
Hackable Speed Cameras Highlight Risk Of Rush Toward IoT-Enabled 'Smart' Cities

from the if-you-build-it-(poorly)-they-will-come dept

We've been talking at length about how the lack of security in the Internet of Things space is seen as a sort of adorable joke, but isn't always a laughing matter. While the hilarious stupidity of some of the "smart" products flooding the market is undeniable, the reality is that the abysmal state of security in "IoT" devices (read: little to none) is creating millions of new attack vectors every year. And as Bruce Schneier recently warned, it's only a matter of time before the check comes due, and these vulnerabilities contribute to hacking attacks on core infrastructure resulting in notable fatalities.

Refrigerators that leak your Gmail credentials are one thing, but this looming calamity is going to be made notably worse by the rush toward "smart" cities. The same hardware vendors that can't bother to secure their consumer-side hardware haven't done a much better job securing the gear they're shoveling toward cities under the promise of a better, more connected tomorrow. Case in point: Kaspersky Lab researchers have discovered that a significant number of city speeding cameras are, you guessed it, easily hackable:
"According to Vladimir Dashchenko and Denis Makrushin from Kaspersky Lab, these devices can be easily manipulated. The results were published in a security conference paper about the security hazards in smart cities... The Russian researchers were using the Shodan search engine to explore the security implications of the 'smart city' fad. They hypothesized that the rush to deploy high-tech, 'Internet of things' devices to improve the municipal infrastructure often meant that security was left behind."
And they were right. Except security wasn't just subpar on speed cameras made by vendors like Redflex Traffic Systems. In many instances it didn't exist whatsoever:
"We decided to check that passwords were being used," Dashchenko and Makrushin wrote. "Imagine our surprise when we realized there was no password and the entire video stream was available to all Internet users. Openly broadcast data includes not only the video stream itself, but additional data, such as the geographical coordinates of cameras, as well."
The researchers noted that even in not-so-smart cities, the cameras are already processing gigabytes of citizens' data with little to no protection. Worse, the researchers found that given these cameras are tied to larger networks, hackers could potentially gain access to databases of stolen vehicles and add or remove vehicles from said lists. Their full paper, Fooling The Smart City (pdf), is worth taking a look at, and highlights how a significant number of kiosks -- used for everything from ticket sales to bicycle rentals -- are also vulnerable.

The result isn't just an exponential explosion in vulnerabilities. These compromised devices are now being used in historically massive new DDoS attacks that appear to be getting larger by the day. On the heels of the recent, record-setting 620 gigabit-per-second DDoS attack against Brian Krebs (which was fueled in part by compromised IoT devices), a new attack this week launched against a French web host peaked at an incredible 1.1 terabits per second, driven in part by -- you guessed it -- hacked security cameras.

Krebs subsequently noted this week that the source code for the IoT-fueled DDoS that took down his website has been released, all but guaranteeing that mammoth, even larger attacks fueled by not-so-smart cars, not-so-smart locks, and not-so-smart power outlets are about to become the norm.

Filed Under: brian krebs, ddos, hackable, iot, speed cameras


Reader Comments

  1. Lurker Keith, 5 Oct 2016 @ 5:05am

    Watch_Dogs = what not to do, not something to copy

    Watch_Dogs was a game, not an instruction manual. If anything, it was a WHAT NOT TO DO demonstration. The entire point of Watch_Dogs was that a "smart" city was the worst idea ever AND would be a hackers' playground.

    Why does the world keep taking entertainment things making fun of what not to do, & treat them as a guide on how to do things? Shouldn't they have learned SOMETHING by now?

    Seriously, what sane anything could copy Ubisoft, at this point, anyway?
