Are smart city transport systems vulnerable to hackers?
It wasn’t so much the word, but its position that caused New Jersey photojournalist Lori Nichols to turn her car around on a highway near Atlantic City close to midnight to snap a photo.
The word was lit up in bulbs on a freestanding temporary sign – the type that normally says “road work ahead” or “slow down”.
The NJ.com reporter wrote a story about it the next day.
The sign stayed that way for several hours, she says. “When I had a chance to call the local police department, Hamilton Township in Atlantic County, it was around noon or 1pm, a person I spoke to did chuckle a little bit when I asked about the sign.
“He said that a few people had called in the morning about it, so I would feel comfortable saying the sign remained that way for at least eight hours but probably more like 10 or 12,” she says.
Yet, the prankster who seemingly gained easy access to an unlocked panel at the back of the sign could have typed out “mass shooting ahead” or “terrorist threat in area”, and produced an entirely different outcome.
And this was just one sign without any connectivity to the cloud. Imagine if hundreds of signs controlled centrally had been compromised. That could have created large-scale chaos.
Cybersecurity experts say we won’t have to imagine for much longer. It’s only a matter of time before hackers become interested in smart city transportation clouds.
Taking control of parking, traffic lights, signage, street lighting, automated bus stops and many other systems could be appealing to bad guys from many walks of life including political activists and terrorists.
Moscow has already experienced its first major transportation hack, albeit to make a serious point about security.
Denis Legezo, a researcher with Kaspersky Lab, was able to manipulate traffic sensors and capture data simply by looking up a hardware user manual that was readily available online from the sensor manufacturer.
A similar story comes from Cesar Cerrudo, the chief technology officer at security company IOActive Labs, who found vulnerabilities in systems used in the US, UK, France, Australia and China.
There’s a scene in Die Hard 4 where hackers create chaos by manipulating traffic signals with a few keystrokes. It’s not that easy, Mr Cerrudo wrote in a blog in 2014.
Even so, he discovered that it would have been possible to create havoc using cheap computer hardware.
Mr Cerrudo says: “I don’t think now we are seeing many attacks, maybe some isolated attacks on lower maintained systems. But everything indicates that in the future they will become common because cyber threats are continually evolving.
“As technology gets widely adopted, cybercriminals get more familiar with it and get more resources. Maybe they attack transportation systems and say, ‘If you want to keep running the system you have to pay up.'”
Since his “experiment” more than two years ago, there has been a huge investment in expanding smart city transportation technology around the world. America is no exception.
Columbus, in Ohio, was the recent winner of a $50m (£37.5m) prize offered by the US Department of Transportation. Prepaid cards and apps could allow residents to commute via bus and then arrange car and bicycle-sharing rides if needed.
The groundwork has already started, says Jeff Ortega, a spokesman for Columbus: “The city recently completed construction of the Traffic Management Center, which is a high-tech area that can manage and monitor traffic signals around the city together with a $76m upgrade of traffic signals.”
It is hoped emergency vehicles will be able to speed though intersections unhindered in the event of a major incident, and that more specialised bus routes can be offered to help low-income families get easier access to healthcare facilities.
Ultimately, it will mean a complex mix of new hardware and software that is secure enough to please city officials and the public.
Columbus has already been offered software from Sidewalk Labs, which shares the same parent company as Google, Alphabet.
But in return for top-notch security, it’s possible the “FLOW” transportation planning platform could have conditions attached, for instance an agreement that Sidewalk Labs share ownership of the data generated by the city and the right to process every transaction though its own payment system.
That idea raises many questions about the future control of cloud-based systems. Neither party would comment directly on the issue, pointing out that no contracts have been signed.
In Kansas City, Missouri, the new RideKC Streetcar runs 2.2 miles and is free to use.
The Smart City project also includes in-street parking sensors, which allow car owners to find spaces near the streetcar route, and cameras placed on lamp posts that monitor traffic conditions and trigger brightness controls on nearby lights if a pedestrian enters the area.
Kansas City made a conscious decision to make as much data as possible public. However, that doesn’t mean everything has to be stored in one location in cyberspace, says Tom Gerend, executive director at Kansas City Streetcar Authority and chairman of the Smart City Advisory Board.
“The cloud is used to store data from the Smart City installation [camera data, streetlights, and so on] but not for streetcar vehicle specific systems. Generally, we have separate services for the individual sub-systems and then aggregate and pool data that we want to make publicly accessible.”
But Von Welch, director of Indiana University’s Center for Applied Cybersecurity Research, says there will be a bumpy road ahead as transportation hardware manufacturers start incorporating security measures into their products, often for the first time.
“We have a lot of companies making new devices for the [urban] Internet of Things that have not made computers or written software before. They are having to re-learn a lot of the lessons that the rest of the information technology industry learned over the past 20 years,” Mr Welch says.
This includes how to respond promptly to security threats and gather information about bugs that the public may report.
And IOActive’s Cesar Cerrudo says cities and governments around the world have to get their act together as well, particularly when it comes to the cloud and building systems that are multi-layered and supposedly strong enough to keep all but the most determined intruders out.
He says: “Governments are not enforcing cybersecurity in many ways. Vendors don’t have any reason to provide more secure solutions because governments do not test the security. They just have a checklist and believe whatever the vendors say.”
Mr Cerrudo warns that there is nothing smart about building a city that has the latest transportation technology, but leaving the infrastructure wide open to anyone who fancies a quick snoop around – or worse.