All the Ways To Hack a Smart City

As cities embrace software and become smart, they also get more hackable.

|
Apr 8 2015, 2:00pm

​Image: Jen​s karlsson/Flickr

​In the fourth Die H​ard, a team of high tech terrorists hacks Washington D.C.'s traffic lights to cause a major jam all over the city, and makes computers explode remotely. The group almost hacks its way to chaos and destruction—if it wasn't for Bruce Willis' legendary action hero John McClane, who obviously prevails in the end.

The movie is an over the top flick made to shock and awe (don't worry, hackers can't make your computer explode). But some of the security issues it highlights since it came out in 2007 have already become reality. Last year, IOA​ctive security researcher Cesar Cerrudo dem​onstrated that it was pretty easy to hack into traffic control systems used all over the world, potentially causing dangerous traffic jams.

A year later, Cerrudo says that was only the beginning. Cities all over the world are embracing software that makes parking systems, traffic control, energy management and other systems smart—all technology to make cities smarter, meaning more connected, efficient and automated.

But on the flip side, smarter and connected often means hackable.

"It's a matter of time until someone launches an attack over some city infrastructure or system."

"It's a matter of time until someone launches an attack over some city infrastructure or system," Cerrudo told Motherboard. "Of course it's not something simple, but it's possible."

On Wednesday, Cerrudo published a pa​per on all the ways someone could hack a smart city. Most of the ways he described don't necessarily require a skilled hacker a la Die Hard 4.0. But rather, they're possible because vendors and city governments are simply overlooking or not even thinking about security when deploying these new technologies.

In this report, Cerrudo did not focus on any particular technology, but studied all the security issues that are common to many of these systems, such as lack of (or poorly implemented) encryption, the difficulty of patching complex systems when bugs are revealed, or the simple fact that city government lack resources to prepare and respond to cyberattacks.

The underlying problem, Cerrudo said, is that in many cases the manufacturers of these smart devices just don't know better.

"This is a global issue," Cerrudo said. "There are new vendors that used to do just hardware in the past, now they have to do software and don't know almost anything about security, they don't have the skills or the knowledge to make this new software secure."

The car industry is facing a similar problem. Cars are becoming computers on wheels, and hackers and security researchers have shown that the manufacturers don't know how to make them secure time and again in the last couple of years. That's why, for example, Tesla hired a well-known and respected Apple hacker to help secure its cars.

It'd be easy to dismiss Cerrudo's warning as theoretical or perhaps even a bit of FUD (fear, uncertainty, and doubt).

But the researcher backed up his claims with examples of computer bugs that in the past created big problems for cities. For example, a computer glitch was ​a k​ey factor in the famous 2003 blackout—the largest in North American history—that caused an estimate of $6 billion and caused 11 deaths. And in 2013, a bug caused a shut​down of the San Francisco public train system BART, trapping between 500 and 1,000 passengers.

"Imagine what could happen if an attacker could trigger bugs like these," Cerrudo wrote in the report.

"Just playing with a couple of intersections you can cause a big chaos."

There's even a precedent of a real city hack. In 2006, two Los Angeles traffic engineers were accu​sed of tampering with the city's traffic control system to mess with the light sequences at four main intersections of the city, causing a gridlock that lasted days.

"Just playing with a couple of intersections you can cause a big chaos," Cerrudo told Motherboard, adding that traffic control systems are probably the ones he would attack if he were a cyber criminal intent on messing up with a city.

But for Cerrudo, the point of his report is not to give criminals ideas, it's to get city officials and manufacturers to be more prepared for when hackers actually hit.

"The goal of this paper is to open people's minds, to open companies minds and government's too," Cerrudo said. "To see the problem and do something about it."