IBM has discovered 17 zero-day vulnerabilities in smart city systems which could debilitate core services.
At the Black Hat conference in Las Vegas on Monday, the cybersecurity firm's X-Force Red team of penetration testers and hackers demonstrated how old-school threats are placing the cities of the future at risk in the present day.
Smart city technology spending is predicted to hit $80 billion this year and become as high as $135 billion by 2021. Water and filtration systems, smart lighting, traffic controllers, utilities, and more all become intertwined in smart cities, which aim to make urban living more energy efficient, eco-friendly, and manageable.
However, connecting all of these critical elements can have devastating effects should something go wrong -- such as a successful cyberattack.
We've already seen the damage which can be caused when threat actors target core country systems, such as in the case of Ukraine's power grid, and unless security is considered every step of the way, every future city will be placed at similar levels of risk.
Together with researchers from Threatcare, IBM X-Force Red discovered that smart city systems developed by Libelium, Echelon and Battelle were vulnerable to attack.
Libelium is a wireless sensor network hardware manufacturer, while Echelon specializes in industrial IoT, and non-profit Battelle develops and commercializes related technologies.
According to IBM X-Force Red researcher Daniel Crowley, out of the 17 previously-unknown vulnerabilities discovered in systems used in four smart cities, eight are deemed critical in severity.
Unfortunately, many of the bugs were due to poor, lax security practices -- such as the use of default passwords, authentication bypass, and SQL injections.
In total, the researchers uncovered four instances of critical pre-authentication shell injection flaws in Libelium's wireless sensor network, Meshlium.
TechRepublic: Smart cities: A cheat sheet
In addition, Echelon's i.LON 100/i.LON SmartServer and i.LON 600 SmartServers, which are used for energy conservation, contained two critical authentication flaws, unencrypted communications issues, default credentials were in use, and plaintext passwords were uncovered.
When it comes to Battelle, the non-profit's V2I (Vehicle-to-Infrastructure) Hub, version 2.5.1, was also found wanting when it comes to adequate security.
The worst vulnerability discovered was a hard-coded administrator account, followed by permitted access to sensitive functionality without authentication, default API keys and authentication bypass, SQL injection security flaws and reflected XSS issues.
After rounding up the bugs which were immediately apparent in the various smart city systems, the team found that dozens -- and in some cases, hundreds -- of the vendor devices were left exposed to remote access online.
"Once we located an exposed device, using some standard Internet searches we were able to determine, in some instances, who purchased the devices and, most importantly, what they're using the devices for," the researchers added.
The findings were disclosed to Libelium, Echelon, and Battelle. IBM says all three were "responsive" and security patches have been issued to resolve the vulnerabilities.
Update 16.06 BST: A Libelium spokesperson told ZDNet:
"Several weeks ago Libelium was informed by IBM about some web vulnerabilities which had been found in the Meshlium Manager System. As Libelium considers security as a fundamental and essential core element for all its development projects new actions were taken immediately.
Responding to Libelium's commitment to the security of IoT devices, the company took action instantaneously and all vulnerabilities detected were automatically amended with a new software version released on August 1st which is ready to be downloaded from the Manager System.
Libelium truly appreciates IBM work in the detection as well as their responsible communication about this discovery."