Smart City Security - The Real-World Risks & Challenges

Smart City Security - The Real-World Risks & Challenges

Keynote presentation for the 6th International Cyber Crime Conference (IC3) held in Abu Dhabi.


Mark Stanislav

March 16, 2016


  1. 2.

    High-Level Goals of Smart City Initiatives • Performance: Can we

    resolve inefficiencies of a given system through the use of real-time analysis of passive data sources to change how the system works? • e.g. Traffic sensors used to resolve traffic congestion via machine learning
 • Cost Savings: Can a system determine when the value it provides to a user is being out weighed by the financial cost to provide it and disrupt operations? • e.g. HVAC units that are temporarily interrupted when power costs are high
 • Convenience: Can a system enable users to spend less time managing the individual components of its deployment and rather automatically act for them? • e.g. Parking meters that will start/stop billing by proximity of a user’s phone
  2. 5.


    Can we trust sensor data? • Was a command altered? • Where is data collected? • Is information encrypted? • How do we identify users? • Are passwords enough? • How is control delegated? • Can we mitigate abuse?
  3. 7.

    Sensor Networks and the Challenge of Integrity • The trust

    that sensors implicitly have within a control network allow for abuse • If the sensor reports a result, how & why should a system decide it’s not valid? • When sensor nodes communicate and/or repeat data, can we trust it? • Each type of sensor inherently has a way to abuse the validity of what it “sees” • Is there a traffic jam? Or did someone only convince the road sensor there is? • Communications between sensors and controllers must have full integrity • Can we manipulate a sensor controller to believe sensors are speaking to it?
  4. 8.

    A Couple Methods to Abuse Sensor Networks • Manipulation: Alter

    the contents of a transmission “in flight” of either wired and/or wireless sensors to change the intent or target to allow the attacker greater influence • e.g. Intercept and change a message to say “car present” to “car not present” • Spoofing: Determine an identifier that is associated with a valid network sensor and fraudulently claim to be that sensor to send transmissions that are regarded as true • e.g. Sniff Wi-Fi traffic for hardware addresses of valid sensors and steal one Many connected technologies and protocols do not appropriately ensure that messages are unique, have a verifiable source, or have cryptographic validity
  5. 9.

    Attacking IEEE 802.15.4 Traffic Sensor Networks Cesar Cerrudo of IOActive

    demonstrated his ability to abuse the lack of integrity in both
 firmware and communications for sensor technology powering over 200,000 devices For ~$100 USD, Major Traffic Disruptions Can Occur
  6. 11.

    • Smart Cities require broader and more complex cryptographic trust

    anchors than the web (e.g. browsers) in order to scale and provide differing levels of assurance • How do we ensure end-to-end communications across vendors who have never before spoken to one another and end-users who don’t know each other exist? • Even modern protocols (e.g. ZigBee) often natively lack appropriate key exchange mechanisms to ensure that passive ease droppers cannot intercept communications • In many cases, infrastructure components don’t even use encryption at all • Are the devices we deploy today capable of performing the necessary operations? • Bugs in libraries occur (e.g. Heartbleed) and we must be able to quickly update! Cryptographic Infrastructure on Scale
  7. 12.

    Broken by Default: Bluetooth Low Energy In 2013, Mike Ryan

    exposed that Bluetooth Low Energy (LE) effectively had zero usable
 key exchange handling. This was only recently resolved in BTLE 4.2 and unlikely used. Passive Attackers Are Able to Crack Cryptography in Seconds
  8. 13.

    A Few Thoughts on Smart Cities and Privacy • Data

    aggregation from Smart City sensors will be both one of the greatest uses of truly ‘Big Data’ and also pose a crisis of citizen privacy it it were mishandled • This is especially true as more governments embrace progressive ‘open data’ initiatives, where they intentionally publish data that could contain information that was not adequately decoupled, redacted, or obscured to protect identities • In 2007, AOL released “anonymized” data of search engine results that were not redacted in a complex enough manner and allowed people to be determined • The aggregate of different sensor networks will ultimately result in Smart City awareness of how citizens “live their life,” which could impede their privacy • Where did individuals go? How long did they stay? What did they do?
  9. 15.

