The document discusses security vulnerabilities in smart city transportation systems, including private parking meters, bike sharing systems, and public transit payment tokens and machines. It finds that parking meter tokens can have their configuration files and firmware modified due to a lack of digital signing on updates. Bike sharing tokens sent unencrypted payment information and could have funds drained. Public transit payment tokens and machines also lacked protection of sensitive data and authentication of firmware updates. The document advocates for improved security measures to prevent exploitation of these vulnerabilities.
The document describes a study that used Faster R-CNN, a deep learning approach, to detect road objects like vehicles, pedestrians, and traffic signs in Bangladesh. The researchers collected images to train a neural network to identify 19 object classes. Their model achieved 86.42% accuracy and was able to detect objects in various lighting and traffic conditions, though it struggled when objects were extremely close together. The study aims to help analyze traffic and potentially assist autonomous vehicles in Bangladesh.
Iirdem design and analysis of a smart helmet gsm based system against drunken...Iaetsd Iaetsd
1) The document describes a smart helmet system that uses an alcohol sensor and helmet sensor to prevent engine ignition if the rider is not wearing a helmet or has alcohol on their breath above the legal limit.
2) The system includes a helmet unit with sensors that transmit data via radio frequency to a bike unit, which controls the engine. If the sensors detect no helmet or high alcohol, a message is sent to authorities.
3) The goal is to reduce accidents from drunk or unhelmeted driving by automatically preventing engine ignition in unsafe conditions.
This document summarizes a major project report submitted by Abhilash Dandotiya and Sarthak Agrawal for their Bachelor's degree in Electronics and Communication Engineering. The project is titled "SMART HELMET" and aims to design a helmet that can autonomously detect accidents using a transmitter and receiver circuit along with a microcontroller. The microcontroller used is an ATMEGA 8 chip. The project involves designing printed circuit boards for the transmitter and receiver, interfacing a GSM module, and programming the microcontroller with C language to send SMS messages in the event of an accident detection.
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблюPositive Hack Days
Ведущий: Маттео Беккаро (Matteo Beccaro)
Доклад посвящен общим вопросам транспортной безопасности, мошенничества и технологических сбоев и будет интересен как профессиональным пентестерам, так и любителям. Докладчик рассмотрит несколько серьезных уязвимостей в реальных транспортных системах, в которых используется технология NFC, и продемонстрирует открытое приложение для тестирования таких систем со смартфона.
Smart Traffic Management System using Internet of Things (IoT)-btech-cse-04-0...TanuAgrawal27
This document presents a final year project report on developing a smart traffic management system using Internet of Things (IoT) technologies. It aims to optimize traffic light timing based on real-time vehicle counting data from road sensors. The proposed system would use sensors, microcontrollers, and cloud computing to monitor traffic flow and congestion at intersections, and dynamically adjust light durations on each lane accordingly. This is expected to reduce traffic delays and minimize commuting costs compared to traditional fixed-time traffic light systems. The report outlines the hardware, software, methodology, algorithms, and challenges of implementing such an IoT-based smart traffic management system.
This document describes a MEMS-controlled accident reporting system that uses an accelerometer and GPS to detect vehicle accidents. When an accident occurs, the accelerometer detects vibrations and sends a signal to an ARM controller. The microcontroller then enables an airbag and sends a message with the accident location from the GPS to emergency contacts via GSM. The system aims to reduce response times and save lives by quickly notifying emergency services and relatives of accidents.
Vehicle to Vehicle Communication using Bluetooth and GPS.Mayur Wadekar
This document is a project report on vehicle to vehicle wireless communication using Bluetooth and GPS. It describes a system developed by four students to enable vehicles to share location data with each other using onboard GPS receivers and Bluetooth transmitters. The system aims to improve road safety by allowing vehicles to be aware of other nearby vehicles' positions. The report outlines the objectives, methodology, system components, implementation, performance analysis and applications of the proposed vehicle communication system.
This document is a PhD dissertation defense from Lara Codeca at the University of Luxembourg on dynamic vehicular routing in urban environments. The dissertation addresses two main research questions: 1) What is the impact of dynamic rerouting on traffic congestion in urban settings? 2) How can testing tools and a realistic traffic scenario be used to evaluate dynamic routing? The dissertation presents a selfish traffic optimization approach using dynamic rerouting that is able to mitigate the impact of traffic congestion on a global scale. It also describes the development of the Luxembourg SUMO Traffic scenario, a new general-purpose traffic scenario built to validate simulation results in a realistic urban environment.
The document describes a study that used Faster R-CNN, a deep learning approach, to detect road objects like vehicles, pedestrians, and traffic signs in Bangladesh. The researchers collected images to train a neural network to identify 19 object classes. Their model achieved 86.42% accuracy and was able to detect objects in various lighting and traffic conditions, though it struggled when objects were extremely close together. The study aims to help analyze traffic and potentially assist autonomous vehicles in Bangladesh.
Iirdem design and analysis of a smart helmet gsm based system against drunken...Iaetsd Iaetsd
1) The document describes a smart helmet system that uses an alcohol sensor and helmet sensor to prevent engine ignition if the rider is not wearing a helmet or has alcohol on their breath above the legal limit.
2) The system includes a helmet unit with sensors that transmit data via radio frequency to a bike unit, which controls the engine. If the sensors detect no helmet or high alcohol, a message is sent to authorities.
3) The goal is to reduce accidents from drunk or unhelmeted driving by automatically preventing engine ignition in unsafe conditions.
