Security experts reveal hidden dangers in the devices that help run neo-modern cities.

You see a flash of orange out of the corner of your eye in downtown Portland, Oregon. It’s not the fall leaves, but instead the city’s new bike share program—bright orange bikes for rent in some of Portland’s busiest neighborhoods.

To sign up, you can use a smart kiosk on the streets, just like some of the kiosks popping up so you can pay for parking, buy movie tickets, and even use a public toilet, in some places.

These kinds of kiosks, however, may be vulnerable to crooks. And a new report from security researchers shows people using smart city kiosks should be worried.

“Yes, absolutely,” said Denis Makrushin of Kaspersky Lab to Archer News. “You need to be aware, when you use a public device—kiosk—that it could potentially have been compromised by a cyber criminal.”

That credit card number you just entered, along with your personal info, may be on its way to the black market.

Hackable

Smart kiosks are computers. Did the developers take precautions to keep crooks from raiding these computers that often sit out, unattended, day and night?

Cybersecurity researchers Denis Makrushin and Vladimir Dashchenko found that many kiosks are hackable, along with other building blocks of the new smart city. 

In some cases, crooks could simply walk up and tap the keyboard until they get past the kiosk function and get into the inner workings of the system, according to the research.

Credit card slot at smart kiosk.

What do they want?

In the case of bike rentals, the attackers might start with the customer database.

“Such a database would have an especially high market value, since it contains verified e-mail addresses and phone numbers,” the researchers wrote.

The crooks could install malware that will intercept your data as you enter it, or they might even add their own credit card number entry form to the kiosk screen, according to Makrushin and Dashchenko.

“It is highly probable that users deceived by the cybercriminals will enter this information alongside their names, phone numbers and e-mail addresses,” they said. 

What can you do?

Don’t enter the full details of your payment card, recommended Makrushin.

“Don’t provide your CVV2/CVC2 card number, as this is not required to make a payment in a kiosk,” he said. “If you have the opportunity to pay with cash, take it.”

The CVV2—card verification value 2—and CVC2—card verification code 2—are the security numbers printed on the back of most credit cards.

Some smart city systems—like Portland’s bike share program, BIKETOWN—allow you to make payments through the program website, which would allow you to avoid the kiosk.

Archer News contacted BIKETOWN to ask about its cybersecurity. The company that runs BIKETOWN, Motivate, referred us to its technology provider, Social Bicycles. Social Bicycles founder Ryan Rzepecki said he is reaching out to the company CTO in Europe for information.

BIKETOWN’s privacy policy reads, “We maintain administrative, technical and physical safeguards designed to protect the personal information you provide against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use.”

Bike-sharing smart kiosk in Portland, Oregon.

Not just kiosks

Other smart city devices are vulnerable, too, according to the researchers.

Some taxis have screens installed for riders.

“Passengers in the back seat can use these devices to watch advertising, weather information, news and jokes that are not really funny,” the researchers said.

Also not funny—the fact that researchers found that attackers can hack in and remotely control the camera, snapping pictures or making videos.

“A successful attack can disrupt a terminal’s operation and cause direct financial damage to its owners,” they said. “Additionally, a hacker can use a compromised terminal to hack into others, since terminals often form a network.”

“After this, there are extensive possibilities for exploiting the network—from stealing personal data entered by users and spying on them (if the terminal has a camera or document scanner built into it) to stealing money (if the terminal accepts cash or bank cars),” they added.

Speed cameras

The researchers also investigated traffic cameras that can track the flow of cars, and in some cases, detect if you’re breaking the law.

They discovered speed cameras with no protection.

“Imagine our surprise when we realized there was no password and the entire video stream was available to all Internet users,” they said. 

That may not seem critical at first, but the researchers said criminals could also reprogram the cameras at will—perfect for a post-crime getaway.

“They can disable vehicle detection on some or all lanes along their route or monitor the actions of law-enforcement agents chasing them,” Makrushin and Dashchenko said.

They could also get in to law enforcement databases of stolen cars and add or delete the vehicles they want, according to the researchers.

Why so vulnerable?

Smart cities are developing faster than security tools, according to Makrushin and Dashchenko.

“The developers of some vulnerable devices are fixing the issues, but not as fast as possible,” Makrushin said.

When they do create a fix or a patch for each of the kiosks or devices, they have to find a way to implement it.

“And this can be impossible to achieve for all devices from an architectural point of view,” he said.

Challenges

Running a smart city can be challenging. Running it securely, even more so.

Cities add new layers of technology on top of old, said Gary Hayslip, chief information security officer for the City of San Diego.

“First, cities are massive and they never throw out any information,” he wrote on Dark Reading Monday. “That means that there is data being stored on outdated technology from 20 years ago that might not be secure; obviously, 20 years ago, no one was concerned about being hacked.”

 Also, cities never shut down.

 “San Diego runs 24 hours a day, 7 days a week, and 365 days out of the year, which means that from a security standpoint, you can’t take the network offline or rip and replace old technology with new technology without interrupting the daily business operations of the city and its people,” he said in his post.

Staying smart

A smart city is more than just kiosks and speed cameras.

In Barcelona, Spain, for example, sensors monitor garbage levels in city waste bins to optimize garbage truck routes. Sensors in pavement tell drivers where to find open parking spots. If a street is empty at night, street lights will dim to use less energy.

Barcelona puts smart sensors on some streetlights to allow them to dim if the street is empty.

“The number of new devices used in the infrastructure of a modern city is growing gradually,” Makrushin said. “These new devices, in turn, connect to other devices and systems.”

“For this environment to be safe for the people who live in it, smart cities should be treated as information systems whose protection requires a customized approach and expertise,” he said.”

San Diego’s information security chief recommended that cities assess their networks, identify security gaps, adopt new policies and procedures to fill the gaps, and create a comprehensive security program.

Even with these steps, smart cities will need to be on guard for years to come.

“It’s taken me nearly three years to get a complete picture of San Diego’s overall security posture, and the one thing I can’t reinforce enough is that the security lifecycle never ends; you will always be assessing for risk, which means you will always be monitoring your network,” Hayslip said.