
'Modern cities' may be smarter, but they're not much safer

21 Sep 2016

'Modern cities' may be made up of thousands of different components that keep people safe and make life convenient, but they also come with huge vulnerabilities, new research from Kaspersky Lab has found.

Digital kiosks, interactive terminals and even speed cameras are vulnerable to attacks, putting people at risk - and the researchers have proven it through a number of experiments.

The researchers found that many kiosks used to pay for services and entertainment are full of bugs and vulnerabilities that could be used to expose private information. Speed cameras aren't immune, as they found hackers can access cameras and manipulate the data.

“Some public terminals we’ve investigated were processing very important information, such as user’s personal data, including credit card numbers and verified contacts (for instance, mobile phone numbers),” said Denis Makrushin, security expert, Kaspersky Lab.

"Many of these terminals are connected with each other and with other networks. For an attacker they may be a very good surface for very different types of attacks – from simple hooliganism, to sophisticated intrusion into the network of the terminal owner," Makrushin continues.

The list of devices used in modern cities doesn't end there: movie theater ticket terminals, bike rental terminals, government organisation self-service kiosks, and airport kiosks all run on Windows or Android-based devices, offering hackers easy access to terminals.

Hackers can then load or block access to functions, launch virtual keyboards and web browsers, offering full control of a public kiosk and giving direct access to hidden operating system features.

The company cites one example in which a terminal at an e-government kiosk offered a 'print' command. Attackers could intercept the print window and gain access to the help dialogue. This could allow access to the control panel and eventually compromise of the entire system, exposing it to malware, disclosure of printed document information and more.

"We believe that in the future public digital kiosks will become more integrated in other city smart infrastructure, as they are a convenient way to interact with multiple services. Before this happens, vendors need to make sure that it is impossible to compromise terminals through the weaknesses we’ve discovered," Makrushin says.

Kaspersky researchers also demonstrated how speed cameras can be exploited using the Shodan search engine. The cameras' IP addresses can be accessible from the web, and some aren't even password protected, allowing full control to almost anyone with internet access.

“In some cities, speed control camera systems track certain lines on the highway - a feature which could be easily turned off. So if an attacker needs to shut down the system at a certain location for a period of time, they would be able to do that," says Vladimir Dashchenko, security expert, Kaspersky Lab.

"Considering that these cameras can be, and sometimes are, used for security and law enforcement purposes, it is really easy to imagine how these vulnerabilities can assist in crimes like car theft and others. It is therefore really important to keep such networks protected at least from direct web access,” Dashchenko concludes.