    2016 Technology with 1976 Authentication • We all have learned,

    either first hand or through the media, that using a password has become insufficient to protect against malware, phishing, and other easy attacks • The web site has aggregated 290 million accounts from publicly leaked data breaches since only 2010 — this is a drop in the bucket • Two-factor authentication (e.g. hardware token + password) is necessary to further our capability to safely identify users who are connecting to various control systems • This increase in security must be measured against convenience, however, and have a focus on requiring users to authenticate on high-risk transactions or sensitive data • Requiring context-specific, device-aware authentication reduces overall friction
  10. 16.

    A Shift in Identity from Humans to Everything Daniel Miessler

    realizes that identity, whether human or machine, must be abstracted to
 a functional level that allows for complex relationships to occur among disparate objects In a Smart City, the human is just another variable in an equation
  11. 17.

    Creating an Identity Web of Trust via Hardware • PricewaterhouseCoopers

    performed a consumer survey that found… • The Smart City will require that citizens each possess numerous on- person technologies that can provide higher assurance levels of the identity for any individual — effectively a personal area network of trust • How will Smart Cities manage all of the authentication credentials and device identifiers? Will they leverage third-parties (e.g. social media)?
 “82% were concerned that wearable tech will invade their privacy and 86% expressed concern that wearable tech will make them more vulnerable to security breaches, a concern that outweighed any of the benefits named.”
  12. 19.

    • Smart City excellence will be based on the capabilities

    of individual technologies that are able to expose interfaces to leverage the depth of their overall functionality • Cars, bulbs, and locks will be abstracted away into purpose-based primitives • Authorization is difficult even for small scopes, let alone at the scale of a Smart City • How do we track who can do what? How is that arbitrated? What about logging? • Much like our problem to manage Smart City confidentiality, authorization in future deployments will need to be managed on a scale that we’ve never seen achieved • We truly must have humans and machines each be able to accomplish tasks that do not require individual authorization or have vendor-specific knowledge Flexibility is the Nemesis of Simplicity
  13. 20.

    Capabilities Can Scale for Attackers, Too Vulnerable Technologies Interwoven is

    an Attacker’s Dream • If This Then That (IFTTT) is a popular web service that connects unrelated platforms • The problem IFTTT helps solve is the need for users to perform actions based on the results of other platforms — sound familiar? • Authorization in this model is entirely based on initial trust when a user authenticates to a service — Smart Cities need granularity! • e.g. Allow Mark to turn on light bulbs in his house, his office, and Mike’s house
  14. 21.


    adjust your office’s thermostat? Pay for it. • Using a water fountain on the street? Pay for it. • Need to use a private facilities bathroom? Pay for it. • Determine ads to show a person as they walk by • Use environmental sensors to suggest activities • Provide tourist narration based on a phone’s settings MICRO PAYMENTS HOME INTEGRATION How do these features alter our evolving Smart City security needs? • Automatically set citizen’s home thermostat settings • Integrate home camera feeds into security monitoring • Home owner across town? Close & lock entry points.
  15. 22.

    Four Large Challenges for Smart City Security 1. Build tamper

    resistant-and-evident technologies, at physical & digital levels, to provide assurances that all communications and functionality remain trusted • A mixture of trusted computing hardware, digital signatures, and message queues 2. Building a comprehensive & decentralized cryptographic backend that allows unrelated technologies/vendors to securely communicate with minimal setup • Consider what the Bitcoin blockchain can be used for beyond simply currency 3. Managing the identity of humans & machines on scale, with awareness of the authentication context, proximal technologies, and risk profile of certain actions • Social media + wearables are just step one towards building a web of digital trust 4. Allow the real-time discovery of Smart City components, their capabilities, the authorizations an individual user and/or machine has, and provide direct access • The world is a massive Application Programming Interface (API) to be exposed
  16. 23.

    Securing Smart Cities (SSC) -
 Collaboration of individuals, companies,

    and organizations that collectively want to raise the bar for Smart City security through curated knowledge transfer
 The OTA’s IoT Trust Framework - Structured guidance to help the vendors of connected devices determine the goals and methods to ensure a higher level of secure engineering & privacy 
 Build It Securely -
 An initiative to provide secure-engineering guidance and technical resources to IoT vendors from world-class experts who provide their time and talent for free HELPING TO SECURE SMART CITIES