Cities from Los Angeles to Seoul are pouring billions of dollars into smartifying infrastructure, networking everything from traffic lights to waste management systems. But just like most tech-focused public works project lead by underfunded or clueless (or both) bureaucrats, even basic security measures are being overlooked in the pursuit of progress.
Last year Argentinian security researcher Cesar Cerrudo showed how easy it was to breach traffic control systems used in 40 U.S. cities. Specifically, the magnetic sensors embedded in roads that send traffic data to trigger traffic lights could be compromised, allowing a nefarious individual to send incorrect information to the signals, screwing up the flow of traffic.
Cerrudo, a researcher at IOActive, is back this year with a paper that details all the different ways someone could access vital, networked infrastructure and city systems due to a lack of testing, nonexistent security, shoddy encryption, old technology, simple bugs that haven't been squashed, and a basic lack of resources.
"The goal of this paper is to open people's minds, to open companies minds and government's too," Cerrudo told Motherboard.
It might initially come off as alarmist, but delving into the problems over the last decade proves Cerrudo's point.
Back in 2013, a software glitch shut down the Bay Area Rapid Transit system into the early morning, stranding 19 trains with nearly 1,000 passengers on board. The previous year, a bug accidentally sent out 1,200 jury duty summons to Placer County California residents, clogging the streets around the courthouse for hours.
Then there's the 2003 blackout in Ontario, Canada that spilled into New York, leaving around 10 million people without power, canceling hundreds of flights, costing NY State billions, and contributing to the death of at least 10 people, including one man who was recovering from an electrical accident and was found dead in his apartment after his air conditioning shut down, causing his skin grafts to fail. Why? Just a bug in the alarm system.
The problem, as Cerrudo explains, is that the cities implementing these systems and the suppliers they're working with haven't taken the necessary precautions to ensure both air-tight security and eliminating glitches. In most cases, the companies supplying the systems are hardware vendors first, and their software skills are seriously lacking.
Some of the paper is dedicated to simple vulnerabilities in outdated systems, but the threat of target attacks are very much at the forefront of Cerrudo's mind. "Smart" street lighting, traffic control systems, sensors, public data, and cameras are all susceptible.
We've already seen how two LA traffic engineers accessed four intersections, reprogramming traffic lights to stay red for long periods of time, and snarling traffic for days. And that was in 2006.
"This is a real and immediate danger," says Cerrudo. "The more technology a city uses, the more vulnerable to cyber attacks it is, so the smartest cities have the highest risks."