The Municipality of The Hague identified a growing issue regarding the privacy and security risks of vulnerable IoT devices that could impact its citizens. There are webcams streaming from sensitive locations to the world, such as in children’s bedrooms, often without their owners’ knowledge. Vulnerable connected devices could make you a part of a global botnet, abused for all kinds of malicious purposes. In addition, more advanced equipment such as solar panel control systems could even cause a local blackout when abused on a large scale.
Together with Cybersprint, the Municipality developed the Smart City Cyber Resilience monitor to measure the size and potential impact of this problem. This resulted in a real-time dataset of potentially exploitable devices that could impact both the privacy and safety of the citizens of The Hague. Still, the biggest challenge is yet to come: how can we warn the owners and get the devices secured?
“In the physical world, it is taken for granted that the Municipality addresses social challenges and risks for its citizens. The Hague also takes this responsibility in the digital world by addressing privacy and security risks for its citizens.”
The Municipality of The Hague invited more organizations with experience on this subject to join the discussion: the Prosecutor’s Office, TU Delft, Zerocopter, and the Dutch Institute for Vulnerability Disclosure (DIVD) joined Cybersprint to tackle the problem of vulnerable IoT devices. What once was simply a piece of hardware has become a potential weapon in the growing problem of cybercrime. When a criminal takes control of your camera and uses it in a large-scale distributed denial of service attack (DDoS) against a financial institution, are you complicit in the attack? Should the Prosecutor’s Office, Police, and provider proactively warn the citizens of crimes waiting to happen?
What Happens When a Device Is Not Updated
If (or more likely: when) a device is not updated, it poses a security risk. Users might not be aware of these risks as nobody is warning them, there is no mechanism (yet) to inform consumers of security best practices for these devices.
When a device does get hacked, several organizations come into action to warn the provider that one of their users participates in online attacks, leading to the shutdown of the internet connection of that user. Being disconnected because of a vulnerable IoT device can have a lot of negative consequences. To prevent such scenarios, the IoT device security lifecycle diagram aims to gather and combine all relevant guidelines, standards, technologies, and organizations for solving these challenges.
The Hague is a front-runner in cyber security. Since 2017, the ‘Hâck The Hague’ event has been organized where hackers are challenged to hack the Municipality’s digital infrastructure and the environments of some of its suppliers. The events have drawn attention from hackers worldwide. Moreover, they have made an impact by discovering security weaknesses in various commonly used software and hardware products, making the Municipality more cyber resilient. In 2021 the next edition of Hâck The Hague will be organized. Click here for a first impression on HTH2021.
Still a Lot of Vulnerabilities
Today, there are around 3200 vulnerable IoT devices within The Hague. Around 2000 are consumer devices like open cameras, home storage devices, and misconfigured routers. An open camera means that the camera is listed on public websites showing live streams of unprotected devices. Out of the 3200 vulnerable devices, 220 devices are control systems for physical devices such as solar panels, which could have a serious impact on physical security if compromised.
TU Delft has deployed a monitor to track infected IoT devices in the Netherlands and has identified which devices are being exploited by criminals. As of August 2020, more than 4,000 IoT devices were infected in the Netherlands with malware supporting DoS attacks. Only around 2 percent of these were located in The Hague. These devices are under the control of cybercriminals who misuse. While the majority of infections correspond to surveillance devices such as security cameras and digital video recorders, it is only a matter of time before malware developers target additional vulnerable devices, underlining the need for effective security measures.
This article originates from: https://emagazine.one-conference.nl/iot-security-and-privacy-risks-in-a-smart-city/