Smart Cities Can Get Smarter in Protecting Residents

LinkNYC Wi-Fi kiosk on the street in New York City

LinkNYC Wi-Fi kiosk on the street in New York City littlenySTOCK / Shutterstock.com

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By John Michelsen
 

Connecting state and local government leaders

By John Michelsen

|

COMMENTARY | As cities and residents race to become more connected, we must consider how to protect public and private digital property.

Cities face increasing environmental pressures and infrastructure needs, along with growing demands from residents to deliver a better quality of life and to do so at a sustainable cost. Enter the smart city.

Smart cities encourage people to use transit during off-hours, change routes, use energy and water more efficiently, and reduce the strain on the healthcare system through preventive self-care. The result is not only a more livable city, but also a more equitable and productive place for people and businesses to operate.

Los Angeles. Chicago. Boston. New York. Las Vegas. Houston. San Francisco. As of 2018, 11 of the top 50 Smart Cities in the world were U.S. cities. And the number of smart cities continues to grow.

There are two necessary elements in developing a successful smart city that come together to build the necessary connectivity: standardized Wi-Fi and mobile devices.

Personal mobile devices already hold tons of our own and our families’ personal and financial data, as well as company information. As smart city solutions grow and connect with each passerby every day, imagine the amount of data and information found in the phones and apps of smart city residents and businesses. 

We protect our personal computers with antivirus, firewalls, VPNs, anti-spyware and every anti-X solution we can find. However, very few people do the same with their mobile devices, and only one smart city has taken the extra step of protecting its residents.

Hackers know this, making the mobile device the easiest attack vector to fully compromise an individual, organization or smart city.

The overwhelming majority of attacks—by our estimates, over 90%—start with the most used feature on a mobile device: the Wi-Fi connections. Unfortunately, Wi-Fi relies on mostly insecure protocols and standards, making them easy to impersonate or intercept, mislead and redirect traffic. When residents set their phone or laptop to automatically use the open WiFi at your local coffee shop, an airport, your cable-slash-telecom company or a major chain restaurant, there’s a good chance they could end up prey to hackers looking to monitor their online activity, or worse.

Most individual mobile users are completely unaware their devices are being attacked because there are very few, if any, telltale signs their device has been compromised. However, even the most cognizant users still have reason for concern. Every IoT device using the WiFi infrastructure in the smart city—traffic lights, sensors, public building entry systems and more—is susceptible to an attack.  

Every day, our company, Zimperium, detects six hundred million events. We process the most relevant events as network attacks and create what we call the Danger Zone—a real time map that can warn and prevent you from connecting to malicious WiFi networks. We separate these attacks into three types: low, elevated and critical threats.

In addition to your favorite coffee shop, restaurant and retailer offering free WiFi, most smart cities are offering free public WiFi to residents and citizens. Based on data from our mobile security application, zIPS, we are able to see how municipal and other WiFi networks have become a platform to stage an attack.

San Francisco’s public WiFi is straightforward (it's called SFWifi). The number of attacks we identified on this network over the course of the previous year was staggering: 1,619 on low threats and 47 critical threats on SFWifi. Low end threats are only potentially harmful, consisting of techniques attackers use to find possible victims and user proximity to potentially harmful connections. Critical threats, however, are when we know someone is compromising the data coming from the device.

While this is only a fraction of the more than 75,000 WiFi threats we detected through our zIPS users moving through San Francisco (most of these threats are imitating private WiFi providers), it illustrates the risks inherent in building public sector-provided digital services. And, as this data shown is specific to just WiFi attacks, it is conservative (in comparison to all of attacks) since only a percentage of the population uses zIPS.

Overall, this map of where we have detected and prevented attacks shows the prevalence of WiFi vulnerabilities and threats to mobile users: red is a critical threat, orange is elevated and yellow is low.

This is a problem that is far from unique to San Francisco: it’s a reality for every modern, connected urban space.

One city has taken action to attempt to resolve the tension between the explosion of “smart city” services and the security concerns of the modern connected city. In July 2017, Mayor de Blasio established New York City Cyber Command, charged with protecting city-owned systems, which deliver critical services to New Yorkers, and helping New Yorkers become safer in their digital lives.

In August 2018, New York City Cyber Command launched NYC Secure, a free smartphone application platform that helps New Yorkers protect their phones against cyber threats by identifying and issuing warnings to users when suspicious activity is detected or they connect to an unsecure Wi-Fi network. Zimperium built the NYC Secure app with the city.

Of note, NYC Secure does not collect or transmit any information to New York City or Zimperium, maintaining trust and individual resident privacy.

Beyond NYC Secure, there are WiFi security solutions available. If adhered to, they will help residents ensure they are connecting to a legitimate WiFi, but will not protect against a host of attack techniques ranging from malware detection to anomalies in processes to phishing attacks to device compromises and malicious profiles. This is why working with the right mobile security solution is your best bet—doing so ensures every person, and therefore the city, is properly protected.

For residents and public sector employees, here are a few things we all can do to prevent these kinds of attacks:

  1. Configure devices not to automatically connect to known networks. This can be done easily on iOS, but on Android it has to be done for each network. A workaround is to delete known networks periodically.
     
  2. Advise users not to connect to open WiFi networks or networks using weak encryption protocols.
     
  3. Since users will likely ignore recommendation number two, users should avoid activities involving credentials (email, social media, bank, etc). While hackers will still see the users traffic, it means they won’t capture their credentials (although hackers are still able to perform other kinds of attacks, like directing the user to a malicious website in which the user can be tricked to install malicious apps, etc).
     
  4. Use a Virtual Private Network (VPN), which will encrypt traffic and show an attacker a nice set of nonsense characters.

John Michelsen is the chief technology officer at Zimperium.

Smart city Case Studies
Powered By
Browse The Atlas full case study database or read more case studies about Smart city.
Geelong foreshore receives smart city upgrade to improve safety and declutter public spaces
Geelong VIC, Australia
Broadband & smart city services enhance visitor experience to Australia's most popular park
Sydney NSW, Australia
Building a People-Centered Smart City: San Antonio Aligns Tech with Resident & Staff Input
San Antonio, TX
BROWSE LOCAL GOV CASE STUDIES

NEXT STORY: State drone operations on the rise

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.