That means hackers could potentially hijack the devices, either to create panic or to prevent the devices from detecting when a real emergency exists, says Daniel Crowley, research director at IBM X-Force Red, a security-testing unit.
“I think the danger there is that when you’re relying upon sensor data for safety reasons, and that sensor data can be corrupted either to hide when an emergency situation is happening or to create fake emergency situations and cause panic, there’s obvious danger there,” Crowley says.
The researchers say they found a total of 17 vulnerabilities across systems used in smart-city technology from Libelium, Echelon and Battelle. Each of the vendors has released patches to fix the bugs, which the researchers are announcing at the Black Hat security conference, in Las Vegas.
To test the systems, the researchers began by dissecting firmware they were able to obtain online, then later acquired some of the systems after spotting potential vulnerabilities, says Jennifer Savage, a security researcher at Threatcare. They also used specialized search engines such as Shodan and Censys, which crawl internet of things devices in order to find examples of where the devices are being used in the real world. That allowed researchers to notify relevant agencies about the risks involved.
Government agencies utilizing the systems include a European country using some of the devices for radiation testing and a U.S. city using them for traffic monitoring, the researchers say.
Some warnings systems have already been used by hackers, at least to cause mischief. Last year, a prankster set off emergency sirens across Dallas for more than 90 minutes, and hackers have previously hijacked TV emergency signals and tampered with digital road-warning signs.
Even benign malfunctions of emergency systems can have serious consequences: Earlier this year, an erroneous ballistic-missile alert caused panic across Hawaii after an apparent mistake during a drill.
The researchers advise agencies and companies implementing smart-sensor systems to restrict IP addresses permitted to connect to the devices and to safeguard passwords and digital keys used to gain access. They should also use standard security tools and hire outside testers to verify that the systems are secure, the researchers say.
After all, unlike home-automation systems, people often have little direct control over what systems installed by their local governments could have an impact on their lives.
“You can choose to have IoT devices in your home or not,” says Savage. “You can’t really decide for your whole city.”