This document summarizes a major project report submitted by Abhilash Dandotiya and Sarthak Agrawal for their Bachelor's degree in Electronics and Communication Engineering. The project is titled "SMART HELMET" and aims to design a helmet that can autonomously detect accidents using a transmitter and receiver circuit along with a microcontroller. The microcontroller used is an ATMEGA 8 chip. The project involves designing printed circuit boards for the transmitter and receiver, interfacing a GSM module, and programming the microcontroller with C language to send SMS messages in the event of an accident detection.
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблюPositive Hack Days
Ведущий: Маттео Беккаро (Matteo Beccaro)
Доклад посвящен общим вопросам транспортной безопасности, мошенничества и технологических сбоев и будет интересен как профессиональным пентестерам, так и любителям. Докладчик рассмотрит несколько серьезных уязвимостей в реальных транспортных системах, в которых используется технология NFC, и продемонстрирует открытое приложение для тестирования таких систем со смартфона.
Smart Traffic Management System using Internet of Things (IoT)-btech-cse-04-0...TanuAgrawal27
This document presents a final year project report on developing a smart traffic management system using Internet of Things (IoT) technologies. It aims to optimize traffic light timing based on real-time vehicle counting data from road sensors. The proposed system would use sensors, microcontrollers, and cloud computing to monitor traffic flow and congestion at intersections, and dynamically adjust light durations on each lane accordingly. This is expected to reduce traffic delays and minimize commuting costs compared to traditional fixed-time traffic light systems. The report outlines the hardware, software, methodology, algorithms, and challenges of implementing such an IoT-based smart traffic management system.
This document describes a MEMS-controlled accident reporting system that uses an accelerometer and GPS to detect vehicle accidents. When an accident occurs, the accelerometer detects vibrations and sends a signal to an ARM controller. The microcontroller then enables an airbag and sends a message with the accident location from the GPS to emergency contacts via GSM. The system aims to reduce response times and save lives by quickly notifying emergency services and relatives of accidents.
Vehicle to Vehicle Communication using Bluetooth and GPS.Mayur Wadekar
This document is a project report on vehicle to vehicle wireless communication using Bluetooth and GPS. It describes a system developed by four students to enable vehicles to share location data with each other using onboard GPS receivers and Bluetooth transmitters. The system aims to improve road safety by allowing vehicles to be aware of other nearby vehicles' positions. The report outlines the objectives, methodology, system components, implementation, performance analysis and applications of the proposed vehicle communication system.
This document is a PhD dissertation defense from Lara Codeca at the University of Luxembourg on dynamic vehicular routing in urban environments. The dissertation addresses two main research questions: 1) What is the impact of dynamic rerouting on traffic congestion in urban settings? 2) How can testing tools and a realistic traffic scenario be used to evaluate dynamic routing? The dissertation presents a selfish traffic optimization approach using dynamic rerouting that is able to mitigate the impact of traffic congestion on a global scale. It also describes the development of the Luxembourg SUMO Traffic scenario, a new general-purpose traffic scenario built to validate simulation results in a realistic urban environment.
This document summarizes a paper on practical attacks against HomePlugAV powerline communication devices. It begins by providing background on powerline communication technology and discussing the HomePlugAV specification. It then describes analyzing HomePlugAV networks using various tools to understand the protocols and encryption. The document outlines several practical attacks demonstrated, including intercepting network keys, bruteforcing passwords, and gaining remote memory access on devices once on the network. It concludes by discussing future work areas like firmware analysis and authentication message fuzzing.
This document is a project report that describes the design and implementation of a microcontroller-based password protected home appliance. The system uses an ATmega8 microcontroller to control a keypad, LCD display, buzzer, and relay. When the correct four-digit password is entered on the keypad, the relay activates to power the appliance and a message is displayed on the LCD. If an incorrect password is entered, the buzzer sounds and access is denied. The report provides details on the hardware components, software code, and circuit diagrams.
This thesis examines the wireless security of mobile applications, with a focus on banking apps, on the Android platform. The author conducted a static code analysis of apps on the Google Play Store and found widespread security flaws in how apps validate SSL certificates for secure connections. To address false positives from the static analysis, the author developed a method using dynamic code analysis and manual log file analysis to identify the critical code sections for certificate validation. The goal is to evaluate security and reduce false positives from the static analysis tool.
This document provides a literature survey of security threats in mobile ad hoc networks (MANETs). It begins by describing different types of wireless networks and standards. It then discusses the features, vulnerabilities, and applications of MANETs. The document analyzes security threats from each layer of the protocol stack: physical, link, network, and transport. Specific attacks like eavesdropping, jamming, and wormholes are examined. Finally, the document provides an overview of using agents and multi-agent systems to address wireless security challenges.
This document presents a final report on quality of service parameters for internet service provision in Europe. It discusses what users want from the internet in terms of speed, reliability and cost of access. It then outlines various technical aspects that affect quality of service, such as downstream and upstream performance and latency. Finally, it proposes a set of 21 parameters to measure ability to connect, downstream/upstream connectivity, cost, and other factors like outages. The parameters were developed through interviews with internet service providers and other stakeholders. The goal is to provide individuals and businesses tools to evaluate the quality of service they receive from their internet provider.
