We've been doing a lot of stories lately about civic infrastructure. We did one this week on the energy grid in North America. And it all comes back to this idea that we have a very, very big problem. Our infrastructure, the thing that we count on to deliver all of the things that we need to maintain our society (electrical power, energy, water, all of those things), is incredibly rigid and incredibly vulnerable.

I've done a lot of stories on nation-state-sponsored hackers that are totally embedded into our infrastructure. We know they're there. The question is, what are they doing there? Is that gathering intelligence, or is that a dress rehearsal for a greater threat? And what would happen if that infrastructure was brought to a halt? And so rather than inundate you with surveys, studies, stories, I do that through the week.

One of the things that opened my eyes was an interview I did with an ethical hacker, Nick Aleks, as he walked us through civic infrastructure through the eyes of a hacker. I'd say, "I hope you enjoy this," but I think that would trivialize it. Take a look at it and see what you think.

You arrive in a city. Any other visitor would have come in by plane, or even train, or maybe they drove in. If you're a regular tourist, you probably see the downtown, the city hall, other civic buildings. You might see the office towers, the neighborhoods. And there may be parks and even a waterfront. And you're thinking about seeing the sights: restaurants, clubs, museums, galleries, sports facilities. All the things there are to do. Not for you. You're a different type of visitor. You're a hacker. You didn't even need to arrive physically, although you might be there. What's your first view of the city? Nick, what do you think?

Yeah, that's a great perspective to have.
What does a hacker see when they look at a city and its infrastructure? Some of the things I see are very familiar. I see networks, computers, data, very juicy data. But I see some unique things. I see capabilities, whether they're digital only or physical. The way I would look at a city is first by doing a network scan: seeing what open Wi-Fi networks I have around me, what physical ports are open. Once I start lingering inside the network, are there any IP cameras available? Do they have default credentials enabled? Is it possible to view the city from the same systems used to protect it? Are there gates, bollards, fences that can be remotely operated through web applications? These are all the sorts of things that I would be looking at when putting on my hacker hood inside of our new modern cities.

And we always see this on TV, but you're saying you could actually pick up the cameras. You could actually, realistically, think about getting into a camera network and viewing what was happening around the city.

Yes. As a penetration tester, I go through the proper, ethical channels of evaluating smart infrastructure, critical infrastructure, OT and IoT devices. The exact same vulnerabilities and infrastructure misconfigurations that we have on our office networks and data centers are present, and, if I must say, even in a worse condition in some of our critical infrastructure components. Think about some of the recent trends and activities that we've been seeing with hospitals, libraries, casinos, and hotels, all facing ransomware incidents and attacks. Hackers are already in these networks, and they're seeing that they are essentially a playground. There are endless targets to choose from. The networks are massive and the impacts are equally as massive.
Now, why would a bad actor target some of our cities? Number one, because you've got access to a plethora of data about tenants, employees, folks who are inside some of these buildings and institutions. But you've also got these capabilities of remotely unlocking essentially the front door or the gates to gain physical access into some of these facilities. Some of the other reasons why bad actors have been targeting a lot of our infrastructure is also to use it as launching points for pivoting to other targets. Think of setting up an entire malicious botnet by just compromising the same vulnerability in all of the IP cameras in a particular facility, and then all those IP cameras being used to launch a DDoS attack against your true targets. So there's a lot of different reasons why bad actors would jump into some of these networks.

Wow. So we've taken a look at the camera infrastructure, and I presume we're not going to share enough to tell anybody how to do this sort of thing, but I presume most of it you're counting on. They're just default passwords, pretty easy to get past?

A lot of the time. Default passwords are the way in which I get into a lot of these networks, and particularly cameras. But there's a lot of cameras out there that are running very old firmware versions. They're very outdated. They've got critical vulnerabilities that are just sitting there unpatched. And a lot of our third- and fourth-party suppliers that provide these IoT or OT technologies to some of our facilities don't have an incentive to patch them. And so, whether it's default credentials or just really low-hanging-fruit vulnerabilities that have had known CVEs for years, these are some of the ways in which we get into some of these smart IoT and OT devices.
Can you, besides controlling these IoT devices, launch to somewhere else in the network from there? Or is it just really playtime with those devices?

