A Security Dilemma for Smart Devices
Wireless-connected devices offer financial benefits for local governments, but they come at a price.
In 2009, three men got their hands on one of San Francisco’s smart parking meters and in three days were able to break into its electronic system and figure out how to use the meter without paying. The hackers weren’t thieves but part of a group of security researchers who wanted to find the weaknesses in this promising new technology.
Smart parking meters are growing in popularity. Dozens of cities, including Chicago, Los Angeles, New York, San Francisco and Washington, D.C., have launched smart meter pilot projects or full-scale deployments. Overall, cities spent $1.8 billion on smart parking meters in 2014, according to RnR Market Research, and it’s easy to see why.
Payments are electronic, so human coin collectors are no longer necessary. Motorists like them, not just because it’s easier to pay with credit cards and/or smartphones, but because the meters can alert drivers when a parking space is free. Governments like them because the technology allows them to adjust the cost of the parking space depending on the time of day, while also feeding the city a steady stream of data about use and revenue for analysis.
Smart parking meters can do this because they have computer microchips and are connected wirelessly to the Internet. But as the hackers from San Francisco showed, the security for these devices can also be compromised -- sometimes quite easily.
In January, the Federal Trade Commission (FTC) issued a report calling for strong data and privacy protection for the growing number of devices connected to the Internet. Without better safeguards built into the devices, serious security and privacy risks could undermine confidence in the devices and sensors. About 4.9 billion consumer, manufacturing and utility connected devices are in use now, according to Gartner, a technology research firm. That number is expected to rise to 25 billion by 2020.
While the report primarily focused on consumer confidence in everything from home thermostats to wireless health devices, the same concern applies to government -- especially local governments. Besides smart parking meters, cities are installing sensors and cameras in a growing range of locations -- from buildings to street lamps -- that do things like monitor air pollution and traffic as well as surveillance for public safety.
The nation’s 2,000 municipal utilities are also eager to use Internet-connected smart meters to measure water and electrical use, as well as monitor the flow of electricity and water and help spot problems quickly. More than 40 percent of utilities hope to have smart meters installed in the next three years, according to Greentech Media Research.
But Internet-connected utility meters and sensors are vulnerable to security breaches too. In 2012, the Federal Bureau of Investigation warned that smart meter hacking may cost utility companies $400 million a year. Most of the problems involved meter fraud, where hackers digitally break into the meters and are able to reduce power bills substantially, but some fraudsters managed to fake readings so that electricity bills showed no power consumption at all.
Experts say the reason security is a problem lies in the tiny computers embedded in the devices. Their processing power is limited compared to a laptop or even a smartphone, and there’s often only rudimentary security software in place to protect the data. When these devices are connected to the Internet, hackers can exploit the security flaws online and commit fraud or steal data from afar.
The hackers who broke into the smart parking meters found none of the information on the microchip was encrypted, which made it easy to unlock the data and commit possible fraud. In 2014, HP Security Research released a report that found 70 percent of the most popular smart devices are vulnerable to being hacked or compromised.
The FTC has called for companies to institute security measures as part of their development process for Internet-connected devices and sensors, “rather than as an afterthought.” Government should also make sure they buy and use the best technology when it comes to using Internet-connected devices, says Dan Lohrmann, a former chief security officer for the state of Michigan and an executive with Security Mentor, Inc.
If governments want to reduce the risk of a security flaw in a smart meter project, they need to make sure they research the technology and educate themselves on the issues concerning Internet connected devices.
“This is a fast-moving phenomenon, so government CIOs and public officials should begin establishing policies around these devices now,” said Lohrmann. “Don’t wait.”
The one thing government shouldn’t try to do is ban the use of Internet-connected devices. Government has tried to do that before -- with bringing tablets and smartphones to work -- and it hasn’t worked, explained Lorhmann.
“Any attempt to hold back the use of new technology will lead to camps of resistance,” he said. “It’s better to get in front of the issue through polices and best practices."