Security researchers have warned of potentially catastrophic cyber “panic attacks” against smart city systems after revealing 17 new zero-day vulnerabilities.

Threatcare and IBM X-Force Red joined forces to test how resilient intelligent transportation systems, disaster management and the industrial Internet of Things (IoT) are to remote “supervillain-level” attacks.

They found 17 zero-days in systems from Libelium, Echelon and Battelle which included some basic issues such as default passwords, authentication bypass and SQL injections.

However, because these systems often perform crucial tasks there’s a real risk that a bad actor could cause mass panic by exploiting them.

Scenarios could include manipulation of water level sensors to report flooding in an area where there is none, or silencing sensors when there is a flood. Vulnerabilities could also be exploited to trigger radiation leak alarms, or alter traffic management systems to create gridlock in urban areas, the report claimed.

“After we found the vulnerabilities and developed exploits to test their viabilities in an attack scenario, our team found dozens (and, in some cases, hundreds) of each vendor’s devices exposed to remote access on the internet. All we did was use common search engines like Shodan or Censys, which are accessible to anyone using a computer,” IBM explained.

“We found a European country using vulnerable devices for radiation detection and a major US city using them for traffic monitoring. Upon discovering these vulnerabilities, our team promptly alerted the proper authorities and agencies of these risks.”

The three vendors studied in this survey were described as “responsive” when contacted about the issues and have since released updates to fix the vulnerabilities highlighted.

However, IBM urged more rigorous testing of smart city systems including application scanning and red team exercises. It also suggested IP address restrictions when connecting smart city systems, use of SIEM to spot suspicious traffic and safer password and API key practices.