A prototype of IOT Car Parking System that allows drivers to effectively find the vacant parking spaces is been designed and implemented in this report . By periodically learning the parking status from the sensor networks deployed in parking lots, the drivers are allowed to access this information with their personal communication devices and exactly know which parking slots are vacant. This particular application uses internet of things for accessing the information with their mobile phones. This system has the potential to simplify the operations of parking systems, as well as alleviate traffic congestion caused by parking searching and would definitely make people follow the traffic rules and ensure safety. The developed system is reliable, low cost and user friendly
1) The document describes a TCP traffic monitoring and debugging tool created as a bachelor's thesis project. The tool aims to help cloud providers better understand application needs by determining metrics and statistics of TCP connections.
2) Key aspects of the tool include inferring important TCP connection variables like congestion window, combining these with socket-level traffic logs, and a Linux kernel module. Sendbuffer advertising is used to test the tool's accuracy in detecting application-limited connections.
3) The tool seeks to identify network problems by monitoring TCP connections and determining the limiting factor (bandwidth, latency etc.). It displays statistics like RTT, retransmissions and other counters to help cloud operators optimize traffic.
This document is a project report on a Smart Street System. It describes a system that aims to automate street lighting and enable real-time monitoring of streets. The system connects all streetlights to a central server using IoT. This allows the lights to be controlled remotely and usage to be analyzed. Sensors detect factors like light levels and motion to automatically adjust brightness or turn lights on/off. Video cameras monitor streets for unusual activities which are reported. The project aims to improve energy efficiency of street lighting and enhance security.
User-Driven Cloud Transportation System for Smart Drivingamg93
A user-driven pattern of ITS based on cloud computing technology named user-driven cloud transportation system (CTS) foe smarter user of transportation network.
The document describes the design of an autonomous vehicle (T.O.M 3.0) that can track and catch a target. The vehicle uses a Parallax Ultrasonic Ping Sensor to avoid obstacles and a CMUcam4 camera to detect and track a red-colored target. It is programmed using Arduino boards to control four motors for movement in different directions. The goals are to first locate a stationary red target and then track and follow a moving red target (RC car). PID and logic control algorithms are implemented using sensor feedback to maneuver the vehicle and achieve the tracking and catching objectives.
This thesis seeks to improve communication between a host computer and onboard peripherals of an existing low-cost robot used for teaching autonomous systems at University of Innsbruck. Several prototypes were evaluated to find the best solution, including a microcontroller board and single-board computers. The final solution uses an ATmega32 microcontroller programmed to read data from an Android phone and control the robot. Firmware was written for the microcontroller along with an Android application. This improved the robot's modularity and provides easy-to-use interfaces for students.
Master of Science in Communication Technology by Torstein Bjørnstad
With the growth of the Internet a lot of dierent services has emerged. These services
are often accompanied by some kind of security system. Since most of these services
are stand-alone systems, a whole range of dierent authentication systems have been
developed. Each using one of several kinds of authentication, with one or more proofs
of identity. The SIM card used in mobile phones is an identifying token, containing
strong authentication mechanisms. If services could utilize the SIM for authentication
it would provide both a more secure solution, in addition to increased simplicity for
the user.
This master thesis builds on a project that investigated how the security properties of
a system can be improved by adding an extra factor to the authentication process
something the user has, or more specically the GSM SIM card. That project
concluded by suggesting an overall design for a VPN Authentication System based on
the security mechanisms in GSM. This thesis continues that work by analyzing that
design, and describing the implementation of a prototype utilizing the mechanisms
available.
This document summarizes the design and development of a laser sensor interface and tire DOT code scanning software. A laser sensor was selected to scan tire DOT codes due to its ability to create distance profiles of tire surfaces. A communication interface was built using a microcontroller, RS485 transceiver, and USB-to-serial converter to connect the laser sensor to a PC. Software was developed in C++ to control the sensor and acquire DOT code scans, and image processing techniques were explored in MATLAB and OpenCV to preprocess scan data. The laser sensor interface and scanning software provide an effective solution for reading important tire information like production dates from their DOT codes.
Comparative Analysis of Personal FirewallsAndrej Šimko
This thesis describes the analysis of 18 personal firewalls. It discovers the differences in their behaviour while they are under various techniques of port scanning and Denial of Service (DoS) attacks. With port scanning, the detection ability, time consumption, leaked port states and obfuscation techniques are analysed. With using different DoS attacks, performance measurements of CPU and network adapter are taken. The potential of firewall fingerprinting based on the different behaviour across multiple products is also addressed.
Ibm mobile first in action for mgovernment and citizen mobile services redbupbechanhgmail
This document discusses how IBM's MobileFirst platform can support mobile government (mGovernment) solutions. It provides an overview of mGovernment and its advantages over traditional eGovernment. Key capabilities for a successful mGovernment implementation are also examined, including provisioning, security, governance, compliance, analytics, APIs, and the mobile application development lifecycle. The document then introduces IBM's MobileFirst portfolio and its components that address many of the capabilities needed for mGovernment, such as the MobileFirst Platform for app development, MobileFirst Protect for security, and Experience One for analytics.
This document studies machine-to-machine (M2M) communication for cdma2000 networks. It identifies key M2M characteristics and use cases. It also evaluates potential requirements and system enhancements needed to support M2M services over cdma2000 networks, including improvements to transmission efficiency, reliability, coverage, terminal management, and core network functions. The goal is to determine how cdma2000 networks can effectively support the large-scale deployment of M2M devices and applications.