Yeah. Bingo. It's not just compromising the confidentiality, integrity, or availability of those particular systems themselves. Because a lot of these networks are very flat and they're not isolated from one another, it's really easy for a bad actor to laterally move from an IP camera to a local security guard workstation to the local BAS, building automation systems, within a network, because there aren't a lot of these best practices of segregation between some of these networks. So lateral movement is pretty prevalent.

And you talked about just doing a regular scan from around, but a friend of mine who's also a security guy just loved to check out the local Wi-Fi networks because they were so easy to get into. I presume people in coffee shops and using Wi-Fi all around are at least pretty easy to get into and start to pick up the traffic that's going back and forth to the city office itself.

So there's multiple different entry points, Wi-Fi being one of them. A lot of the networks might be freely available to local customers or tenants or employees. Bluetooth is another big way in which bad actors can get into these networks. And one of the techniques that I've used is just running a Shodan search for a particular geography and a facility. This is how you can essentially get to the heart of a lot of these IoT devices through a public-facing IP address.

More and more, I guess, we have all of the systems that run transit, traffic, all of that sort of thing. Are they vulnerable as well?

100%. These transit and traffic systems, a lot of them are connected with IP in their back ends, but they'll also use radio frequency technology.
As we all know, the Flipper Zero is getting a lot of coverage right now for being banned here in Canada. And I've got my own thoughts about that policy decision, but radio is also a really big technology used in a lot of our critical infrastructure, and certain technology isn't thinking about some of the attack avenues in which a bad actor will manipulate either wireless protocols or physical access to some of these systems, because a lot of these critical junction boxes, smart meters, they've got just a tiny little insecure lock. And so if you can't get into it wirelessly or remotely, sometimes just having a little lock pick is another way in to a lot of these server rooms and racks. And that's where you can easily plug in something like a Raspberry Pi that phones home to your command and control server. And from there, you're able to laterally move through the network, because you've breached that trusted boundary, which is just a small little tiny lock.

These are really tiny and relatively cheap and yet sophisticated computers.

Yep. And they're pretty discreet as well, especially when you put a little piece of tape on them that says "IT. Do not remove."

Oh, gosh. Yeah. That's like walking around with a clipboard. Nobody's going to stop you. Or I guess it's a tablet now; you walk around with a tablet instead of a clipboard.

Yep.

But there's a lot of other technology that the pen testers are using now to evaluate the facilities.
It's not just the Raspberry Pis. You talked about the Flipper. Can we just chat about that for a second? Then we'll move on to the other ones, because the Flipper's made the news. It's been outlawed by the Canadian government because supposedly you could hack a car with it, provided your car was from the 1990s or earlier. Those things are relatively easily available still, right?

Yes. I have to give it up to the folks who developed the Flipper Zero. They built out a product that was really easy to use and easy to advertise and market on things like TikTok, where I'm sure some of the politicians and folks who have banned it first got wind of it. But the actual technology behind the Flipper Zero is essentially just a radio. These are things that we've had for a while in the hacker community: HackRF, YardStick Ones, SDRs, software-defined radios. These are all technologies that are also out there that aren't banned, which could be used to break into a lot of our radio-frequency-supported infrastructure. Now, cars, especially modern ones, use rolling codes, which make it really hard for just a Flipper Zero that's not using active jamming to break into a vehicle. But that doesn't mean that device, or using radio frequency tools to do replay attacks, isn't going to open up a gate or a bollard that has a static code associated with it. So doing these radio frequency replay attacks is also another way that bad actors can try to manipulate their digital and physical surroundings.

Another great one that I absolutely love using in a lot of these smart building facilities is drones. Drones are a little eye in the sky. They can even have a Raspberry Pi associated with them, so I don't have to be in the parking lot with my laptop trying to break into the wireless network. I can just fly a drone from a kilometer away, drop it on top of the roof of the facility, start running some scans and start capturing some packets. Drones are also another great way to break into some of these smart buildings.

