Risks and potential vulnerabilities:
Smart cities use IoT to turn everyday systems into connected, smarter versions of themselves. At the heart of a smart device is a microcontroller with a networking module and other required modules connected to it. This interconnection of smart devices will provide:
- Remotely manageable traffic systems, electric grids, sewage systems, etc.
- Surveillance that needs no supervision to detect suspicious activities and events.
- Household appliances that can be controlled and managed using the owner’s voice.
- Smart homes that will send a mail/SMS to the owner if someone tries to break in.
The problem is that, since IoT is a relatively new technology, awareness of secure implementation practices is rare. This is compounded by the fact that security researchers are able to find poorly secured IoT devices, including CCTV cameras, on IoT search engines like Censys or Shodan and then completely take them over as administrator. Some of the devices are found to have no security at all. Not a good sign to begin with.
Exploitation Scenario:
Considering the poor state of security, it is not hard to guess the obvious consequences of exploitation:
- Security alarms going off for no reason, creating unnecessary panic.
- Critical system controls becoming inaccessible due to DoS attacks.
- People being spied on through a compromised CCTV camera or baby monitor.
- Attackers can try privilege escalation after compromising a device to get access to a higher-criticality device by exploiting the trust policy between the two.
- Attackers can also try database attacks to retrieve sensitive data stored on databases shared with these devices.
These predictions could be scary enough for one to drop the idea of living in a smart city. But as with all other cyber problems, there are highly efficient solutions available to prevent these problems from happening.
Prevention and Mitigation:
- Providing developers with references and resources to help them understand potential security issues and best practices to avoid them.
- Establishing organizations dedicated to improving the security posture of the IoT field (as OWASP does for web application security).
- Promoting a policy of implementing IoT solutions only after a thorough vulnerability assessment and penetration test.
- Educating end users about setting strong passwords and avoiding phishing attacks.
- Encouraging developers to provide frequent software updates that patch potential vulnerabilities as a part of their support and maintenance.
Apart from introducing comfort, along with information-security and access-control issues, smart cities will provide many jobs, many opportunities for technical advancement and, above all, a great launchpad for humans to become more productive.