Researchers tested smart city systems from Libelium, Echelon, and Battelle and found 17 zero-day vulnerabilities, 8 of which were rated as high severity.
The researchers decided to analyze the systems because of the incident in Hawaii, where a false missile alarm issued due to human error caused widespread panic.
“We found 17 zero-day vulnerabilities in four smart city systems — eight of which are critical in severity. While we were prepared to dig deep to find vulnerabilities, our initial testing yielded some of the most common security issues, such as default passwords, authentication bypass, and SQL injections, making us realize that smart cities are already exposed to old-school threats that should not be part of any smart environment.”
After discovering the vulnerabilities, the researchers developed exploits to assess their potential impact in an attack scenario. They found dozens of the vendors' devices exposed to remote access on the internet.
The researchers also gave some examples to show the real threat. Hackers could manipulate a water level sensor to indicate a flood in an area and create panic, or make the reported water level appear normal and prevent the warning of an actual flood.
Hackers could also create a fake radiation leak alarm in an area near nuclear power plants and create widespread panic.
Hackers could also exploit these vulnerabilities to create general chaos, such as controlling traffic signals or setting off building alarms or emergency alarms.
The researchers have reported the vulnerabilities to all the vendors, and the vendors have released patches and updates for all of them.
The full list of vulnerabilities discovered by the researchers is given below:
Meshlium by Libelium (wireless sensor networks)
- (4) CRITICAL — pre-authentication shell injection flaw in Meshlium (four distinct instances)
i.LON 100/i.LON SmartServer and i.LON 600 by Echelon
- CRITICAL — i.LON 100 default configuration allows authentication bypass – CVE-2018-10627
- CRITICAL — i.LON 100 and i.LON 600 authentication bypass flaw – CVE-2018-8859
- HIGH — i.LON 100 and i.LON 600 default credentials
- MEDIUM — i.LON 100 and i.LON 600 unencrypted communications – CVE-2018-8855
- LOW — i.LON 100 and i.LON 600 plaintext passwords – CVE-2018-8851
V2I (vehicle-to-infrastructure) Hub v2.5.1 by Battelle
- CRITICAL — hard-coded administrative account – CVE-2018-1000625
- HIGH — sensitive functionality available without authentication – CVE-2018-1000624
- HIGH — SQL injection – CVE-2018-1000630
- HIGH — default API key – CVE-2018-1000626
- HIGH — API key file web accessible – CVE-2018-1000627
- HIGH — API auth bypass – CVE-2018-1000628
- MEDIUM — reflected XSS – CVE-2018-1000629
V2I Hub v3.0 by Battelle
- CRITICAL — SQL injection – CVE-2018-1000631