If medical equipment isn’t a big enough target for you, why not hack a city?

A while ago I went on one of my familiar rants. The subject was how ridiculously easy it is to hack medical equipment, with medical device maker Meditronic’s pace maker programming devices being the concrete example. Even though I wrote the post in August, it’s still very relevant. Just a couple of days ago,  Meditronic made headlines again when they issued a statement saying that their CareLink line of pace maker programming devices is actually vulnerable to attacks.

The first news of vulnerable Meditronic equipment dropped during the annual Black Hat conference in Las Vegas. But medical equipment was not the only Black Hat target. Far from it. Another interesting subject of hacking was “smart” cities.

Not So Smart.

One of the talks, titled “Outsmarting the Smart City” (PDF), discussed attacks against multiple smart city devices from different categories of smart city technology. The three researchers went on a tour of Austin, Texas, where they identified infrastructure that was part of the city’s CityUp initiative.

Austin CityUP is a smart city consortium of companies, organizations, and individuals collaborating to advance Austin through smart city techniques, including digital technologies, data collection, analytics, and modeling.

www.austincityup.org

What they found was that many of the devices connected to the smart city infrastructure was vulnerable to very basic attacks. They were configured with default credentials, allowed authenticated API calls, communicated in plain text, had hard-coded admin accounts, or even no authentication at all.

Echelon i.LON SmartServer.
Echelon i.LON SmartServer: Default credentials, unauthenticated API calls, plaintext communications, and authentication bypass.

Chaos, Panic, pandemonium.

So someone can play around with a city’s infrastructure. Does it really matter? Why, yes, indeed. Take the Battelle V2I Hub, for instance. It’s manages vehicle to infrastructure communication. The device has several vulnerabilities, a hard-coded admin account, and XSS being the most prominent ones. With access to the V2I Hub, an attacker can track vehicles, send false safety messages, and report non-existent traffic to the city’s infrastructure. Imagine this being used manipulate Huston traffic during rush hour.

Another device the researchers found in Huston is the Libelium Meshlium. The device can be used for a range of tasks, from detecting gas leaks and floods, to monitoring air quality. Unfortunately, it doesn’t require authentication, and is vulnerable to shell command injection. These vulnerabilities can be used to create false sensor data, and hide real sensor data. Want to cause wide spread panic? Manipulate the sensors to detect a fake poisonous gas leak. Want to be a very effective terrorist. Cause a poisonous gas leak, and suppress the sensor data.

Amateur Hour.

The medical equipment is easy to hack is bad. Very bad. But that “smart” city infrastructure suffers from the same, moronic vulnerabilities is a major disaster waiting to happen. It definitely feels like amateur hour.

Security seems like it’s a distant after-thought for manufactures like Battelle, Echelon, and Libelium. Their device are supposed to make a city’s infrastructure safer, more efficient, and generally better for the citizens.

The way it looks now, the reality is that the catastrophically bad security in these devices make them outright dangerous to use. If your city is employing smart city technologies, I certainly hope they had the wits perform a proper security audit before the devices were put into use.

Chances are they didn’t, though. Good luck, and good night.