Wow. Before we get to the buildings, and I do want to get there, the whole municipal infrastructure is generally based on ways that serve the citizen, either through websites where you sign up for hockey games, all those sorts of things.
How vulnerable are most of those systems?

They're pretty vulnerable, the ones that I've seen. At least, a lot of these systems don't have security as a top requirement when they're being built out and developed, and they tend to have a lot of outdated vulnerabilities and misconfigurations. A lot of the time there's not a lot of budget with some of these projects, and they'll bring in third-party contractors or firms to quickly, rapidly build out a prototype, which then tends to go into production and be used. And these applications that store customer information need to really think about how to secure it from an encryption perspective, and how to even try to detect an attack or malicious activity that could come from a bad actor scanning it or trying to abuse any of their endpoints. But yeah, I tend to see that a lot of these applications are vulnerable to just some of the basic attacks that pen testers will use.

Stepping back a little bit more on our tour, you've got all of these operational facilities. One of the ones I've read a lot about is water treatment facilities. All of those automated facilities like that seem to be fair game and are being attacked. There've been a number of attacks on water systems and other places. And this is serious stuff. We depend on these things to function well, to provide us with fresh water and other services. Relatively easy to get to, relatively easy to get into, it seems.

Yeah. Some of these systems, these PLC controllers that are connected to workstations, they've got a lot of vulnerabilities associated with them. Now, I know that there are vendors in this space that do their best to patch some of these systems, such as Siemens and other vendors that operate in these spaces. But these are prime targets for nation-state hackers. They are looking for ways to break into our critical infrastructure to cause damage to Canadians. And these vendors are really going up against a group of hackers who are well funded, who have all the patience in the world, and who really are motivated to get into some of these facilities from a strategic perspective. And so it's really a difficult problem. It's a tough job to have that sort of adversary to be defending yourself against.
And it's really going to take a collective approach of inviting the hackers to continuously test some of these critical infrastructure components that run our water, our lights, our hydro, but then also collaborating with the public sector and the private sector.

I don't want to miss one point. And that is, so many of our buildings now are smart buildings. Does that create the vulnerability that I think it does?

Yes, it does. And this is definitely my specialty, smart buildings. They are all the rage here in Toronto. Just like a car with all of its bells and whistles and features, consumers are actively engaged and looking for the next best iPhone and looking for that sort of technology chase in their everyday life, whether it be in vehicles or in what we're now seeing, an increasing adoption of smart buildings. What folks don't understand is that a lot of these smart buildings are not really thinking about security as a top priority. They come with a lot of different technologies, a lot of different IoT devices that are all interconnected in a flat network, just like in some of the civic and critical infrastructure items that we discussed. But they don't have the big IT security departments; that awareness is not there at the condo board levels. They don't really know what the impacts could be if their smart building were to be hacked, and worse yet, they probably wouldn't even know if a bad actor was in their smart building network until it was too late. Some of the biggest impacts and risks that smart buildings face: obviously the information about the tenants can be exfiltrated. It can be complete ransomware of the facility itself. Think about an elevator that's shut down while there are folks inside of it, and a ransom note pops up on the smart screen saying, "Pay this amount of money in Bitcoin, or else I'm not opening up this elevator for you." There could be real equipment damage as a part of some of these smart building attacks, reputational damages, and even risk to the safety or lives of the tenants and employees in these buildings. I think that it's not going to become a top-of-mind concern for a lot of tenants and manufacturers until something really bad happens and it's too late.
And you've talked about flat networks, which I presume means the networks where people can travel horizontally. They can get from one device to the other very easily. Nothing's segmented off, so that you easily skip from one place to another. And that's normally how hackers come in. They'll come in and they'll find various places, check things out, spend a long time there and figure everything out so they can mount a mass attack in there. And I don't want to be an alarmist or anything, but is it possible that somebody would be thinking about getting a number of buildings that they were going to command and execute that all at once?