This white paper discusses the evolution from circuit-switched to packet-based core networks. It notes that most modern communications, including voice calls, video, and file transfers, are delivered via packets. However, some core networks have not fully converged on packet transport, still relying on legacy circuit-switched infrastructure that is more costly and complex. The paper examines different transport technologies and argues that a fully packet-based approach using next-generation packet switches can optimize costs while improving scalability, manageability and bandwidth utilization compared to hybrid circuit-packet networks.
UMTS is the 3G cellular technology standardized in Europe. It uses W-CDMA for its air interface and builds upon the existing GSM infrastructure, making it compatible with 2G networks. The basic UMTS network architecture consists of user equipment connecting to an access network, which connects to the core network and other networks. The access network uses Node B base stations and radio network controllers. The core network uses many of the same components as GSM like mobility management.
This document describes a project that aims to demonstrate computational offloading using a robot built with Lego Mindstorms EV3 parts. The robot will perform face tracking using a webcam and offload parts of the face tracking algorithm when the CPU becomes overloaded. A GUI will allow the user to manually trigger offloading and view its effects. The project aims to explore how offloading can improve responsiveness for low-power systems like robots.
Opposing Force research presentation on Smart Cities security and Smart Mobility technologies penetration testing (DEF CON 24 | HITB GSEC Singapore 2016)
On June 14th, 2016, Matteo Beccaro (CTO of Opposing Force) discussed smart cities core technologies/systems security during the IoT TECH EXPO in Berlin.
This document summarizes a paper on practical attacks against HomePlugAV powerline communication devices. It begins by providing background on powerline communication technology and discussing the HomePlugAV specification. It then describes analyzing HomePlugAV networks using various tools to understand the protocols and encryption. The document outlines several practical attacks demonstrated, including intercepting network keys, bruteforcing passwords, and gaining remote memory access on devices once on the network. It concludes by discussing future work areas like firmware analysis and authentication message fuzzing.
This document is a project report that describes the design and implementation of a microcontroller-based password protected home appliance. The system uses an ATmega8 microcontroller to control a keypad, LCD display, buzzer, and relay. When the correct four-digit password is entered on the keypad, the relay activates to power the appliance and a message is displayed on the LCD. If an incorrect password is entered, the buzzer sounds and access is denied. The report provides details on the hardware components, software code, and circuit diagrams.
This thesis examines the wireless security of mobile applications, with a focus on banking apps, on the Android platform. The author conducted a static code analysis of apps on the Google Play Store and found widespread security flaws in how apps validate SSL certificates for secure connections. To address false positives from the static analysis, the author developed a method using dynamic code analysis and manual log file analysis to identify the critical code sections for certificate validation. The goal is to evaluate security and reduce false positives from the static analysis tool.
This document provides a literature survey of security threats in mobile ad hoc networks (MANETs). It begins by describing different types of wireless networks and standards. It then discusses the features, vulnerabilities, and applications of MANETs. The document analyzes security threats from each layer of the protocol stack: physical, link, network, and transport. Specific attacks like eavesdropping, jamming, and wormholes are examined. Finally, the document provides an overview of using agents and multi-agent systems to address wireless security challenges.
This document presents a final report on quality of service parameters for internet service provision in Europe. It discusses what users want from the internet in terms of speed, reliability and cost of access. It then outlines various technical aspects that affect quality of service, such as downstream and upstream performance and latency. Finally, it proposes a set of 21 parameters to measure ability to connect, downstream/upstream connectivity, cost, and other factors like outages. The parameters were developed through interviews with internet service providers and other stakeholders. The goal is to provide individuals and businesses tools to evaluate the quality of service they receive from their internet provider.
A prototype of IOT Car Parking System that allows drivers to effectively find the vacant parking spaces is been designed and implemented in this report . By periodically learning the parking status from the sensor networks deployed in parking lots, the drivers are allowed to access this information with their personal communication devices and exactly know which parking slots are vacant. This particular application uses internet of things for accessing the information with their mobile phones. This system has the potential to simplify the operations of parking systems, as well as alleviate traffic congestion caused by parking searching and would definitely make people follow the traffic rules and ensure safety. The developed system is reliable, low cost and user friendly
1) The document describes a TCP traffic monitoring and debugging tool created as a bachelor's thesis project. The tool aims to help cloud providers better understand application needs by determining metrics and statistics of TCP connections.
2) Key aspects of the tool include inferring important TCP connection variables like congestion window, combining these with socket-level traffic logs, and a Linux kernel module. Sendbuffer advertising is used to test the tool's accuracy in detecting application-limited connections.
3) The tool seeks to identify network problems by monitoring TCP connections and determining the limiting factor (bandwidth, latency etc.). It displays statistics like RTT, retransmissions and other counters to help cloud operators optimize traffic.
This document is a project report on a Smart Street System. It describes a system that aims to automate street lighting and enable real-time monitoring of streets. The system connects all streetlights to a central server using IoT. This allows the lights to be controlled remotely and usage to be analyzed. Sensors detect factors like light levels and motion to automatically adjust brightness or turn lights on/off. Video cameras monitor streets for unusual activities which are reported. The project aims to improve energy efficiency of street lighting and enhance security.
User-Driven Cloud Transportation System for Smart Drivingamg93
A user-driven pattern of ITS based on cloud computing technology named user-driven cloud transportation system (CTS) foe smarter user of transportation network.
The document describes the design of an autonomous vehicle (T.O.M 3.0) that can track and catch a target. The vehicle uses a Parallax Ultrasonic Ping Sensor to avoid obstacles and a CMUcam4 camera to detect and track a red-colored target. It is programmed using Arduino boards to control four motors for movement in different directions. The goals are to first locate a stationary red target and then track and follow a moving red target (RC car). PID and logic control algorithms are implemented using sensor feedback to maneuver the vehicle and achieve the tracking and catching objectives.
