Editorial N°13 – Smart city: Innovations and security

Promising a bright future, the smart city concept has become a race for innovation in which municipalities compete: connecting equipment (streetlights, traffic lights, charging stations, etc.), creating smart districts and improving environmental management (the zero-waste city) are all new attributes that focus above all on the comfort of citizens. While some places are more advanced than others, particularly the capitals of northern Europe (Copenhagen, Stockholm, Oslo) and Asian cities (Shanghai, Songdo, Tokyo, Yokohama), hyper-connection creates a certain imbalance: the progress brought by new technologies must not obscure the growth of IT risks. Every innovation has its dark side. The smart city is often conceived as a giant network capable of spying on each individual (this is already the case in some countries…).

Take the case of Singapore, which has pushed the concept of centralisation to its limits, partly thanks to its status, with only one level of governance, and to its semi-authoritarian one-party system, and where more than 80% of the population lives in publicly owned housing, as the CNIL points out. Even in highly connected countries, revolt is on the rise. “In Songdo, people are starting to disconnect because they feel constantly watched,” says Clotilde Cazamajour, a partner in the law firm Urbanlaw. Moreover, while smart cities are perceived by their promoters as a competitive tool to attract businesses, how can these cities differentiate themselves when they all use the same information technologies, whether in Oslo, Amsterdam, Dijon or Songdo? Beyond this somewhat frightening vision, there is also hyper-connection itself and the problems it causes. The connected city has become an open door to cyber attacks because the vulnerabilities of these devices are numerous: lack of encryption, lack of network segmentation, poorly configured systems, password lists shared on the network, trivial passwords on some local or domain accounts, obsolete and vulnerable systems, etc.

In 2016, Denis Legezo, a researcher at Kaspersky Lab, conducted a study on road traffic sensors in Moscow. He developed a scanner that allowed him to connect to the sensors via Bluetooth. He was able to retrieve traffic information and even send the sensors various commands. For his part, security researcher Sébastien Dudek, from Synacktiv, presented an analysis of charging stations for electric cars at the Hack 2019 conference. Each charging station forms a local PLC network with the cars connected to it. In theory, communications within each station's network are well secured using AES encryption. In reality, a design flaw in the association procedure makes it possible to collect the AES encryption keys from any station, and therefore to connect to its network. The risk is that an attacker could collect session data exchanged within a station's network. The attacker could also attempt to attack the station itself and, through a vulnerable or misconfigured service, work back into the operator’s network.

These hacking attempts perfectly illustrate the Manichean character of hyper-connection in metropolitan areas. Tomorrow, it is the hacking of artificial intelligence that we must fear. Many examples have shown how easy it is to fool, for example by modifying traffic signs… In addition to these risks of hacking, there is the problem of personal data. The explosion of Big Data increases the sometimes “abusive” harvesting of such data: for example, the Linky smart meters, which will equip about 35 million households by 2021, are particularly intrusive since they make it possible to establish each household’s schedule minute by minute. Better still: thanks to the “electronic signature” of each device, Enedis (formerly ERDF) is able to know the brand and consumption of your washing machine.

Given the constant evolution of new technologies within cities, it is likely that future cyber attacks will take on new dimensions. Faced with this situation, all stakeholders must consult one another in order to respond appropriately and limit the risks. The legislation in place can already serve as a regulatory framework for condemning acts of hacking: GDPR, the Cybersecurity Act, the Network and Information Security (NIS) directive, etc.