This article is from the source 'guardian' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.

You can find the current article at its original source at http://www.theguardian.com/cities/2014/may/21/smart-cities-future-stupid-hack-terrorism-watchdogs

Smart or stupid: will our cities of the future be easier to hack?
News update: cyber terrorists have hacked into the electricity company supplying a residential area of the city and caused a blackout. They’ve sent an email with their demands to restore power - it’s a significant amount of money. The city’s cyber defenders have been tasked with retaking control of the compromised machines and restoring power to citizens.
Don’t panic. Not yet, anyway. This isn’t a real city. Nor is it a scene from Watch Dogs, Ubisoft’s much-hyped new game in which hacker Aiden Pearce takes control of Chicago’s infrastructure (from traffic lights to private data) via the smartphone in his pocket.
Instead, the scenario comes from CyberCity, a virtual urban environment set up by US government contractor Counter Hack to train officials in the threats facing our ever more computer-controlled cities. Trainees access the networked devices running the city from a remote location, but there is a physical aspect too: a six-by-eight-foot, 3D model of CyberCity with all the facilities you’d expect.
It might look like something a father and son would build in the garage, but it’s a significant piece of work. The aforementioned cyber defenders are genuine US defence personnel, testing their abilities to counter digital attacks on critical urban infrastructure. When they successfully hack into the terrorists’ systems and switch the power back on, the white lights of the model CyberCity turn on again. For an added dose of “realism”, the CyberCity Sentinel, the city’s official newspaper, publishes an article on its website explaining that the mysterious power outage has been resolved.
CyberCity should be a wakeup call to city planners the world over, showing that much of today’s systems-management infrastructure is vulnerable to digital attack. The machines that the mock terrorists have disabled are based on industrial software used by real-world critical infrastructure providers, known as “supervisory control and data acquisition” (SCADA) tools and “programmable logic controllers” (PLCs).
“We try to make it as realistic a deployment as we can,” says Counter Hack founder Ed Skoudis. “The engineer who designed our power grid is someone who designs power grids for military bases.”
Skoudis and other security experts are deeply concerned about the safety of SCADA tools. He says many of their protocols (the rules and commands that govern the way computers handle data and human access) “suck”, and that cities are littered with vulnerable software and hardware. This is no future threat, Skoudis adds; they are open to attack right now.
To prove the point, a researcher from security consultancy IOActive recently showed that vulnerabilities in road sensors relaying information to traffic lights could be exploited to turn them from red to green, or keep them on a certain colour. The potential impact is all too obvious: traffic carnage and deadly accidents.
The researcher, Cesar Cerrudo, took to the streets of Washington DC to trial the potential hacks, without actually causing any harm. He says the biggest problem is that manufacturers producing much of the kit for today’s “smarter” cities do not have the adequate security skills to ensure they are safe from attack. (Skoudis concurs that traffic light systems, in particular, have shown an “egregious lack of security” during his CyberCity tests.)
Cerrudo believes many other systems that manage key bits of urban infrastructure will be proven just as vulnerable. He plans to look at streetlights in upcoming research: “Most of the products we take a look at are insecure; they have vulnerabilities and allow hackers to compromise them.”
Many of the weaknesses are basic, he says: devices often don’t do adequate validation of the data being sent to them, failing to check whether malicious streams of information are being sent rather than legitimate bits and bytes determining their functions.
“The main problem is that these systems are blindly trusting the data they get,” Cerrudo adds. “They don't know if it's real or fake, yet they take actions and decisions based on that data. It's a very broad problem.”
CyberCity’s training missions, which are determined by what the customer (ie the US government) wants, highlight where there are real and present threats to urban areas. One includes a challenge for cyber warriors to derail a train carrying a radiological bomb by hacking into the SCADA system controlling the track’s switching functions. There’s also a cafe where imagined bankers and doctors go to get a coffee and have their smartphones hacked over a public wireless broadband network.
Future missions will probably include so-called “Kobayashi Maru” scenarios, named after the Star Trek training exercises in which Starfleet Academy cadets are tested to the limit by the lack of a winning solution. “We have an elementary school in CyberCity; you're not supposed to touch it because you get in big trouble if little kids get hurt or killed,” Skoudis explains. “We've talked about creating a mission where the only way to achieve the goal is to violate that rule. It's an interesting measurement to see if a cyber defender is willing to go that far.”
Nations across the world are now taking serious note of cities’ myriad weaknesses, in the process increasing their own capability to disrupt connected infrastructure. Skoudis says he has had interest from the UK, Japan and numerous other countries. Many want their own CyberCities to defend and attack.
Connected devices in cities pose a threat not only to people’s safety, but also to their privacy. James Lyne, global head of security research at IT experts Sophos, has uncovered a host of hackable, internet-enabled surveillance cameras, for example. In one case, he was able to see the digits being pressed on a chip-and-pin machine at a petrol station; the camera had no log-in or password set-up whatsoever. This meant anyone could have hacked the camera if they found its internet protocol address (the string of numbers used to identify a connected machine).
“The cameras were positioned over the cash register and credit card machines with suitable resolution to see card numbers, pins and even the sign-on code the staff member used for the cash register. This is one system of many out there, and an example of the basic old-style security failures that are still widespread,” Lyne warns.
His research also uncovered scores of vulnerabilities across CCTV cameras, webcams and even baby monitors. Of the 11 different camera products Lyne tested personally, three contained the much-publicised Heartbleed vulnerability, while four didn’t use any encryption at all, meaning a hacker could easily intercept data being sent to and from the cameras, including usernames and passwords.
Finding hackable CCTV cameras has become considerably easier with the emergence of Shodan, a computer and device search engine. It can help anyone find a vulnerable machine, whether it’s a web server or a surveillance camera.
“In short, gaining access to these systems en masse across the world is remarkably trivial,” Lyne says. “We are working through vulnerability fixes with vendors, but initial results have been slow. Exploitation of this kit is obscure but trivial compared to the modern PC, and cyber criminals succeed at that too.”
Some city planners, at least, are taking the threat seriously. Colin Birchenall, lead architect for Glasgow City Council’s Future Cities demonstrator programme, says the project to add greater connectivity to the Glasgow area is being done with a security consultant on board, using best-practice guidance straight from GCHQ.
“It's very much about understanding the nature of the information and services provided by the devices,” Birchenall explains, “then walking through the various components … from devices themselves right through to back-end servers. Take it component by component, device by device.”
Unlike in CyberCity, no real-world urban destruction has yet come about as the result of a cyber attack. However, as more and more machines are entrusted with managing cities’ infrastructure systems, the prospect of disruption and worse through hacking looks ever more likely. If they’re not careful, some smart cities of the future could end up looking pretty stupid.