'Modern cities' may make up thousands of different components that keep people safe and convenient, but they also come with huge vulnerabilities, new research from Kaspersky Lab has found.
Digital kiosks, interactive terminals and even speed cameras are vulnerable to attacks, putting people at risk - and the researchers have proven it through a number of experiments.
The resarchers found that many kiosks used to pay for services and entertainment are full of bugs and vulnerabilities that could be used to expose private information. Speed cameras aren't immune, as they found hackers can access cameras and manipulate the data.
“Some public terminals we've investigated were processing very important information, such as user's personal data, including credit card numbers and verified contacts (for instance, mobile phone numbers),” said Denis Makrushin, security expert, Kaspersky Lab.
Many of these terminals are connected with each other and with other networks. For an attacker they may be a very good surface for very different types of attacks – from simple hooliganism, to sophisticated intrusion into the network of the terminal owner," Makrushin continues.
The amount of devices used in modern cities doesn't end there, with movie theater ticket terminals, bike rental terminals, government organisation self-service kiosks, and airport kiosks all run a Windows or Android-based device, offering hackers easy access to terminals.
Hackers can then load or block access to functions, launch virtual keyboards and web browsers, offering full control of a public kiosk and giving direct access to hidden operating system features.
The company cites one example in which a terminal contained a 'print' command at an e-government kiosk. Attackers could intercept the print window and gain access to the help dialogue. This could allow access to the control panel and eventually compromise the entire system for malware, printed document information and more.
"We believe that in the future public digital kiosks will become more integrated in other city smart infrastructure, as they are a convenient way to interact with multiple services. Before this happens, vendors need to make sure that it is impossible to compromise terminals through the weaknesses we've discovered," Makrushin says.
Kaspersky researchers also demonstrated how speed cameras can be exploited using a Shodan search engine. IP addresses can be accessible from the web, and some aren't even password protected, allowing full control to almost anyone with internet access.
“In some cities, speed control camera systems track certain lines on the highway - a feature which could be easily turned off. So if an attacker needs to shut down the system at a certain location for a period of time, they would be able to do that," says Vladimir Dashchenko, security expert, Kaspersky Lab.
"Considering that these cameras can be, and sometimes are, used for security and law enforcement purposes, it is really easy to imagine how these vulnerabilities can assist in crimes like car theft and others. It is therefore really important to keep such networks protected at least from direct web access,” Daschenko concludes.