A year ago, Cesar Cerrudo flew to Washington, strolled over to Capitol Hill and pulled out his laptop. Then he began to hack the city’s traffic system.
The traffic lights – like so many he had tested before in Manhattan and elsewhere – were
wide open to attack. Cerrudo, an Argentine security researcher at IOActive Labs, an Internet security company, found he could turn red lights green and green lights red. He could have gridlocked the whole town with the touch of a few keys, or turned a busy thoroughfare into a fast-paced highway. He could have paralysed emergency responders, or shut down all roads to the Capitol.
Instead, Cerrudo approached the company that designs city traffic sensors, but does not encrypt the traffic running through them, in hopes executives would fix the security hole. When he was ignored, he blogged about the vulnerability in hopes that people would wake up to the issue and pressure cities to get it fixed. “What I found is that cities are filled with security problems that could have a very direct and physical impact on our lives,” Cerrudo said.
He is hacking into cities’ traffic infrastructure as security flaws in municipal technology networks are becoming a growing problem. For the last three years, government officials – and security specialists long before them – have warned that malicious hackers could shut down so-called smart cities, where network sensors connect traffic, water, waste and air management systems and the electric grid online to increase efficiency. As it stands, no comprehensive system exists for vetting security and responding to cyber-attacks at the municipal level.
Spending on smart city technology is also soaring around the globe. In Saudi Arabia, $70 million has been poured into a project to build four smart cities. In South Africa, $7.4 billion has been funnelled into a smart city project that is underway. By 2023, spending on smart cities will reach $27.5 billion, according to an estimate by Navigant Research.
“It’s going to be a machine planet pretty soon,” said David Jordan, the chief information security officer for Arlington County, Virginia. “They’re going to be telling us what to do if nobody starts paying attention.”
Already, incidents involving computer bugs in traffic systems have caused havoc, with one such bug closing down San Francisco’s public train system two years ago, trapping passengers underground. In 2006, during a labor strike, two Los Angeles traffic engineers were accused of hacking smart traffic light systems at only four major Los Angeles intersections. The ensuing gridlock lasted four days, clogging entries to Los Angeles International Airport and turning major intersections into parking lots.
Yet the Obama administration, which has called cyber-security a top priority, has failed to persuade regulators that the threat to the nation’s critical infrastructure is real.
Cyber-security legislation stalled in the Senate after Republicans argued that mandating basic security for the private companies that oversee the nation’s dams, water treatment facilities and the power grid would be too onerous.
After a Republican filibuster, President Barack Obama signed an executive order two years ago that set cyber-security recommendations for companies that oversee the country’s critical infrastructure like utilities, dams and bridges. Yet the order lacked teeth because, without legislation, the recommendations are voluntary.
That is where hackers like Cerrudo have stepped in, hoping to illustrate the extent of the problem by breaking into the systems themselves. He has demonstrated how 200,000 control sensors for traffic flow in major cities like New York, San Francisco and Washington were open to attack. Because vendors did not encrypt the data running through their systems, Cerrudo could intercept and alter traffic sensors from 1,500 feet away, or even by drone.
Cerrudo is also hacking away at public apathy about security issues by using another tack: He is starting a non-profit initiative, Securing Smart Cities, that aims to bring together security researchers and officials in the public and private sectors to tackle the vulnerabilities in increasingly connected cities, before another 50 billion devices go online in the next five years.
“This is where everyone lives, including myself, and I am tired of pointing out the problem without offering a solution,” Cerrudo said.
He and his colleagues are aiming for defences like encryption and passwords, and a proper process for patching holes like the ones discovered in traffic sensors.
Ideally, cities will start tracking access to their systems, run regular tests to look for loopholes and set up emergency response teams that can solicit vulnerability reports from hackers, coordinate patches and share that information across cities. They also want to create manual overrides for all smart city systems, in the event attackers take control.
Fear, uncertainty and doubt
Security researchers have long been accused of fostering “FUD,” an acronym for fear, uncertainty and doubt, to sell their products. As a result, Cerrudo said he and others had purposely set up their initiative as a non-profit project. “We are not selling anything,” he said. “The technologies are broad, the problem is huge, and we didn’t want to point out problems without offering solutions. The only way to solve this is going to be collaboration.”
The potential for damage, he and others said, has already eclipsed the hypothetical. Last
year, a Russian hacking group, known to researchers as Dragonfly and Energetic Bear, was found to be probing power networks in the US and Europe.
In 2013, the Homeland Security Department acknowledged that the energy industry became the most-targeted sector for hackers in the United States, accounting for 56 per cent of the 257 attacks reported to the agency that year.
And last year, the agency acknowledged in a report that “a sophisticated threat actor” had broken into a public utility’s control system using a simple attack. The attacker just guessed the password to a system that never should have been plugged into the Internet in the first place, the agency said.
Just how far Cerrudo can take his initiative is open to debate. A year after publishing his findings on traffic sensor research, Cerrudo tested San Francisco’s traffic light system and found that the city had still not encrypted its traffic sensor data, leaving the city wide open to attack.
“Every day, cities incorporate a new ‘smart’ technology, without any testing,” he said. “What they don’t realise is that they are putting citizens and businesses at risk. If that technology is not protected, people will suffer the consequences.”