This thesis seeks to improve communication between a host computer and onboard peripherals of an existing low-cost robot used for teaching autonomous systems at University of Innsbruck. Several prototypes were evaluated to find the best solution, including a microcontroller board and single-board computers. The final solution uses an ATmega32 microcontroller programmed to read data from an Android phone and control the robot. Firmware was written for the microcontroller along with an Android application. This improved the robot's modularity and provides easy-to-use interfaces for students.
Master of Science in Communication Technology by Torstein Bjørnstad
With the growth of the Internet a lot of dierent services has emerged. These services
are often accompanied by some kind of security system. Since most of these services
are stand-alone systems, a whole range of dierent authentication systems have been
developed. Each using one of several kinds of authentication, with one or more proofs
of identity. The SIM card used in mobile phones is an identifying token, containing
strong authentication mechanisms. If services could utilize the SIM for authentication
it would provide both a more secure solution, in addition to increased simplicity for
the user.
This master thesis builds on a project that investigated how the security properties of
a system can be improved by adding an extra factor to the authentication process
something the user has, or more specically the GSM SIM card. That project
concluded by suggesting an overall design for a VPN Authentication System based on
the security mechanisms in GSM. This thesis continues that work by analyzing that
design, and describing the implementation of a prototype utilizing the mechanisms
available.
This document summarizes the design and development of a laser sensor interface and tire DOT code scanning software. A laser sensor was selected to scan tire DOT codes due to its ability to create distance profiles of tire surfaces. A communication interface was built using a microcontroller, RS485 transceiver, and USB-to-serial converter to connect the laser sensor to a PC. Software was developed in C++ to control the sensor and acquire DOT code scans, and image processing techniques were explored in MATLAB and OpenCV to preprocess scan data. The laser sensor interface and scanning software provide an effective solution for reading important tire information like production dates from their DOT codes.
Comparative Analysis of Personal FirewallsAndrej Šimko
This thesis describes the analysis of 18 personal firewalls. It discovers the differences in their behaviour while they are under various techniques of port scanning and Denial of Service (DoS) attacks. With port scanning, the detection ability, time consumption, leaked port states and obfuscation techniques are analysed. With using different DoS attacks, performance measurements of CPU and network adapter are taken. The potential of firewall fingerprinting based on the different behaviour across multiple products is also addressed.
Ibm mobile first in action for mgovernment and citizen mobile services redbupbechanhgmail
This document discusses how IBM's MobileFirst platform can support mobile government (mGovernment) solutions. It provides an overview of mGovernment and its advantages over traditional eGovernment. Key capabilities for a successful mGovernment implementation are also examined, including provisioning, security, governance, compliance, analytics, APIs, and the mobile application development lifecycle. The document then introduces IBM's MobileFirst portfolio and its components that address many of the capabilities needed for mGovernment, such as the MobileFirst Platform for app development, MobileFirst Protect for security, and Experience One for analytics.
This document studies machine-to-machine (M2M) communication for cdma2000 networks. It identifies key M2M characteristics and use cases. It also evaluates potential requirements and system enhancements needed to support M2M services over cdma2000 networks, including improvements to transmission efficiency, reliability, coverage, terminal management, and core network functions. The goal is to determine how cdma2000 networks can effectively support the large-scale deployment of M2M devices and applications.
This white paper discusses the evolution from circuit-switched to packet-based core networks. It notes that most modern communications, including voice calls, video, and file transfers, are delivered via packets. However, some core networks have not fully converged on packet transport, still relying on legacy circuit-switched infrastructure that is more costly and complex. The paper examines different transport technologies and argues that a fully packet-based approach using next-generation packet switches can optimize costs while improving scalability, manageability and bandwidth utilization compared to hybrid circuit-packet networks.
UMTS is the 3G cellular technology standardized in Europe. It uses W-CDMA for its air interface and builds upon the existing GSM infrastructure, making it compatible with 2G networks. The basic UMTS network architecture consists of user equipment connecting to an access network, which connects to the core network and other networks. The access network uses Node B base stations and radio network controllers. The core network uses many of the same components as GSM like mobility management.
This document describes a project that aims to demonstrate computational offloading using a robot built with Lego Mindstorms EV3 parts. The robot will perform face tracking using a webcam and offload parts of the face tracking algorithm when the CPU becomes overloaded. A GUI will allow the user to manually trigger offloading and view its effects. The project aims to explore how offloading can improve responsiveness for low-power systems like robots.
Similar to (Ab)using Smart Cities - Whitepaper (20)
Opposing Force research presentation on Smart Cities security and Smart Mobility technologies penetration testing (DEF CON 24 | HITB GSEC Singapore 2016)
On June 14th, 2016, Matteo Beccaro (CTO of Opposing Force) discussed smart cities core technologies/systems security during the IoT TECH EXPO in Berlin.
The document discusses Near Field Communication (NFC) technology and security issues related to NFC-based ticketing systems. It provides an overview of common NFC card standards like MIFARE Classic and Ultralight, describes vulnerabilities that have been found in their cryptographic protections. The document outlines a reference architecture for modern ticketing systems and examines security weaknesses in each component. It then introduces several tools that can be used to evaluate such systems, including the HydraNFC, Proxmark3, and NFCulT Android app created by Opposing Force. Attack techniques like lock, time and reply attacks are explained as ways to exploit NFC tickets and bypass validation mechanisms.
