Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

(Ab)using Smart Cities - the dark age of modern mobility

426 views

Published on

Opposing Force research presentation on Smart Cities security and Smart Mobility technologies penetration testing (DEF CON 24 | HITB GSEC Singapore 2016)

  • Be the first to comment

(Ab)using Smart Cities - the dark age of modern mobility

  1. 1. Matteo  Beccaro |  Matteo  Collura Singapore  – August  26th,  2016
  2. 2. About  us  || § Matteo  Beccaro § Founder &  Chief  Technology  Officer  at  Opposing  Force § The  first  Italian  company  specialize  in  offensive  physical  security § Twitter:  @_bughardy_  |  @_opposingforce § Web:  www.opposingforce.it
  3. 3. About  us  || § Doc.  Matteo  Collura § Bachelor  of  Science  in  Electronic  Engineering § Currently  studying  “Nanotech  for  ICT” at  Politecnico di  Torino § Twitter:  @eagle1753
  4. 4. Starting  from  May  2016,  we  are,   with Opposing  Force, members  of
  5. 5. Agenda  || § What  is  a  smart  city? § Smart  transport  systems § Smart  parking  meter § Bike  sharing § Public  transport § What’s  next?
  6. 6. Agenda  || § What  is  a  smart  city? § Smart  transport  systems § Smart  parking  meter § Bike  sharing § Public  transport § What’s  next?
  7. 7. What  is  a  Smart  City?
  8. 8. let’s  focus  on..
  9. 9. Smart  Transportation  Systems
  10. 10. Smart  transportation  systems  || § Smart  traffic  control § Smart  parking   § Smart  street  lighting § Smart  public  transport  system
  11. 11. taxonomy  for  smart transportation  systems
  12. 12. Citizens Smart  Traffic  Control Smart  Lighting  Control Smart  Transportation Smart  Parking  System
  13. 13. Smart  Traffic  Control Smart  Lighting  Control Smart  Transportation Smart  Parking  System Citizen
  14. 14. going  into  details…
  15. 15. Smart  transportation  systems  || Private transport Shared transport Public transport
  16. 16. Smart  transportation  systems  ||Physical  world  data Physical  world  data
  17. 17. Agenda  || § What  is  a  smart  city? § Smart  transport  systems § Smart  parking  meter § Bike  sharing § Public  transport § What’s  next?
  18. 18. Smart  parking  meter  – case  study  || MCU USB  port Display  port
  19. 19. Smart  parking  meter  – case  study  || Firmware  analysis: § No  integrity  checks § No  encryption  or   obfuscation § DFU  can  be  easily   obtained
  20. 20. Smart  parking  meter  – case  study  || Firmware  analysis  results: § Attackers  can  upload  a     malicious  firmware
  21. 21. Smart  parking  meter  – case  study  || Debug  interfaces: § JTAG  port § SWD  port § Debug  traces
  22. 22. Smart  parking  meter  – case  study  || CLIENT  DOMAINEDGE  DOMAIN CLOUD  DOMAIN USB GSM NFC
  23. 23. Smart  parking  meter  – case  study  || CLIENT  DOMAINEDGE  DOMAIN CLOUD  DOMAIN No  data   validation Trust  in  the  Edge  Device  provided  information
  24. 24. Smart  parking  meter  – case  study  || Communication  analysis: § No  integrity  checks § No  encryption § No  authenticity   checks
  25. 25. Smart  parking  meter  – case  study  || 𝐹𝑒𝑒 = 𝑝𝑟𝑖𝑐𝑒   𝑝 𝑒𝑟   𝑡 𝑖𝑚𝑒   𝑢 𝑛𝑖𝑡 ∗ 𝑓𝑎𝑟𝑒   𝑓 𝑟𝑒𝑞𝑢𝑒𝑛𝑐𝑦 ∗ 𝑒𝑙𝑎𝑝𝑠𝑒𝑑   𝑠 𝑒𝑐𝑜𝑛𝑑𝑠 3600   𝑠 𝑒𝑐𝑜𝑛𝑑𝑠 + 𝑚𝑖𝑛𝑖𝑚𝑢𝑚   𝑓 𝑒𝑒 Usually  set  to  0 Displayed Not  displayed Displayed
  26. 26. Agenda  || § What  is  a  smart  city? § Smart  transport  systems § Smart  parking  meter § Bike  sharing § Public  transport § What’s  next?
  27. 27. Bike  sharing  – case  study  || Step  1. Step  2. Step  3.
  28. 28. Bike  sharing  – case  study  || Step  1. Step  2. Step  3.
  29. 29. Bike  sharing  – case  study  || Access  method: § Mobile  application § NFC  card
  30. 30. Bike  sharing  – case  study  || Mobile  application: § No  obfuscation § Hardcoded  vendor   credentials § Multiple  SQL  Injections
  31. 31. Bike  sharing  – case  study  || NFC  card: § MIFARE  Ultralight § UID  based § UID  is  also  printed   on  the  card
  32. 32. Bike  sharing  – case  study  || Step  1. Step  2. Step  3.
  33. 33. Bike  sharing  – case  study  || Physical  issue: § The  hook’s  sensor  is  not  very   precise § Unlock  a  bike  and  slowly   remove  it  from  the  hook § The  sensor  is  still  detecting   the  bicycle..
  34. 34. Bike  sharing  – case  study  || Physical  issue: § It  can  be  detected  by  the   central  system  IF I. The  bike  is  left  to  an  other   station II. A  bike  is  hooked  to  the   previous  station
  35. 35. Agenda  || § What  is  a  smart  city? § Smart  transport  systems § Smart  parking  meter § Bike  sharing § Public  transport § What’s  next?
  36. 36. Public  transport  – case  study  || Two  existing  systems “Online”  system“Offline”  system
  37. 37. Public  transport  – case  study  || Offline  system § Lock  Attack § Time  Attack
  38. 38. Public  transport  – case  study  || Lock  Attack § Abuse  MIFARE  Ultralight   functionality § Set  OTP  page  in  read-­‐only   mode § No  rides  are  removed Page Address Byte  # DEC HEX 0 1 2 3 0 0x00 UID 1 0x01 UID 2 0x02 UID Internal Lock   Bytes Lock   Bytes 3 0x03 OTP From  4  to 15 0x04  to  0x0F Data
  39. 39. Public  transport  – case  study  || Time  Attack § Abuse  of  multiple  rides   tickets § Reverse  engineer  the   stamping  date § Update  the  stamping  date   without  removing  rides
  40. 40. Public  transport  – case  study  || Online  system § Replay  Attack
  41. 41. Public  transport  – case  study  || Replay  Attack § Use  of  UID changeable  tickets  or   emulators § Bypass  “software”  encryption § Very  difficult  to  fix
  42. 42. Agenda  || § What  is  a  smart  city? § Smart  transport  systems § Smart  parking  meter § Bike  sharing § Public  transport § What’s  next?
  43. 43. smart  city  surveillance..
  44. 44. smart  water  management..
  45. 45. smart  city  lighting  system..
  46. 46. smart  traffic light  system..
  47. 47. …a  city?
  48. 48. Any  question? Don’t  be  shy..
  49. 49. engage@oposingforce.it  |  www.opposingforce.it  |  @_opposingforce

×