
'Modern cities' may be smarter, but they're not much safer

21 Sep 16

'Modern cities' may be made up of thousands of different components that keep people safe and make life convenient, but they also come with huge vulnerabilities, new research from Kaspersky Lab has found.

Digital kiosks, interactive terminals and even speed cameras are vulnerable to attacks, putting people at risk - and the researchers have proven it through a number of experiments.

The researchers found that many kiosks used to pay for services and entertainment are full of bugs and vulnerabilities that could be used to expose private information. Speed cameras aren't immune either: the researchers found that hackers can access the cameras and manipulate their data.

“Some public terminals we’ve investigated were processing very important information, such as user’s personal data, including credit card numbers and verified contacts (for instance, mobile phone numbers),” said Denis Makrushin, security expert, Kaspersky Lab.

“Many of these terminals are connected with each other and with other networks. For an attacker they may be a very good surface for very different types of attacks – from simple hooliganism, to sophisticated intrusion into the network of the terminal owner,” Makrushin continues.

The number of devices used in modern cities doesn't end there: movie theater ticket terminals, bike rental terminals, government organisation self-service kiosks, and airport kiosks all run on Windows or Android-based devices, offering hackers easy access to terminals.

Hackers can then load or block access to functions, launch virtual keyboards and web browsers, offering full control of a public kiosk and giving direct access to hidden operating system features.

The company cites one example in which a terminal at an e-government kiosk contained a 'print' command. Attackers could intercept the print window and gain access to the help dialogue. This could allow access to the control panel and eventually compromise the entire system, opening it to malware, exposure of printed document information and more.

"We believe that in the future public digital kiosks will become more integrated in other city smart infrastructure, as they are a convenient way to interact with multiple services. Before this happens, vendors need to make sure that it is impossible to compromise terminals through the weaknesses we’ve discovered," Makrushin says.

Kaspersky researchers also demonstrated how speed cameras can be exploited using the Shodan search engine. The cameras' IP addresses can be accessible from the web, and some aren't even password protected, allowing full control to almost anyone with internet access.

“In some cities, speed control camera systems track certain lines on the highway - a feature which could be easily turned off. So if an attacker needs to shut down the system at a certain location for a period of time, they would be able to do that,” says Vladimir Dashchenko, security expert, Kaspersky Lab.

“Considering that these cameras can be, and sometimes are, used for security and law enforcement purposes, it is really easy to imagine how these vulnerabilities can assist in crimes like car theft and others. It is therefore really important to keep such networks protected at least from direct web access,” Dashchenko concludes.
