Checkmarx is a Leader in the 2021 Gartner Magic Quadrant for Application Security Testing

Smart Cities: Can My City be Hacked?

Our connected devices make life easier on us as individuals, and the conveniences afforded to us by connecting technology to the physical world around us are compounded when we expand the reach from individuals to a greater population, – entire cities.


While cities have been adapting new technologies that connect the physical world to the digital world for decades, the rate at which they do so is reaching new heights, and the technologies themselves are far more advanced. These technologies, and the greater amount of connectivity they allow for, are opening cities up for the greater good…as well as the greater evil.



The Promise and Potential of the Smart City


The technological advancements posed by the Internet of Things have far-reaching benefits for the cities who adopt them. ‘Smart Cities’, or ‘Intelligent Cities’, as they’re called, integrate devices with physical infrastructure, which allow the cities to streamline communication, cut costs, provide better services to citizens through automation and more accurate data collection and analysis, and enables these cities to better plan for the future.


For example, traffic lights and parking sensor technologies improve traffic patterns and reduce both parking issues and the carbon dioxide emissions caused by them. Smart trash cans inform the city when they need to be emptied, smart water pipes can measure quality, leakage, and more, and bus and train stops let passengers know when their ride is set to be there, in real-time. Cities around the world, including Barcelona, Washington DC, Chicago, London, and Seoul, have adopted these and other technologies as they make the transformation to become Smart Cities.


Something’s Missing….


Yet as governments worldwide are embracing the Internet of Things to become ‘Smart Cities,’ there’s the major issue of security in the Internet of Things that has mostly been left unaddressed until recent years.


The sheer scale of city-wide connectivity allows much more room for a single security vulnerability to wreak havoc on the residents and governments that have adopted these technologies. As security strategist Cesar Garlati told SCMagazine, “While the chips and sensors found in many of these devices are so small that security may not have felt like an ‘issue’, the proliferation of them now, especially the amount needed to create and maintain a smart city, means that it could become a real problem.” As more cities adopt more Smart City technology to replace or upgrade existing infrastructure, the risks they carry will only grow and compound.


We’ve already seen how IoT hacks on a smaller scale can cause major issues, such as the infamous Jeep hack, when security researchers remotely paralyzed the car on the highway, and when hackers were able to steal hundreds of millions of dollars worth of electricity through ‘smart meters’, and when smart refrigerators were found to be susceptible to having the owner’s Gmail accounts compromised. In 2014, security researchers at the University of Michigan were able to hack traffic lights of nearly 100 intersections they found to have no security controls at all. And just this last April, hackers attacked the official warning system in Dallas, creating city-wide panic as all 156 of the city’s emergency sirens blasted off in the middle of the night.


Worse still, all the way back in 2006, a couple of traffic engineers working for the city of Los Angeles found themselves accused of tampering with traffic control systems of four main intersections throughout the city, which caused several days of gridlock before the system could be repaired. These attacks are nothing new – so why aren’t cities doing more to protect themselves and their citizens when implementing Smart technologies on a much grander scale? The difference between hacked refrigerators and hacked critical infrastructure has enormous implications for the cities employing these smart technologies.  It’s time for so-called ‘Smart Cities’ to wisen up to security, as well.


Current Concerns Surrounding Smart Cities:


In order to fix the security concerns facing Smart Cities, we first need to look at the issues they currently face. Here’s a breakdown of the biggest concerns surrounding the security of Smart Cities:


  • Lack of proper security testing


Security is, unfortunately, rarely a business goal, but when a product hinges on being able to provide city-wide services that include critical infrastructure, it needs to be. The lack of security testing both on the parts of the vendors and the governments who employ Smart City technologies is a major issue that will come to haunt both parties in the future. As one security researcher found, “[Smart Cities] do a lot of tests for functionality on the system and devices, but they don’t do any security testing… So, basically, they are trusting the vendors.”


  • Lack of Smart City CERT and security teams


Building off the first concern of proper security testing, the next concern is the absence of Computer Emergency Response Teams, or CERTs in Smart Cities. As dependence on IoT within governments grows, so too should the number of security professionals tasked with testing and properly securing these technologies. In addition, cities all have emergency protocols in place for events like hurricanes, earthquakes, and terrorist attacks, but emergency response protocols for security attacks are still lacking.


  • Complexities in deploying patches and system updates


There needs to be a sense of shared responsibility between government bodies and Smart City tech vendors in ensuring the security of devices. Until recently, that responsibility has been mostly shirked by both parties, which has led to the current insecure ecosystem.  Currently, updates and patches are hard, if not impossible, to roll out due to the complicated layers of Smart City infrastructure.


  • Poor security practices in Smart City technology


Cesar Cerrudo, the CTO of a security research firm, has done extensive research on the security of Smart City technologies. He’s found that “many firms selling smart systems were failing to build in effective security, such as encryption – a significant problem when so many services transmit their data wirelessly.” Even worse, many vendors refuse to sell their products to security companies – Cerrudo’s company included – who would be their best bet in finding and resolving found vulnerabilities, other than the necessary security testing (which is, as discussed above, so rarely done), in ensuring the release of secure products. Security by obscurity is a risky bet, and one that could create even more complex issues later down the line. As Cerrudo discovered in his research, there are 200,000 vulnerable traffic control sensors used in cities like London, Washington DC, and Melbourne, and told the Register that “we constantly find very vulnerable technology being used…for critical infrastructure without any security testing.”


  • Lack of regulations surrounding Smart City technology


Because of the relative newness of Smart Cities and the technology used to run them, there has not been a concentrated effort to regulate their security. This lack of a greater body that both governments and Smart technology vendors means that nobody truly has responsibility over the security of Smart City infrastructure.


Considerations in Keeping Smart Cities Secure

1. Smart City technology vendors need to implement strong security testing during development, while the cities who adopt the technologies need to implement security testing in production, ensuring that the different moving parts interact securely with each other. The burden of security should be shared between the two bodies. SAST (Static Application Security Testing) should be included in testing protocols of both vendors and governments. In addition, IAST (Interactive Application Security Testing) is another maturing tool that can be used in detecting vulnerabilities that could harm Smart Cities.


2. Any city adopting smart technology should also create a CERT (Computer Emergency Response Team) to swiftly handle vulnerabilities, thwart attacks, and work with IoT vendors to create more secure devices and fix security issues faster. City security teams can also ensure that strong authentication and encryption protocols have been put in place to help prevent these issues in the first place.

3. Currently, there are guidelines put forth by the global Securing Smart Cities initiative, which represents a great step forward, but guidelines are simply not enough. There needs be a regulatory body much like PCI-DSS and HIPAA to put the pressure on IoT Smart City technology manufacturers in ensuring the products they sell to governments and individuals alike are well-secured. We know that the hefty fines and penalties imposed on companies in the e-commerce and medical industries through PCI and HIPAA work, and this can be a major stepping stone for securing the IoT industry, as well.


Estimates put the number of connected devices worldwide to 50 billion in 2020. As more of the world’s physical infrastructure is connected to the digital world, both vendors and governments need to be aware of the security risks that come with the conveniences and better services afforded by Smart City technology.


Continue reading:

Jump to Category