Unlearned Lessons of the Past and the (Not So) Secure Smart City of the Future

The concept of the city of the future is both inspiring and frightening. 

Many of the promises associated with the vision of the “smart city” are certainly going to come to fruition. It’s pretty clear now that some level of autonomous driving, always connected vehicles are in our collective future. And everything from household toasters to city infrastructure systems are going to be sensor enabled and Internet connected.

But I think, unfortunately, barring some drastic and unprecedented information security intervention and intra-industry cooperation, the digital roadway to the smart city of the future is going to have quite a few deep and scary potholes.

Why? Because the tech and various equipment industries are making the very same mistakes we’ve witnessed before, numerous times, in various new waves of technology. We’ve seen it with general-purpose software and operating systems, and we’ve seen it with the very protocols that drive the web, and then the systems that power web commerce.

In each of those waves of technology, security was added after the software, products, or protocols were built. With productivity software, for instance, programing languages like Visual Basic and application-specific macros ran with virtually no controls whatsoever – and we were all targeted by viruses and worms that took advantage of those flaws. With the Internet, there was no real authentication built into TCP/IP or web browsers. The result: Phishing, adware, worms and viruses galore. And we are still suffering for the lack of information security foresight today.

Why are we reviewing all of this? Because those designing and building the components of smart cities appear to be making many of the same mistakes we witnessed in the not so distant past.

And just like then the warnings came for years and years before massive amounts of ecommerce and financial system hacking took place – and it all went unheeded.

This New York Times story, Smart City Technology May Be Vulnerable to Hackers, details the story of a security researcher that is eerily reminiscent of the mindset security researchers encountered when uncovering vulnerabilities in operating systems and enterprise software in the late 1990s. Last year, the researcher found and then warned cities that data coming from their sensors could be captured by anyone and that the data wasn’t encrypted. The researcher warned that he could change the display on the city’s electronic signs and even control traffic lights.

More recently, Jai Vijayan, in Vulnerable Smart City Devices Can Be Exploited To Cause Panic, Chaos, covered how False alerts about floods, radiation levels are just some of the ways attackers can abuse weakly protected IoT devices,

According to Vijayan’s report: “the tested systems fell into three broad categories: industrial IoT, intelligent transportation systems, and disaster management devices. The products included those used for warning planners about water levels in dams, radiation levels near nuclear plants, and traffic conditions on highways.”

“The exercise unearthed 17 zero-day vulnerabilities, eight of them critical, in four smart city products from three vendors — Libelium, Echelon, and Battelle. Using common search engines like Shodan and Censys, the IBM and Threatcare researchers were able to discover between dozens and hundreds of these vulnerable devices exposed to Internet access,” he reported.

The same is true with the makers of more consumer-facing IoT devices – many of which will be connected to the systems that help to manage smart cities. Last fall I watched a panel at a security conference where all of the panelists detailed how device makers are largely failing to threat model and build IoT devices that are secure and resilient.

What does all of this mean? When security protocols were ignored in the past, we paid the price in disruptive and malicious viruses and worms, endured massive denial of service attacks on banks and financial institutions, government and other crucial sites. We’ve seen hundreds of millions of records breached since 2005, and thousands of enterprises and government agencies have had intellectual property or customer records stolen. It’s been a mess.

And while all of those security shortcomings has created a relative field day for online criminals and wrongdoers, it will look in retrospect, relatively calm if the same types of crime and shenanigans are made possible through similar device and systems protocols in our physical world.

Imagine false positive alarms that scatter fire departments or law enforcement in the wrong direction. Looters and criminals are known to start diversionary crimes and fires, doing so electronically would only make their task less dangerous and potentially easier. Or, what if it’s not a white hat security researcher that points out flaws in the traffic control system, but malicious attackers?  Or, instead of web site defacements, we see political messages on hacked electronic traffic or road signs.

What if our electrical grid is attacked, and we endure rolling brownouts in the dead of winter or during the hottest weeks of summer? There is little sense in going on with doomsday scenarios. The downside, with a little thought invested, is crystal clear and limited only by imagination. Fortunately, the answer is just as clear – but our institutions must have the will and foresight to follow through and design smart city systems to be resilient and secure.

That’s going to take everyone involved to make it happen. We, as citizens and residents of these cities, are going to have to demand it. It’s going to require our governments, local, state, and federal - those that procure this equipment - to also demand it be designed and deployed securely. They will have to place the appropriate amount of pressure on the manufacturers to take the necessary steps to develop equipment that ships secure and can be deployed and managed securely.

And, of course, it’s going to take the security community to also hold these equipment makers to task and vet the inherent security of the devices and management software, or the global rush to smart cities may not look so smart after all.