Cities are installing smart sensors, connected rubbish bins and networks of cameras at an amazing rate. The rush for the “Smart City” is on. As they install devices, cities must be cautious of the increased vulnerability to attack that leaving hardware in public can cause.
On every street corner, cameras and sensors are being installed. These networks are built to improve a city’s quality of life. They improve public safety with cameras, can monitor air quality and sense the weather.
In order to combat the wiring requirements of a city wide network, operators have turned to wireless networks. I’ve seen Firetide’s wireless mesh used locally, however there are a number of similar systems. These systems are usually placed on a city’s telephone poles and communicate wirelessly from pole to pole.
This type of mesh networking router will often have a number of ethernet ports, which are used to connect sensors and cameras. For example, a Firetide 7020 box has 3 Ethernet ports. However, these aren’t the same as the ports on your desktop computer. They carry power as well as data. This is known as Power over Ethernet (PoE). PoE lets you use a single cable to power and communicate with a camera, connected display or VOIP phone. This makes designing and installing networks much simpler.
Like any other ethernet port, PoE can be used as a way to access the network. Placing routers in public with exposed PoE ports lets anyone just walk up and plug in a computer. If these devices were physically locked or hidden from the public, this way of accessing the network would not work.
To take advantage of these exposed ports I’ve put together a custom linux computer can be attached to these routers. This type of device is known as a Dropbox. They are usually plugged into ports within building, however this device is designed to work outside. While other drop boxes use batteries or wall adaptors, this device was built specifically to connect to and be powered by Smart City routers.
The infiltration device is a dropbox that is attached to an exposed Power over Ethernet port. It contains a small Linux computer that can host a WiFi network. It’s powered using PoE and is custom built hardware. It’s affectionately named Edgar, after the famous poet Edgar Allan Poe.
Unlike other dropboxes, Edgar doesn’t need to be plugged into mains or rely on limited battery power. It takes its power from the target router’s PoE port, as a result you can place a computer within the target network indefinitely.
Edgar fits in a small, inconspicuous box. The device would not look out of place on telephone pole, which reduces chance of physical discovery.
Running the Attack
The installation of Edgar is the hardest part of the attack. It’s hard to be inconspicuous when accessing hardware that is meters in the air. Installing the device during business hours with high visibility clothing would be your best bet or, you could do it dressed as a ninja late at night.
Since Edgar would be placed in public, the attacker can simply set up, leave, and come back to grab the data from its WiFi network. Additionally, a 3G dongle can be easily added for remote access.
Edgar can support a number of security testing tools, such as nmap, ettercap, netcap, snort, openVAS. These let you sniff the network for sensitive data, access the sensors/cameras on the network, and even capture admin passwords.
Besides information gathering, this device could stage various attacks. An example would be when Washington D.C’s CCTV footage was scrambled and held for ransom. Additionally, research by Hioureas & Kinsey suggested that attackers could black out cameras and replace live video with pre-recorded data in order to misdirect police and destroy evidence of a crime.
City institutions, State/Federal Agencies and Police departments operate these city wide networks. This type of network infiltration could be used as a platform to launch further breaches.
Any number of different attacks could be carried out on network that hasn’t been setup correctly. However, there are a number of ways to mitigate the risks.
How to Stop this Attack
City institutions, State/Federal Agencies and Police departments operate these city wide networks. This type of network infiltration could be used as a platform to launch further breaches. Operators must be aware of the dangers of exposed hardware. They must physically lockdown their devices, configure their hardware correctly, and have tools on their networks to detect these types of attacks.
Physical security is often neglected. This could be a budget limitation or seen as unnecessary. However, this is the biggest deterrent to this form of attack. Make sure your equipment has no openly accessible ports and is in a locked box or behind a locked door.
Modern hardware comes with security measures that allow for ports to be disabled. These security measures are often turned off by default. Forgetting to tick a checkbox can allow these attacks to occur. Once this security failure is present it’s hard to block malicious devices from gaining access to the network.
Another approach is to use software to detect intrusions as they occur. These systems can catch suspicious behaviour within the network as it happens. When someone has accessed your network, in any way, the next thing they will do is try to maintain access and become an administrator. It is vital that you detect and contain the intrusion as it is detected.
Smart Cities will bring many advantages to the residents they serve. They can make us safer, get us to work quicker, and better inform us about our environment. As the networks expand around us those operating them need to pay attention to their security.
The method presented in this post can be mitigated through a combination of simple fixes. Hopefully this raises awareness of the dangers of poorly implemented networks.
This article covers the high level aspects of a network infiltration technique for the connected smart cities. The next post will follow my development and technical challenges in creating the Edgar dropbox.