Subscribe

Smart city security exposed

Admire Moyo
By Admire Moyo, ITWeb's news editor.
Johannesburg, 22 Apr 2016
The new wave of smart city services and technologies is also expected to create new security vulnerabilities
The new wave of smart city services and technologies is also expected to create new security vulnerabilities

Although smart city adoption is gathering pace across the globe, security experts fear that this will open doors to cyber criminals.

Market research firm Frost & Sullivan says smart city adoption is on the rise as a result of numerous market drivers such as population strain on ageing infrastructure, greater demand and improved affordability of building level sensors, and the evolution towards a connected world.

Perry Hutton, regional vice-president for Africa at Fortinet, says driven by rising urbanisation and fuelled by technologies such as the Internet of Things and data analytics, smart cities are on the cusp of explosive growth.

The concept of smart cities is still in the nascent stage in SA. Cities like Glasgow, Barcelona, Nice, New York City, London and Singapore have already embarked on the journey, he notes, adding the smart city technology market could be worth $27.5 billion annually by 2023, according to Navigant Research.

"But the new wave of smart city services and technologies is also expected to create new security vulnerabilities," Hutton says.

Security solutions vendor Kaspersky Lab recently conducted a field study into the specific type of road sensors that gather information about smart city traffic flow. The study proved that data gathered and processed by these sensors can be dramatically compromised. This could potentially affect future city authority decisions on the development of road infrastructure, says Kaspersky.

Complicated system

According to the security solutions vendor, transport infrastructure in a modern megalopolis represents a very complicated system, containing different sorts of traffic and road sensors, cameras, and even smart traffic light systems.

All the information gathered by these devices is delivered and analysed in real-time by the special city authorities, it notes. Decisions about future road construction and transport infrastructure planning can be made based on this information. If the data is compromised, it can cause millions in losses to the city, the vendor warns.

A Kaspersky Lab expert in Moscow recently conducted research on a network of road sensors that gather traffic flow information - in particular the quantity of vehicles on the road, their type and average speed. This information is transferred to the city authority's command centre.

City traffic authorities receive the information and use it to support and update a real-time road traffic map. The map, in turn, can then serve as a source of data for city road system construction or even for automating traffic light system controls.

The first security issue discovered by the researcher was the name of the vendor clearly printed on the sensor's box. This crucial information helped the Kaspersky Lab expert find more information online about how the device operates, what software it uses, etc. The researcher discovered that the software used to interact with the sensor, as well as technical documentation, were all available on the vendor's web site. In fact, the technical documentation explained very clearly what commands could be sent to the device by a third party.

Just walking near the device, the researcher was able to access it via Bluetooth as no reliable authentication process was implemented, says Kaspersky Lab. Anyone with a Bluetooth-enabled device and software for discovering passwords via multiple variants (brute force) could connect to a road sensor in this way, it points out.

Using the software and technical documentation, the researcher was able to observe all data gathered by the device. He was able to modify the way the device gathers new data - for example, changing the type of vehicle recorded from a car to a truck, or changing the average traffic speed. As a result, all newly gathered data was false and not applicable to the needs of the city.

Share