tisements targeted to us for blood pressure medications based on heart-rate readings from our
smart watches, or ads for anti-insomnia drugs based on data collected about what time we
usually turn off our IoT-based lighting systems.
As people start to use more IoT devices that they want to integrate and automate using
platforms and frameworks provided by companies such as Google and Apple, information col-
lected from various sensors in these devices will become available. This data, which will be
used for marketing and stored across multiple cloud architectures, will be a gold mine for
malicious agents who have previously been limited to gathering data from online platforms
such as email and social networking sites. Besides privacy concerns, the ability of a threat
agent to tamper with this information may have health or physical safety implications if the
altered information is consumed by other IoT devices. It is likely that such violations of secu-
rity and privacy will frighten and enrage customers, who will demand the ability to granularly
track what data is being collected and how it’s being used, and the ability to opt out.
Targeting Smart Cities
In May 2013, security researchers Billy Rios and Terry McCorkle hacked into the building con-
trol system of Google’s Australian headquarters. The building was found to use the Tridium
Niagara AX platform, which allows administrators to remotely control physical security
alarms, physical access, and heating and air conditioning systems. They were able to obtain
access by using the default administrator password of anyonesguess. This password was
stored in a configuration file that the researchers obtained by exploiting a vulnerability in the
system that exposed this information to unauthenticated users. Tridium systems are popular
around the world, and the researchers claimed to have been able to use the Shodan tool to
locate more than 25,000 such systems exposed to the Internet.
Besides industrial-grade connected systems like those exploited by Rios and McCorkle, we
are starting to see a substantial increase in adoption of consumer-grade IoT devices such as
the ones explored in this book thus far. The concept of the smart city (also discussed in Chap-
ter 7) combines the use of industrial- and consumer-grade IoT devices to effectively manage
energy, healthcare, transport, and waste across a geographical location: smart parking meters
and traffic lights in communal spaces coexist with consumer-grade IoT devices installed in
homes and directly configurable by citizens (such as lighting, door locks, and cars).
Researcher Cesar Cerrudo’s paper “An Emerging US (and World) Threat: Cities Wide Open to
Cyber Attacks” covers attack vectors against industrial-grade connected devices that will sup-
port the upcoming emergence of the smart city. Currodo’s research and the devices presented
in this book will set the stage for attack vectors encompassing smart cities based on various
categories of interconnected devices and services.
Efforts by society to construct smart cities are likely to include a curated selection of inter-
connected devices to provide for consistency and scalability. This brings the drawbacks of mono
culture into the discussion. In living species, an advantage of monoculture is low variability
TARGETING SMART CITIES 245