The document outlines an electronic access control workshop focusing on attacking NFC and RF-based systems. It discusses the history and components of access control systems, including tokens, readers, controllers and backends. Specific NFC card technologies like MIFARE Classic, MIFARE Ultralight and HID iClass are examined, noting many have been broken or have shared encryption keys. The document then proposes a methodology for penetration testing NFC access systems and reviews tools like HydraNFC, ProxMark3 and ChameleonMini that can emulate NFC cards or sniff RF transmissions.
Do you know how many Bluetooth-enabled devices are currently present in the world? With the beginning of the IoT (Internet of Things) and Smart Bluetooth (Low energy) we find in our hands almost a zillion of them.
Are they secure? What if I tell you I can unlock your Smartphone? What if I tell you I'm able to open the new shiny SmartLock you are using to secure your house's door? In this talk we will explain briefly how the Bluetooth (BDR/EDR/LE) protocols work, focusing on security aspects. We will show then some known vulnerabilities and finally we will consider deeply undisclosed ones, even with live demonstrations.
Collapsing Narratives: Exploring Non-Linearity • a micro report by Rosie WellsRosie Wells
Insight: In a landscape where traditional narrative structures are giving way to fragmented and non-linear forms of storytelling, there lies immense potential for creativity and exploration.
'Collapsing Narratives: Exploring Non-Linearity' is a micro report from Rosie Wells.
Rosie Wells is an Arts & Cultural Strategist uniquely positioned at the intersection of grassroots and mainstream storytelling.
Their work is focused on developing meaningful and lasting connections that can drive social change.
Please download this presentation to enjoy the hyperlinks!
This presentation by Thibault Schrepel, Associate Professor of Law at Vrije Universiteit Amsterdam University, was made during the discussion “Artificial Intelligence, Data and Competition” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/aicomp.
This presentation was uploaded with the author’s consent.
This presentation by OECD, OECD Secretariat, was made during the discussion “Competition and Regulation in Professions and Occupations” held at the 77th meeting of the OECD Working Party No. 2 on Competition and Regulation on 10 June 2024. More papers and presentations on the topic can be found at oe.cd/crps.
This presentation was uploaded with the author’s consent.
This presentation by Yong Lim, Professor of Economic Law at Seoul National University School of Law, was made during the discussion “Artificial Intelligence, Data and Competition” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/aicomp.
This presentation was uploaded with the author’s consent.
This presentation by Professor Alex Robson, Deputy Chair of Australia’s Productivity Commission, was made during the discussion “Competition and Regulation in Professions and Occupations” held at the 77th meeting of the OECD Working Party No. 2 on Competition and Regulation on 10 June 2024. More papers and presentations on the topic can be found at oe.cd/crps.
This presentation was uploaded with the author’s consent.
Suzanne Lagerweij - Influence Without Power - Why Empathy is Your Best Friend...Suzanne Lagerweij
This is a workshop about communication and collaboration. We will experience how we can analyze the reasons for resistance to change (exercise 1) and practice how to improve our conversation style and be more in control and effective in the way we communicate (exercise 2).
This session will use Dave Gray’s Empathy Mapping, Argyris’ Ladder of Inference and The Four Rs from Agile Conversations (Squirrel and Fredrick).
Abstract:
Let’s talk about powerful conversations! We all know how to lead a constructive conversation, right? Then why is it so difficult to have those conversations with people at work, especially those in powerful positions that show resistance to change?
Learning to control and direct conversations takes understanding and practice.
We can combine our innate empathy with our analytical skills to gain a deeper understanding of complex situations at work. Join this session to learn how to prepare for difficult conversations and how to improve our agile conversations in order to be more influential without power. We will use Dave Gray’s Empathy Mapping, Argyris’ Ladder of Inference and The Four Rs from Agile Conversations (Squirrel and Fredrick).
In the session you will experience how preparing and reflecting on your conversation can help you be more influential at work. You will learn how to communicate more effectively with the people needed to achieve positive change. You will leave with a self-revised version of a difficult conversation and a practical model to use when you get back to work.
Come learn more on how to become a real influencer!
This presentation by OECD, OECD Secretariat, was made during the discussion “Pro-competitive Industrial Policy” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/pcip.
This presentation was uploaded with the author’s consent.
This presentation by Juraj Čorba, Chair of OECD Working Party on Artificial Intelligence Governance (AIGO), was made during the discussion “Artificial Intelligence, Data and Competition” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/aicomp.
This presentation was uploaded with the author’s consent.
Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc...SkillCertProExams
• For a full set of 760+ questions. Go to
https://skillcertpro.com/product/databricks-certified-data-engineer-associate-exam-questions/
• SkillCertPro offers detailed explanations to each question which helps to understand the concepts better.
• It is recommended to score above 85% in SkillCertPro exams before attempting a real exam.
• SkillCertPro updates exam questions every 2 weeks.
• You will get life time access and life time free updates
• SkillCertPro assures 100% pass guarantee in first attempt.
This presentation by Nathaniel Lane, Associate Professor in Economics at Oxford University, was made during the discussion “Pro-competitive Industrial Policy” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/pcip.
This presentation was uploaded with the author’s consent.
XP 2024 presentation: A New Look to Leadershipsamililja
Presentation slides from XP2024 conference, Bolzano IT. The slides describe a new view to leadership and combines it with anthro-complexity (aka cynefin).
