Smart city infrastructure is developing faster than security tools, and many of the components that make up smart cities are vulnerable to cyber attacks, according to a new study that explains how security can be tightened up.
Kaspersky Lab found vulnerabilities in digital kiosks and interactive terminals that could potentially expose private user data and be used to spy or spread malicious code. The researchers also looked at speed cameras and their supporting infrastructure and discovered that malicious users could easily access these cameras and manipulate the data collected.
Parking payment terminals, ticket terminals in cinemas, bicycle rental spots, and booking and information terminals at airports all look different, but most of them are the same inside, Kaspersky Lab explained. Each terminal is either a Windows-based or an Android-based device running special software that gives the user easy access to specific features while restricting access to other features of the device’s operating system, including launching a web browser and the virtual keyboard.
Accessing these functions provides an attacker with opportunities to compromise the system. The research showed that almost any digital public kiosk contains one or more security weaknesses which allow an attacker to access hidden features of the operating system.
“Some public terminals we’ve investigated were processing very important information, such as user’s personal data, including credit card numbers and verified contacts (for instance, mobile phone numbers),” said Denis Makrushin, security expert at Kaspersky Lab. “Many of these terminals are connected with each other and with other networks. For an attacker they may be a very good surface for very different types of attacks — from simple hooliganism, to sophisticated intrusion into the network of the terminal owner. Moreover, we believe that in the future public digital kiosks will become more integrated in other city smart infrastructure, as they are a convenient way to interact with multiple services. Before this happens, vendors need to make sure that it is impossible to compromise terminals through the weaknesses we’ve discovered.”
To prevent malicious activity on public devices that have a touch interface, Kaspersky Lab recommends that the interactive shell have no extra functions that enable the operating system’s menu to be called (such as right mouse click, links to external sites, etc.). The application itself should be launched using sandboxing technology, and the operating system session should be launched with the restricted privileges of a regular user, making it more difficult to install new applications.
Creating a unique account with a unique password on each device also helps prevent attackers who have compromised one terminal from using the password they have cracked to access other similar devices.
To protect speed cameras, Kaspersky Lab recommends a full-scale security audit and penetration testing. For security reasons, none of these cameras should be visible from the internet, the company said.
Kaspersky Lab concluded: “The number of new devices used in the infrastructure of a modern city is gradually growing. These new devices in turn connect to other devices and systems. For this environment to be safe for people who live in it, smart cities should be treated as information systems whose protection requires a custom approach and expertise.”