Hackable Speed Cameras Highlight Risk Of Rush Toward IoT-Enabled 'Smart' Cities

from the if-you-build-it-(poorly)-they-will-come dept

We've been talking at length about how the lack of security in the Internet of Things space is seen as a sort of adorable joke, but isn't always a laughing matter. While the hillarious stupidity of some of the "smart" products flooding the market is undeniable, the reality is that the abysmal state of security in "IoT" devices (read: little to none) is creating millions of new attack vectors every year. And as Bruce Schneier recently warned, it's only a matter of time before the check comes due, and these vulnerabilities contribute to hacking attacks on core infrastructure resulting in notable fatalities.

Refrigerators that leak your Gmail credentials are one thing, but this looming calamity is going to be made notably worse by the rush toward "smart" cities. The same hardware vendors that can't bother to secure their consumer-side hardware haven't done a much better job securing the gear they're shoveling toward cities under the promise of a better, more connected tomorrow. Case in point: Kaspersky Lab researchers have discovered that a significant number of city speeding cameras are, you guessed it, easily hackable:
"According to Vladimir Dashchenko and Denis Makrushin from Kaspersky Lab, these devices can be easily manipulated. The results were published in a security conference paper about the security hazards in smart cities...The Russian researchers were using the Shodan search engine to explore the security implications of the "smart city" fad. They hypothesized that the rush to deploy high-tech, "Internet of things" devices to improve the municipal infrastructure often meant that security was left behind.
And they were right. Except security wasn't just subpar on speed cameras made by vendors like Redflex Traffic Systems. In many instances it didn't exist whatsoever:
"We decided to check that passwords were being used," Dashchenko and Makrushin wrote. "Imagine our surprise when we realized there was no password and the entire video stream was available to all Internet users. Openly broadcast data includes not only the video stream itself, but additional data, such as the geographical coordinates of cameras, as well."
The researchers noted that even in not-so-smart cities, the cameras are already processing gigabytes of citizens' data with little to no protection. Worse, the researchers found that given these cameras are tied to larger networks, hackers could potentially gain access to databases of stolen vehicles and add or remove vehicles from said lists. Their full paper, Fooling The Smart City (pdf), is worth taking a look at, and highlights how a significant number of kiosks -- used for everything from ticket sales to bicycle rentals -- are also vulnerable.

The result isn't just an exponential explosion in vulnerabilities. These compromised devices are now being used in historically massive new DDoS attacks, that appear to be getting larger by the day. On the heels of the recent, record-setting 620 gigabit-per-second DDoS attack against Brian Krebs (which was fueled in part by compromised IoT devices), a new attack this week launched against a French web host peaked at an incredible 1.1 terabits per second, driven in part by -- you guessed it -- hacked security cameras.

Krebs subsequently noted this week that the source code for the IOT-fueled DDoS that took down his website has been released, all but guaranteeing that mammoth, even larger attacks fueled by not-so-smart cars, not-so-smart locks, and not-so-smart power outlets are about to become the norm.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: brian krebs, ddos, hackable, iot, speed cameras


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Mr Big Content, 4 Oct 2016 @ 3:34pm

    But These Wonderful Gadgets Are GUARANTEED Secure

    Their for, anybody who hacks into them is icto fapso a TERRORRORIST!!!

    link to this | view in thread ]

  2. icon
    Pronounce (profile), 4 Oct 2016 @ 4:03pm

    Internet Kill Switch

    I'm sure there are those looking to use some real world catastrophe to justify legislating an Internet Kill Switch. Maybe these DDoS attacks will be that impedes.

    link to this | view in thread ]

  3. identicon
    bob, 4 Oct 2016 @ 4:05pm

    prepare for the contests and glory

    Looks like the race is on to see who can send the largest DDOS attack.

    Kind of reminds me of speed week at the Utah salt flats.

    I'll put Guinness World Records on notice.

    link to this | view in thread ]

  4. icon
    That One Guy (profile), 4 Oct 2016 @ 5:22pm

    "But... that's illegal!"

    I for one don't believe a single word of it, I mean everyone knows that hacking is illegal, and as such no-one ever does it. Why would companies spend time and money protecting against a mythical threat that never happens when The Law is protection enough.