Carrer goals.pptx and their importance in real lifeartemacademy2
Career goals serve as a roadmap for individuals, guiding them toward achieving long-term professional aspirations and personal fulfillment. Establishing clear career goals enables professionals to focus their efforts on developing specific skills, gaining relevant experience, and making strategic decisions that align with their desired career trajectory. By setting both short-term and long-term objectives, individuals can systematically track their progress, make necessary adjustments, and stay motivated. Short-term goals often include acquiring new qualifications, mastering particular competencies, or securing a specific role, while long-term goals might encompass reaching executive positions, becoming industry experts, or launching entrepreneurial ventures.
Moreover, having well-defined career goals fosters a sense of purpose and direction, enhancing job satisfaction and overall productivity. It encourages continuous learning and adaptation, as professionals remain attuned to industry trends and evolving job market demands. Career goals also facilitate better time management and resource allocation, as individuals prioritize tasks and opportunities that advance their professional growth. In addition, articulating career goals can aid in networking and mentorship, as it allows individuals to communicate their aspirations clearly to potential mentors, colleagues, and employers, thereby opening doors to valuable guidance and support. Ultimately, career goals are integral to personal and professional development, driving individuals toward sustained success and fulfillment in their chosen fields.
Carrer goals.pptx and their importance in real life
(Ab)using Smart Cities - Whitepaper
1. (Ab)using Smart Cities
The dark age of modern mobility
Authors:
Matteo Beccaro, Founder & CTO at Opposing Force
matteo.beccaro@opposingforce.it
Matteo Collura, Researcher at Politecnico di Torino
eagle1753@onenetbeyond.org
August 20, 2016
1
3. (Ab)using Smart Cities
1 Introduction
Since these last few years our world has been getting smarter and smarter. We may ask ourselves: what
does smart mean? It is the possibility of building systems which are nodes of a more complex network,
digitally connected to the internet and to the final users. Our cities are becoming one of those networks and
over time more and more elements are getting connected to such network: from traffic lights to information
signs, from traffic and surveillance cameras to transport systems. This last element, also called as Smart
Mobility is the subject of our analysis, divided in three sub-element, each one describing a different method
of transport in our city:
• Private transport: for this method we analyze the smart alternatives aimed to make parking activity
easy, hassle free and more convenient
• Shared transport: we focus our attention on those systems which are sharing transport vehicles. In
particular we deal with bike sharing which seems to be the most wide spread system in European
cities
• Public transport: object of our analysis for this section is the bus, metro and tram network
The aim of our analysis is understanding the ecosystem which each element belongs to and performing a
security evaluation of such system. In this way the most plausible attack and fraud scenarios are pointed out
and the presence of proper security measures is checked. All the details discussed here are collected from a
sample city, but the same methodology and concept can be applied to most of the smart cities in the world.
Figure 1: The smart parking meter ecosystem
Page 3 of 15
4. (Ab)using Smart Cities
2 Private Transport: Smart Parking
This section is concerning one of the most annoying activities in which we are involved when moving from
one place to another by means of our car: finding a park. If it is not a parking lot but just on the border of
the street, usually we need to stamp a ticket from the parking meter and leave it under the windshield. This
procedure however belongs to the old analog world, how to turn it smart? The answer is: Smart Parking
Meter.
2.1 Token
This device is able to replace all the parking meters in at least 50 big cities of our country. Whenever it is
turned on, the user is asked to select the city and the parking zone in which the car will be left. The whole
procedure is made by pressing three physical buttons (Enter/Power, Right, Left). Then it is sufficient to
place the device under the windshield in such a way it is easily noticeable by an inspector.
It is easy to spot the interfaces with the external world just by giving a quick look at the Smart Parking
Meter. There is NFC tag, then a micro USB. Moreover, when opening the case some well labeled lines are
showing up, revealing a JTAG and a SWD interface.
(a) The smart park meter dressed... (b) ... and naked
When activated, the display will show the city and zone set in the previous passage, then the date and time
and finally the price for the time unit, e.g. 1.50 e per hour. The selected fee will be automatically applied for
each second of activity: in this way the user is paying the effective parking time (when using the traditional
park meter instead the user is supposed to make a forecast). This device can be ordered online or bought at
some specific resellers, who are allowed to recharge money; however, this procedure can also be performed by
the user, at home, through a PC, paying by credit card. In order to make the computer properly recognize
the device, the user is asked to install a small Java utility.
Page 4 of 15
5. (Ab)using Smart Cities
Figure 2: The smart parking meter ecosystem
Summing up, the ecosystem we are analyzing is composed by:
• Token: the Smart Parking Meter
• Gateway: a PC application connecting the device to the Internet
• Backend: web service used to perform several actions on the device during the update process
• Controller/Inspector: it is not an element we can actually control, so we are not able to analyze its
attack surface and the role he can play during a fraud scenario
2.1.1 Token’s Attack Surface: NFC interface
The first step involves the identification of the NFC tag implemented in this device. It is sufficient a mobile
phone to identify that the chip on board is a NT3H1101 made by NXP Semiconductors. One of the main
features of this tag is the possibility to interact both with a I2
C interface according to a master-slave
relationship and also with a SRAM memory. The user memory is composed by 888 bytes and arranged in
222 pages.
After the examination of the datasheet1
, we decided to inspect these areas:
• Capability Container is configured as the One Time Programmable sector in MIFARE Ultralight2
.
