Researchers Reveal Smart City System Flaws at Black Hat
LAS VEGAS—A pair of researchers from IBM and Threatcare have discovered 17 vulnerabilities across three different manufacturers and four different smart city products and will detail their findings at Black Hat USA here on Aug. 9.
In a video interview with eWEEK, security researcher Daniel Crowley from IBM X-Force Red and security researcher Jennifer Savage from Threatcare outlined the risks and provided a physical demonstration of what the impact could be. The demonstration was done with a miniature dam that was connected to a vulnerable device. The researchers showed how they were able to take control of the vulnerable hub, tricking the attached sensors, leading to a flood.
The overall goal of the research was to look at potential vulnerabilities in connected smart city technologies. The technologies enable digital control and remote access of different types of infrastructure sensors that could be used in a variety of scenarios. Savage said the two researchers looked specifically at control hubs to identify vulnerabilities.
Crowley explained that the flood control system was controlled by a device from Libelium called the Meshlium, which is an internet of things (IoT) gateway. The researchers found four flaws in the device that enabled them to gain remote access. The researchers did not need any exotic tools to discover the flaws.
Savage noted that the researchers were able to download the firmware for the impacted devices, which was written in the open-source php programming language. They were then able to simply use the "grep," or search command, to look for potential points of access. Crowley said the grep search looked for the php "exec" function, executing on data from a "get" or "post" array, for user input.
"These vulnerabilities were pretty easy to find," Crowley said.
The researchers worked with ICS-CERT and impacted vendors to disclose the vulnerabilities, which have since been patched.
It's not entirely clear how many deployed devices and cities were at risk from the flaws. Crowley said that a basic shodan.io search found 450 instances of one type of vulnerable technology that was publicly exposed to the internet.
"Certainly exposing smart city technology to the internet, without any sort of restriction on who can connect to it, that I'd call a configuration mistake," Crowley said. "These things shouldn't be exposed to the entire world."
Watch the full video interview with Crowley and Savage above.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.