is not too bad today,” he explained. “They communicate via Wi-Fi, 4G cellular, ZigBee and other communication protocols and platforms.”

He added, “‘panic attacks’ could become a real threat.”

Critical Flaws

The team’s initial testing showed that the devices across categories had another shared attribute: All were vulnerable to common security issues, such as default passwords, authentication bypass and SQL injections – “old-school threats that should not be part of any smart environment,” Crowley said.

Some of these proved to be critical in severity.

In the Meshlium wireless sensor networks by Libelium, researchers found a critical pre-authentication shell injection flaw, present in four distinct instances.

The researchers also found two critical flaws in the i.LON 100/i.LON SmartServer and i.LON 600 by Echelon, which are controllers/routers and smart energy managers for things like connected traffic lights.

These were a i.LON 100 default configuration that allows authentication bypass (CVE-2018-10627); and a second authentication bypass flaw in the i.LON 100 and i.LON 600 devices (CVE-2018-8859).

Other, less severe issues in the system included the use of default credentials, unencrypted communications and plaintext passwords.

In the vehicle-to-infrastructure V2I Hub v2.5.1 by Battelle, a critical flaw was found in the form of a hard-coded administrative account (CVE-2018-1000625). Other high- and medium-severity issues involved sensitive functionality being available without authentication; a vulns allowing SQL injection; the use of a default API key and the API key file being web-accessible; an API auth bypass; and a reflected cross-site scripting (XSS) flaw.

Meanwhile, a critical flaw in the V2I Hub v3.0 by Battelle would allow SQL injection (CVE-2018-1000631).

Once notified, all the vendors were responsive and have since issued patches and software updates to address the flaws, Crowley said.

Widespread Deployment

Once the vulnerabilities were uncovered, the researchers looked to see how widely deployed the affected gear is, using common search engines like Shodan and Censys. The team found hundreds of the devices exposed to remote access on the internet.

After some digging, they were able to trace the affected devices to the owners: major cities in the U.S., Europe and elsewhere.

“We found a European country using vulnerable devices for radiation detection and a major U.S. city using them for traffic monitoring,” said Crowley. “Upon discovering these vulnerabilities, our team promptly alerted the proper authorities and agencies of these risks.”

Potential Implications

In many cases, the vulnerabilities could be exploited for “nuisance” attacks – turning lights down or displaying untoward messages on highway signs. But they can also be used for much darker purposes – although there’s no evidence of such attacks taking place to date.

“Attackers could manipulate water level sensor responses to report flooding in an area where there is none — creating panic, evacuations and destabilization,” Crowley said, adding that the same could be true for radiation monitors at nuclear power plants and similar critical infrastructure. “Conversely, attackers could silence flood sensors to prevent warning of an actual flood event [or other catastrophe], whether caused by natural means or in combination with the destruction of a dam or water reservoir.”

Or, an attacker could control a few square blocks worth of remote traffic sensors, to create a gridlock effect as is often seen in the movies.

“Those gridlocks typically show up when criminals needed a few extra minutes to evade the cops or hope to send them on a wild goose chase,” Crowley said. “Controlling additional systems could enable an attacker to set off a string of building alarms or trigger gunshot sounds on audio sensors across town, further fueling panic.”

According to IBM, mitigations for cities include implementing IP address restrictions to connect to the smart city systems; leveraging basic application scanning tools that can help identify simple flaws; using safer password and API key practices; taking advantage of security incident and event management (SIEM) tools to identify suspicious traffic; and hiring pen testers to probe the system.

Cities would be wise to listen, given that deployments are gaining in momentum. Smart city technology spending is anticipated to hit $80 billion this year and grow to $135 billion by 2021, according to IDC.

“As smart cities become more common, the industry needs to re-examine the frameworks for these systems to design and test them with security in mind from the start,” Crowley said.