X-Force Red in Action: Spotlight on Smart City Security With Daniel Crowley

Listen to this podcast on iTunes, Soundcloud or wherever you find your favorite content.

On this week’s episode of X-Force Red in Action, Daniel Crowley, research baron at X-Force Red, stops by to discuss his work on smart city security. Crowley recently gave a standout talk at Black Hat 2018, titled “Outsmarting the Smart City,” in which he detailed his team’s efforts to compromise technologies commonly found in smart cities.

As for the results of this exercise, Crowley puts it simply: When it comes to mature security, smart cities “have a long way to go.”

What Happens When Security Heroes Play Supervillain?

Crowley and his research team, which included fellow X-Force Red team member Mauro Paredes, as well as Jennifer Savage of Threatcare, aimed to see just how quickly they could become “supervillains” by hacking smart city technologies such as network and transportation connectors. Turns out, it didn’t take long; they discovered more than 450 i.Lon devices exposed to the internet at large and vulnerable to complete takeover, while many vehicle-to-infrastructure (V2I) hubs included hardcoded admin credentials.

Crowley’s team was able to download V2I source code freely, but took a black box approach to proprietary technology such as i.Lon and Meshlium. In each case, the team found firmware and software that were vulnerable to attack. According to Crowley, once these flaws were discovered and reported, most manufacturers quickly issued patches and updated users.

How to Improve Smart City Security

So, what can manufacturers and users do to strengthen smart city security when they don’t have the X-Force Red experts around to help? For manufacturers, Crowley recommends making security a part of the development process. This means including easy ways to update and patch devices, especially since some of these devices are literally embedded in concrete. In addition, manufacturers must create devices with initially secure configurations, such as encryption by default and mandatory password requirements.

Meanwhile, end users deploying smart city technology should demand evidence of security: Did the vendor conduct penetration testing and threat analysis? Were issues remediated?

Finally, it’s critical to restrict device access, since more users means more potential points of failure.

To learn more about the 17 security vulnerabilities that Crowley and team discovered during their smart city hacking research, read the complete white paper, “The Dangers of Smart City Hacking.”

Never miss a new episode of X-Force Red in Action! Subscribe to the SecurityIntelligence Podcast on iTunes or your favorite podcast platform.

Anshul Garg

Portfolio Marketing Manager, IBM

Anshul Garg is the Product Marketing Manager for IBM Security Services, focusing on X-Force Red. Anshul has a Master of...