Smart cities still vulnerable to well-known attacks
- By Matt Leonard
It’s been almost two years since the Mirai botnet attack brought down a number of popular websites by leveraging internet-of-things devices to direct an unmanageable amount of traffic to DNS servers.
Smart cities may suffer a similar fate.
A new study from the IBM X-Force research group and security advisory firm Threatcare shows that some of the same vulnerabilities experts highlighted following the October 2016 Mirai attack -- such as unchanged default passwords -- can still be found in components of smart city applications.
The researchers found 17 zero-day vulnerabilities across different products from three companies: Echelon, Libelium and Battelle.
Echelon's i.LON device family connects industrial control systems to IP-based networks.
“The state of ICS security is such that being able to communicate with an ICS device at all generally puts you in a position to control that device as if you’re an administrator,” Daniel Crowley, research baron at IBM's X-Force Red penetration testing group, said in an interview.
But additional vulnerabilities with the i.LON family make hacking them even easier. The devices use default passwords, and the smart server did not require a username and password to use the application programming interface. “That means you can use pretty much all the functions of the device without any authentication,” Crowley said.
The Libelium Meshlium IoT gateway has a series of pre-authentication shell injection flaws that could be used to launch an attack.
The V2I Hub from Battelle is open source software for connecting automated vehicles to smart city infrastructure. In one version of the software, researchers found hard-coded passwords. A newer version of the software had an SQL injection flaw in the login prompt, Crowley said, which could allow someone to get all of the usernames and passwords out of a database and then login with one of them.
Many of these vulnerabilities, especially default passwords, are easy to exploit, he said. Default passwords can routinely be found with a Google search for “default password" and the name of the target device.
The report offered a few recommendations for managing smart city vulnerabilities, including restricting access to connected devices, scanning applications and disabling unnecessary remote administration features.
Crowley also suggested that cities be more transparent about the IoT technology they install. “The people who live in the city don’t really get a choice in the matter of whether or not they get these devices deployed," he said.