    If, for the sake of argument you accept that despite The Law making such actions illegal people and groups still do them(impossible I know, but bear with me) then clearly the proper response is not to burden an already unfairly burdened company by insisting on any sort of 'security', but to make the law even harsher, in the sure expectation that that will deal with the theoretical 'criminals' who are breaking the current law and hacking into the devices/services.

    link to this | view in thread ]

  5. identicon
    zulkhar nain, 4 Oct 2016 @ 10:02pm

    Re: But These Wonderful Gadgets Are GUARANTEED Secure

    ipso facto

    link to this | view in thread ]

  6. icon
    That Anonymous Coward (profile), 5 Oct 2016 @ 12:40am

    Security costs to much.
    The penalties, if they ever come, are paltry.
    We can't judge corporations for cutting corners to make money, they have to worry about shareholder value.
    The CEO might get fired if things are bad enough but the giant golden parachute makes the landing soft, and more corporations will court the CEO to make them lots of money too.

    link to this | view in thread ]

  7. identicon
    haxxo3r 1000, 5 Oct 2016 @ 2:00am

    it's a feature

    SV has not done a single innovative thing since the mid 90's when they got DARPA and DoD money and they have been working to retard innovation and progress ever since, thanks poindexter and bush 1 for starting the stupid

    link to this | view in thread ]

  8. identicon
    Anonymous Coward, 5 Oct 2016 @ 4:57am

    Re: Re: But These Wonderful Gadgets Are GUARANTEED Secure

    Its a parody post, ie: intentionally stupid as it mocks certain other posters

    link to this | view in thread ]

  9. identicon
    Lurker Keith, 5 Oct 2016 @ 5:05am

    Watch_Dogs = what not to do, not something to copy

    Watch_Dogs was a game, not an instruction manual. If anything, it was a WHAT NOT TO DO demonstration. The entire point of Watch_Dogs was that a "smart" city was the worst idea ever AND would be a hackers' playground.

    Why does the world keep taking entertainment things making fun of what not to do, & treat them as a guide on how to do things? Shouldn't they have learned SOMETHING by now?

    Seriously, what sane anything could copy Ubisoft, at this point, anyway?

    link to this | view in thread ]

  10. identicon
    Anonymous Coward, 5 Oct 2016 @ 5:55am

    Re: Watch_Dogs = what not to do, not something to copy

    In Watch_Dogs, the character has access to the back door of every device in the city. With some of the actual devices, it is impossible to install a back door, but only because they do not have any walls.

    link to this | view in thread ]

  11. identicon
    Anonymous Coward, 5 Oct 2016 @ 6:49am

    Hackable drones?

    Surely I can't be the first to have thought of this.

    (This just in.)

    Oh, wait! Hollywood got there first, in 2014, with 24: Live Another Day.

    link to this | view in thread ]

  12. icon
    Whatever (profile), 5 Oct 2016 @ 7:30am

    Karl, there is a very basic difference between a "hacked" device and one that can have it's normal functionality access remotely: What you can do with it.

    Unless someone specifically changed the firmware on the cameras or otherwise changed the software that it is running, they can only do what the device could do to start with. For the traffic cameras, that means seeing the video portion including it's location information.

    Turning it into a DDoS bot would require a big step up the ladder to actually change the unit's basic function, such as blindly sending the video feed to a given IP (to create junk traffic). That would require a hack much beyond just noting a lack of a password.

    Again, good try, but just like with cable, you seem to be beating the IoT drum a little to hard and often.

    link to this | view in thread ]

  13. identicon
    I.T. Guy, 5 Oct 2016 @ 8:36am

    Re: Watch_Dogs = what not to do, not something to copy

    As I ponder getting WD2... That's exactly what came to mind.
    http://www.ign.com/videos/2016/09/23/15-minutes-of-watch-dogs-2s-high-tech-gadgets

    Are we not that far away?

    link to this | view in thread ]

  14. icon
    Oa.sys (profile), 5 Oct 2016 @ 8:55am

    Re: Watch_Dogs = what not to do, not something to copy

    I'm a little sad I was beaten to the punch, here. But hey, on the bright side this means Dedsec will show up any day now to save us, right?

    Right?

    link to this | view in thread ]

  15. identicon
    Caroline, 6 Oct 2016 @ 1:34am

    Re: "But... that's illegal!"

    And what about foreign countries that hack your speed camera's for ddos attacks, how will they react on a harsher law?
    My guess: NOT

    link to this | view in thread ]

  16. identicon
    Anonymous Coward, 6 Oct 2016 @ 6:29am

    Re:

    Yeah, that would never happen, nothing to see here - move along.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.