The week of August 2, 2015

How to hack a city—and why we should

By Jonathan Keane

No one thinks about the servers and infrastructure that run cities: at least, not until something goes wrong, like flooding, blackouts, or gridlock. Information security professionals, however, are becoming increasingly conscious of how a connected city can be vulnerable to attack—and they’re beginning to think about how to make them more secure.

Through smart technologies, wireless connectivity, and the burgeoning Internet of Things, cities and critical infrastructure have been getting a technological makeover in recent years. Amsterdam is exploring several open-source projects and cities like Barcelona, Spain are revamping energy grids and traffic lights. But those new initiatives open up new vulnerabilities.

At security conferences last year, for example, Cesar Cerrudo, chief technology officer of security firm IOActive, demonstrated myriad problems with traffic-light systems. He showed how attackers could target the sensors embedded in streets that send data to traffic control systems. Light cycles could be altered to cause gridlock and send cars into wrong lanes or streets, potentially leading to car accidents.

That may sound like an abstract threat, but infrastructure attacks are already happening. In 2014, a steel mill in Germany was attacked by cyberaggressors who stole login details, via emails loaded with malware, and gained control of the plant’s control systems. (Of course, this recalled the Stuxnet virus crafted by the U.S. and Israel to target Iran’s uranium enrichment plants.) The damage from the attack on the steel mill was never quantified in detail, but the official report described it as “massive,” where a blast furnace could not be shut down properly.

Cities, like any complex system, are potentially susceptible to hacking. The important question is just how susceptible?

Researchers have been thinking about such threats, and at this year’s Black Hat security conference, researchers from Drawbridge Networks and the U.S. Military Academy at West Point are presenting “Pen Testing a City.” “Penetration testing” is security jargon for finding vulnerabilities an attacker could exploit, and cities, like any complex system, are potentially susceptible to hacking. The important question is just how susceptible?

A city is not a single entity—it’s an ecosystem, explained Tom Cross, CTO of Drawbridge Networks. And the bigger the city, the greater the complications.

“Once you determine the scope, there are all types of surface areas that you’re looking at, and not just computers connected to the Internet. You’ve got a lot of wireless networks,” Cross said. “There are a lot of unique surface areas that exist in a city that a typical organization doesn’t have.”

He could point to examples of those unique areas for attack, like when Kaspersky Lab found significant flaws in networked surveillance cameras. The cameras are often Internet-enabled, allowing authorities to remotely monitor footage. In one case, however, the cameras used in an unnamed city were found to be transferring data unencrypted. Most worryingly, the researchers found that the cameras do actually have robust security measures; they just weren’t being sufficiently used. A poorly configured surveillance-camera network could be open to tampering, which could impede law enforcement.

The Kaspersky researchers found that vulnerability because they could connect to the surveillance-camera network via the Internet. But more often, municipal systems aren’t open to independent testing. That means vulnerabilities aren’t being discovered and patched fast enough. “If those systems aren’t getting a sufficient amount of security auditing, there are vulnerabilities that a sophisticated attacker could surface,” Cross said.

“Cities are deploying technology that has more vulnerabilities in it. The vulnerabilities in those technologies haven’t been shook out yet.”

And over time, city systems often become a patchwork of old and new technology. “People build new systems and deploy them, and then they end up going back and refining them,” Cross noted. That presents two different types of problems. The new technology is often untested. “It means that cities are deploying technology that has more vulnerabilities in it,” Cross added. “The vulnerabilities in those technologies haven’t been shook out yet.”

But obsolete technology can bring its own vulnerabilities. “There’s a major city in the United States that still uses Netscape Enterprise Server version 6, which was released in 2001. It’s not supported anymore,” Cross said. (IOActive’s Cerrudo has claimed that Dubai’s Burj Khalifa, the world’s tallest building, runs its systems on Windows XP. Burj Khalifa management did not respond to a request for comment.)

So who are these attackers? Cross says that thus far, cities have benefited from the fact that their systems are hard to access: Casual hackers trolling for new targets may not expend the effort. But, he says, “If you are concerned about nation-state actors, they can get access to those systems.”

Again, that’s not merely an abstract threat. In 2007, the Estonian government fell prey to distributed denial-of-service (DDoS) attacks believed to be coming from Russia, stemming from a dispute over the relocation of a Soviet statue. Estonian government sites, banks, and broadcasters were all hit. Estonia accused the Russian government of orchestrating the attack, a claim Moscow denied. A year later, a single ethnic Russian was convicted and fined for his involvement in the attack.

“The reason those attacks had such a significant impact on Estonia is that a lot of their government and public services infrastructure is brand new and it was all Internet-based,” Cross said. Estonia, sometimes referred to as e-Estonia, is known for its online voting and e-government services, for example. “Because they had all this new technology, they were very dependent upon the Internet working well in order for their government to work well.” That created vulnerability to attack.

“Cities should be doing pen tests. They should be doing them across the board instead of just in silos.”

But attackers don’t have to be suspected nation-state hackers, or target new and sophisticated systems. Again, because cities are so complex, there are often multiple areas open to attack. In September 2013, a 3 1/2-mile traffic tunnel in Haifa, Israel, was shut down by a cyberattack that struck the tunnel’s surveillance cameras and traffic control systems—twice. The first attack caused a 20-minute delay. The next day, the system shut down during the morning rush hour and remained down for eight hours. Hackers “similar to the Anonymous hacking group” were initially blamed, given the group’s history of targeting Israeli sites, though the company managing the tunnel later denied any attack had taken place. Just months before, Israeli officials claimed that a failed cyberattack on Haifa’s water system had been launched by the Syrian Electronic Army.

Tom Cross, for one, thinks cities need to be doing more to secure their infrastructure. “I think cities should be doing pen tests, and that’s the point of our paper. They should be doing them across the board instead of just in silos. They need to think from a big picture perspective,” he said. That would mean simulating attacks or system crashes and clearly delegating responsibility across the IT team.

Security firm IOActive also recommends a “checklist-type cyber security review,” which gives cities a guide to proper encryption standards and authorization. Other recommendations include wider education for city workers, speedier patch times, 24/7 responses in emergencies, and the establishment of a city-specific CERT (computer emergency response team).

Japan’s government has adopted a similar approach as it prepares for the 2020 Olympics by establishing a new cybersecurity strategy team. The government has been holding cybersecurity drills across its departments to back up national security, and it intends to train up to 50,000 citizens, both private and public sector, and improve their computer skills by 2020 to raise information security standards and protect against exploits and attacks, including attacks on websites and Olympic event ticket sales systems.

Communication among city executives will be key, Cross said. With computer technology becoming an integral part of how a city functions every day, that technology needs to be as robust and resilient as we can make it. And we need to prepare for the eventuality of even our best-designed, most rigorously tested systems breaking down.

“The bottom line,” Cross said, “is it’s a real problem, and it needs to be a priority.”

Illustration by J. Longo