Security flaws have been found in major city infrastructure such as flood defences, radiation detection and traffic monitoring systems.
A team of researchers found 17 vulnerabilities, eight of which it described as "critical".
The researchers warned of so-called "panic attacks", where an attacker could manipulate emergency systems to create chaos in communities.
The specific flaws uncovered by the team have been patched.
“If someone, supervillain or not, were to abuse vulnerabilities like the ones we documented in smart city systems, the effects could range from inconvenient to catastrophic,” wrote Daniel Crowley, from IBM’s cyber research division, X-Force Red.
"While no evidence exists that such attacks have taken place, we have found vulnerable systems in major cities in the US, Europe and elsewhere.”
The team plans to explain the vulnerabilities at Black Hat - a cyber-security conference - on Thursday.
It warned that a hacker could manipulate emergency systems to remove protections designed to protect or warn citizens about catastrophic events, creating a "panic attack".
Hawaii false alarm
A taster of what might occur came in January this year, when an alert warning Hawaiians of a missile attack was mistakenly sent out. In that instance, it was poor design of the system, coupled with human error, that created hysteria lasting around 38 minutes.
That incident prompted the X-Force Red team, along with cyber-security start-up Threatcare, to launch a probe looking at smart city defences.
They apparently weren’t the only ones. During the course of the team’s research, they found details of a flaw that an unknown hacker had discovered and seemingly inadvertently posted online.
“They tried to keep it for themselves,” Mr Crowley told the BBC.
"They appear to have failed. [But] it tells us that there are other people looking at these things, and not so that they can get them fixed.
"What they're doing with them, I don't know. But we're not the only ones looking.”
US director of national intelligence Dan Coats warned last month that the country was seeing daily cyber-attacks from Russia, China, Iran and North Korea.
“The warning lights are blinking red,” he said, adding that infrastructure targets were a focus for all four countries.
The team behind this latest research focused on three companies that make hardware for smart cities: Libelium, Echelon and Battelle. All three were receptive to the team’s discoveries, Mr Crowley said.
The researchers are now calling on city administrators to bring in outside expertise to test and assess the security of smart systems.
Threatcare’s Jennifer Savage told the BBC she felt politicians should be mindful of the fact that citizens are not given an individual choice over which of these technologies they use.
“In my own home I can choose not to have an [Amazon] Alexa if I want, I can choose not to have all these 'internet of things' devices - or I can choose very carefully which ones I want to trust.
"But when I walk outside my door and I'm in the city, suddenly I'm surrounded by choices other people have made for me."
She added: “As a security researcher I would like more input into what's getting deployed in my own city and the ability to review it and feel secure about the decisions that my city is making."
Follow Dave Lee on Twitter @DaveLeeBBC
Do you have more information about this or any other technology story? You can reach Dave directly and securely through encrypted messaging app Signal on: +1 (628) 400-7370