A lot of these networks are just ripe for the hacking, and they are open and flat. And we've seen a lot of bad actors in the past use this method of collecting a bunch of compromised targets, either through malware or actively exploiting vulnerabilities, to launch these massive botnet attacks. So I wouldn't be surprised if there are a lot of bad actors that are already in some of these smart buildings, sitting there, collecting data, waiting for the right opportunity to potentially launch an attack against a target of theirs. It's a difficult problem. I think that one of the things that folks should really look at is continuously monitoring and detecting for anomalies in these networks, but there's nothing stopping a bad actor from sitting in a network for a really long time.
The other thing with cities: I was talking to somebody, a CISO for quite a large firm, and I was talking about the fact that I live in a very small town. There's still a lot of manual, there's still a lot of paper around here, and I was laughing about the security-by-obscurity type of thing. He said, "Don't kid yourself." He said a lot of these smaller towns could be equally impacted by an attack. So it's not just a big city thing. This is something where most civic infrastructures are vulnerable.

So let's take off the hacker hoodie for a minute and go through this, because I don't want to leave everybody with this. But I did want to give that assessment, because I think it's a fair one: that our cities are far more vulnerable than we think, and the smarter they get, the more vulnerable they are. What are the things that most should be done in civic infrastructure? What would you do first, putting on your "Nick the defender" hat this time?

The first thing that I would do is really, as I mentioned before, build that collaboration piece. This is not a problem that can be solved by any one particular party. I think that building awareness with tenants, consumers, developers, system integrators, and operators of some of these facilities is going to take time, but we need to work together in order to do it. So putting together the right forums and the right committees, and having more events like this, are really the first step in solving this crisis.

Okay. So getting that discussion and getting people involved in it, getting, as you said, hackers or people who've got the expertise to actually understand the vulnerabilities of the systems, getting those discussions going. What are the next things that people should be doing?
Yeah. Some of the other things that folks should be doing, especially on the smart building side, is just ensure that default credentials are not set on a lot of these IoT devices.

Okay. Just change the default password.

That's one of the lowest-hanging fruit that allows even some of the most junior of hackers to get into a network and really cause havoc. So ensure that devices are configured properly and also kept up to date. When a vendor, third party, fourth party, does push out a patch, take the time out to upgrade some of these devices. Finally, as you're looking to move from your smart building to another smart building, follow the best practices for how to wipe your data, properly clean it up, do factory resets. That's also really important. You want to make sure that you're always cleaning up your data and also requesting that your data be deleted if some of these smart systems are collecting it and putting it into the cloud.

I think from a developer and system integrator perspective, as I mentioned, bringing in hackers is really great throughout the process, but think about security from day one. And I think that if you are building technology that's going to go into a lot of our critical infrastructure facilities, water treatment plants, or you're building technology for smart buildings, thinking about security from day one means doing a threat modeling exercise. That's where you map out what your solution or what your system looks like, talking about what the data flows look like, what the different user roles are. But then think about what could go wrong. I ask everyone to put on their hacker hood and think about the worst possible case scenarios of, okay, how could we compromise the confidentiality of the system, the integrity, or the availability of it, and try to address that in your final product or in your system.

And then please invest in patching and upgrading these systems once they're out there in the wild. We need to get out of this vicious cycle of just shipping a really poor product that's insecure, and instead of fixing it, saying, "Oh, we've got the 2.0 version, which you should buy instead, which has a little bit better security." That's something we really need to break. And I think we need to start voting with our wallets when it comes to vendors that really take security seriously here.
Yeah. And for your OT, or your operational technology, that sort of technology that you've got out there, people should be doing reviews of these to see what security enhancements are possible. I know there's been a lot of work done to bridge the OT gap. These systems are no longer as unprotected as they can be, unless you've got old ones, or maybe you're just not investing the time or the money to upgrade them. Is that something that people should be looking at as well?

Yes. Yeah. 100%. Take the time out, take the energy to invest in security for our OT systems. Bring in a fresh set of eyes on the problem as well. And then bring in the hackers that are used to breaking into them and let them tell you exactly where and how they do that. This is going to allow us to fall forward on this sort of problem rather than staying stagnant. So that would be my best advice.

That was my conversation with Nick Aleks. I hope you enjoyed it. Let me know what you think. Thanks for spending part of your weekend with us. We'll be back to you on Monday morning.