Critical vulnerabilities present in smart city systems

Share this…

Researchers have discovered countless zero-day vulnerabilities that can be used to disrupt critical systems

Experts in enterprise network security from the International Institute of Cyber Security reported the finding of 17 vulnerabilities in different smart city systems that could affect core services.

At an event held in Las Vegas last Monday, a team of enterprise network security experts demonstrated how old-school threats are putting the development of smart city environments at risk in the future.

It is estimated that investment in smart cities technology will reach $80 billion USD this year and will reach $135 billion USD arriving to 2021, only in the United States. Water and drainage systems, intelligent lighting, traffic controllers, utilities and more will be intertwined in smart cities, seeking to make urban life more efficient in terms of energy, ecology and sustainability.

However, connecting all these critical elements can have devastating effects if something goes wrong, for example, a hypothetical successfully deployed cyberattack. We all have witnessed the damage that can be caused when hackers threaten core systems in a nation, as in the case of Ukraine’s electricity grid, and unless smart city developers take cyber security as a serious matter for the future, every smart city environment will be under considerable threats.

Enterprise network security experts responsible for this research found that the systems developed by Libelium, Echelon and Battelle are vulnerable to several attacks. Libelium is a hardware manufacturer for wireless networks, while Echelon specializes in industrial Internet of Things (IoT), and Battelle develops and commercializes related technologies.

Out of the 17 vulnerabilities discovered in the systems used in four smart city environments, eight are considered critical; many of the flaws were due to poor security practices, such as the use of default passwords, lack of SQL injection and weak authentication processes.

  • Researchers discovered four critical shell injection flaws prior to authentication in the Libelium Wireless sensor network, Meshlium.
  • Echelon servers, which are used for energy conservation, contained two critical authentication flaws, unencrypted communications problems, and default credentials.
  • In the case of Battelle, the hub with 2.5.1software version also has severe security problems.

The most serious vulnerability discovered was a coded admin account, followed by access allowed to sensitive features on the system without prior authentication, default API keys, and authentication omission, security failures of SQL injection and reflected XSS problems.

After submitting the vulnerability report, the enterprise network security specialists team found that dozens (and in some cases, hundreds) of these vendors’ devices were exposed to online remote access. Subsequently, the manufacturers recognized their mistakes and began launching the update patches to cover the vulnerabilities.