As more and more machines are entrusted with managing city infrastructure systems, the prospect of disruption – and worse – through cyber-terrorism appears ever more real.
News update: cyber terrorists have hacked into the electricity company supplying a residential area of the city and caused a blackout. They’ve sent an email with their demands to restore power – it’s a significant amount of money. The city’s cyber defenders have been tasked with retaking control of the compromised machines and restoring power to citizens.
Don’t panic. Not yet, anyway. This isn’t a real city. Nor is it a scene from Watch Dogs, Ubisoft’s much-hyped new game in which hacker Aiden Pearce takes control of Chicago’s infrastructure (from traffic lights to private data) via the smartphone in his pocket.
Instead, the scenario comes from CyberCity, a virtual urban environment set up by US government contractor Counter Hack to train officials in the threats facing our ever more computer-controlled cities. Trainees access the networked devices running the city from a remote location, but there is a physical aspect too: a six-by-eight-foot, 3D model of CyberCity with all the facilities you’d expect.
It might look like something a father and son would build in the garage, but it’s a significant piece of work. The aforementioned cyber defenders are genuine US defence personnel, testing their abilities to counter digital attacks on critical urban infrastructure. When they successfully hack into the terrorists’ systems and switch the power back on, the white lights of the model CyberCity turn on again. For an added dose of “realism”, the CyberCity Sentinel, the city’s official newspaper, publishes an article on its website explaining that the mysterious power outage has been resolved.
CyberCity should be a wakeup call to city planners the world over, showing that much of today’s systems-management infrastructure is vulnerable to digital attack. The machines that the mock terrorists have disabled are based on industrial software used by real-world critical infrastructure providers, known as “supervisory control and data acquisition” (SCADA) tools and “programmable logic controllers” (PLCs).
“We try to make it as realistic a deployment as we can,” says Counter Hack founder Ed Skoudis. “The engineer who designed our power grid is someone who designs power grids for military bases.”
Skoudis and other security experts are deeply concerned about the safety of SCADA tools. He says many of their protocols (the rules and commands that govern the way computers handle data and human access) “suck”, and that cities are littered with vulnerable software and hardware. This is no future threat, Skoudis adds; they are open to attack right now.
To prove the point, a researcher from security consultancy IOActive recently showed that vulnerabilities in road sensors relaying information to traffic lights could be exploited to turn them from red to green, or keep them on a certain colour. The potential impact is all too obvious: traffic carnage and deadly accidents.
The researcher, Cesar Cerrudo, took to the streets of Washington DC to trial the potential hacks, without actually causing any harm. He says the biggest problem is that manufacturers producing much of the kit for today’s “smarter” cities do not have adequate security skills to ensure their products are safe from attack. (Skoudis concurs that traffic light systems, in particular, have shown an “egregious lack of security” during his CyberCity tests.)
Cerrudo believes many other systems that manage key bits of urban infrastructure will be proven just as vulnerable. He plans to look at streetlights in upcoming research: “Most of the products we take a look at are insecure; they have vulnerabilities and allow hackers to compromise them.”
Many of the weaknesses are basic, he says: devices often don’t do adequate validation of the data being sent to them, failing to check whether malicious streams of information are being sent rather than legitimate bits and bytes determining their functions.
“The main problem is that these systems are blindly trusting the data they get,” Cerrudo adds. “They don’t know if it’s real or fake, yet they take actions and decisions based on that data. It’s a very broad problem.”
CyberCity’s training missions, which are determined by what the customer (ie the US government) wants, highlight where there are real and present threats to urban areas. One includes a challenge for cyber warriors to derail a train carrying a radiological bomb by hacking into the SCADA system controlling the track’s switching functions. There’s also a cafe where imagined bankers and doctors go to get a coffee and have their smartphones hacked over a public wireless broadband network.
Future missions will probably include so-called “Kobayashi Maru” scenarios, named after the Star Trek training exercises in which Starfleet Academy cadets are tested to the limit by the lack of a winning solution. “We have an elementary school in CyberCity; you’re not supposed to touch it because you get in big trouble if little kids get hurt or killed,” Skoudis explains. “We’ve talked about creating a mission where the only way to achieve the goal is to violate that rule. It’s an interesting measurement to see if a cyber defender is willing to go that far.”
Nations across the world are now taking serious note of cities’ myriad weaknesses – in the process increasing their own capability to disrupt connected infrastructure. Skoudis says he has had interest from the UK, Japan and numerous other countries. Many want their own CyberCities to defend – and attack.
Connected devices in cities pose a threat not only to people’s safety, but also to their privacy. James Lyne, global head of security research at IT experts Sophos, has uncovered a host of hackable, internet-enabled surveillance cameras, for example. In one case, he was able to see the digits being pressed on a chip-and-pin machine at a petrol station; the camera had no log-in or password set-up whatsoever. This meant anyone could have hacked the camera if they found its internet protocol address (the string of numbers used to identify a connected machine).
“The cameras were positioned over the cash register and credit card machines with suitable resolution to see card numbers, pins and even the sign-on code the staff member used for the cash register. This is one system of many out there, and an example of the basic old-style security failures that are still widespread,” Lyne warns.
His research also uncovered scores of vulnerabilities across CCTV cameras, webcams and even baby monitors. Of the 11 different camera products Lyne tested personally, three contained the much-publicised Heartbleed vulnerability, while four didn’t use any encryption at all, meaning a hacker could easily intercept data being sent to and from the cameras, including usernames and passwords.
Finding hackable CCTV cameras has become considerably easier with the emergence of Shodan, a computer and device search engine. It can help anyone find a vulnerable machine, whether it’s a web server or a surveillance camera.
“In short, gaining access to these systems en masse across the world is remarkably trivial,” Lyne says. “We are working through vulnerability fixes with vendors, but initial results have been slow. Exploitation of this kit is obscure but trivial compared to the modern PC, and cyber criminals succeed at that too.”
Some city planners, at least, are taking the threat seriously. Colin Birchenall, lead architect for Glasgow City Council’s Future Cities demonstrator programme, says the project to add greater connectivity to the Glasgow area is being done with a security consultant on board, using best-practice guidance straight from GCHQ.
“It’s very much about understanding the nature of the information and services provided by the devices,” Birchenall explains, “then walking through the various components … from devices themselves right through to back-end servers. Take it component by component, device by device.”
Unlike in CyberCity, no real-world urban destruction has yet come about as the result of a cyber attack. However, as more and more machines are entrusted with managing cities’ infrastructure systems, the prospect of disruption and worse through hacking looks ever more likely. If they’re not careful, some smart cities of the future could end up looking pretty stupid.
This article originally appeared in The Guardian.