At this point, it seems like every so-called consumer smart device—from routers and baby monitors to connected thermostats and garage door openers—has been shown to have vulnerabilities. But that same security crisis has also played out on a macro scale, exposing municipal works and public safety sensors to manipulation that could destabilize traffic lights, undermine radiation sensors, or even create a calamity like causing a dam to overflow because of tainted water level data.

Researchers from IBM Security and data security firm Threatcare looked at sensor hubs from three companies—Libelium, Echelon, and Battelle—that sell systems to underpin smart city schemes. Smart city spending worldwide is estimated to reach about $81 billion globally in 2018, and the three companies all have different areas of influence. Echelon, for example, is one of the top suppliers of smart street lighting deployments in the world.

Fundamentally, though, the systems the researchers analyzed are similar. By setting up an array of sensors and integrating their data, a municipality can get more nuanced insight into how to solve interconnected problems. These sensors monitor things like weather, air quality, traffic, radiation, and water levels, and can be used to automatically inform fundamental services like traffic and street lights, security systems, and emergency alerts.

'When they fail, it could cause damage to life and livelihood.' Daniel Crowley, IBM X-Force Red

That last one might sound familiar; an accidental missile alert in January sent Hawaii's residents scrambling, while a hack set off Dallas's tornado sirens last year. In fact, those incidents and others like it inspired Daniel Crowley of IBM X-Force Red and Jennifer Savage of Threatcare to investigate these systems in the first place. What they found dismayed them. In just their initial survey, the researchers found a total of 17 new vulnerabilities in products from the three companies, including eight critical flaws.

“The reason we wanted to focus on hubs was that if you control the central authority that runs the whole show then you can manipulate a lot of information that’s being passed around,” Crowley says. “It appears to be a huge area of vulnerability, and the stakes are high when we’re talking about putting computers in everything and giving them important jobs like public safety and management of industrial control systems. When they fail, it could cause damage to life and livelihood and when we’re not putting the proper security and privacy measures in place bad things can happen, especially with a motivated and resourced attackers.”

The researchers found basic vulnerabilities, like guessable default passwords that would make it easy for an attacker to access a device, along with bugs that could allow an attacker to inject malicious software commands, and others that would allow an attacker to sidestep authentication checks.

Many smart city schemes also use the open internet, rather than an internal city network, to connect sensors or relay data to the cloud, potentially leaving devices exposed publicly for anyone to find. Simple checks on IoT crawlers like Shodan and Censys yielded thousands of vulnerable smart city products deployed in the wild. The researchers contacted officials from a major US city that they found using vulnerable devices to monitor traffic, and a European country with at-risk radiation detectors.

"I live in a city that’s starting to implement smart city devices," Threatcare's Savage says. "We bought a house here and we can choose not to have IoT devices in our home, we can go out of our way to buy a dumb TV not a smart TV. But I can’t control if there are street lights with cameras baked into them right outside my house and I have no control over the vehicle hub that my city might be using. It gets to me as a security researcher that a city might be making these types of decisions for me."