In this case it doesn’t seem to be showing any relevant information, moreover it is not changing while
the device is working or afterwards
• Lock Bytes are configured according to default values. Their role is again the same as in MIFARE
Ultralight3
; all the pages are by default readable and writable
• Configuration/Session Registers are configured according to default values. These registers, two
pages each, are used to set a relationship between NFC, I2
C and SRAM memory. The most useful
operations concern the enabling of SRAM Memory mirroring on the user memory, and the possibility
to write directly on it from NFC side. However, the Session Registers can be edited only through the
I2
C interface. As regards Configuration Registers, they depend on the Session ones, so, in conclusion,
we decided to solve this challenge in our future works
1http://www.nxp.com/documents/data_sheet/NT3H1101_1201.pdf
2http://www.nxp.com/documents/data_sheet/MF0ICU1.pdf#page=12
3http://www.nxp.com/documents/data_sheet/MF0ICU1.pdf#page=11
Page 5 of 15
6. (Ab)using Smart Cities
• User Memory is readable and writable by anyone, no encryption is on. It is surprisingly empty
• SRAM memory unfortunately is still a mystery to be solved. The only possibility to gather data
from here is to access the I2
C and change the proper bits in the Session Registers, otherwise it wouldn’t
be possible to enable the communication channel
2.1.2 Token’s Attack Surface: I2
C interface
As stated in the previous subsection, no tests have been performed on this interface by now.
2.1.3 Token’s Attack Surface: USB interface
The update and recharge processes are performed through this interface so that the device is able to reach
the web server and update its configuration files.
As a first analysis, it makes sense trying to eavesdrop the communication between the Smart Parking Meter
and the PC. This will possibly reveal the authentication procedure and data flow.
2.1.4 Token’s Vulnerabilities: USB interface
A malicious user could try to edit the configuration files requested by the device. The operation is possible
since there is no signature/key to validate the data: in case there are modifications the Smart Parking Meter
is not rejecting them. This opens a window on different scenarios:
• Modification of sensitive data (i.e. city names, prices per hour, working time etc.)
• Inspection of authentication methods towards the web server
• Creation and injection of a custom firmware
Moreover as soon as the device is connected to the PC, it will send out all the parking transactions and
funds updates. This will likely update the history of our Smart Parking Meter on the online database.
2.1.5 Attack Scenario: Configuration Files
When the device is working as it is supposed to do, the following information are shown on the display:
• City Name
• City Fare Zone
• Price per time unit
• Date and Time
However, a lot of data is exchanged during the update process of the Smart Parking Meter, like the time
window in which it should work (during day, not during night), the faring frequency (per hour, per quarter,
etc.), the minimum applicable fee and so on. When the device is stopped, it will show the amount of money
it has been charged and the remaining credit. We tried to guess the formula the device applies to charge the
right fee:
Fee =
(price per time unit) ∗ (faring frequency) ∗ (seconds elapsed)
3600 seconds
+ (minimum applicable fee)
As deducible, it would be sufficient to force the first or the second factor at the numerator to be zero together
with the minimum applicable fee in order to get a final result of 0 e to be charged. Since however the price
per time unit is showed on the display during device activity, it is better to set the faring frequency equal to
zero. Needless to say, we tried and the final fare became always zero, no matter how many elapsed seconds!
Page 6 of 15
7. (Ab)using Smart Cities
2.1.6 Attack Scenario: Firmware Upgrade
Another attack scenario involves the firmware upgrade mechanism, which is triggerable from the software
installed on the PC ( Gateway ). Once the process is started, the software will download a DFU file, put the
device in DFU mode and upload it on the device for upgrading. We discovered that no integrity checks are
performed on the firmware, therefore, it is possible to install a custom version on the device. An Inspector
can verify the correct device activity only by reading the display, which shows all the information regarding
the parking payment status. This, combined with the firmware upgrade issue, allows an attacker to load
on the device a custom software, able to emulate the data displayed by the original one without taking into
account the money on the device.
2.2 Gateway
As stated before, the connection between the device and the Internet is mediated by the Gateway. The user
is asked to install a simple and light Java application that will enable a channel of communication with the
token. The allowed operations on the device are:
• Update
• Money recharge (provided a user is created on the backend and linked to the device’s serial number)
2.2.1 Gateway’s Attack Surface
When eavesdropping the incoming and outgoing data packets, it is possible to read clearly each action, from
the logs exchange to the update process. We manage to intercept even a firmware upgrade request.
2.2.2 Gateway’s Vulnerabilities
As deducible from the above paragraph, the data are not obfuscated, leaving the possibility to an external
user to understand how the update process is made. Moreover there is a lack of certificate validation! This
means that a modification of the data sent/received will be accepted and will generate possibly new requests.
For example it was possible to pretend the device’s firmware not to be up to date. As a consequence the
server produced a response containing an hardcoded URL, which was pointing to a .dfu packet. This example
shows also how to dump the firmware without even trying to extract it from the device.
Page 7 of 15
8. (Ab)using Smart Cities
3 Shared Transport: Bike Sharing
We studied also a new transport system: the shared transport, in particular we focused our attention on the
bike sharing service. It is very convenient because there are more than a hundred stations spread all over
the city of at least ten bicycles each. It is a low cost option used everyday. The user needs a token device
to take a bike: this can be a NFC card or his mobile phone, but, as regards this last case only, it is also
required to register an online account.
The token is used to identify the user to the system and then, if a valid subscription is verified, the bicycle is
unlocked and ready to be ridden. Once the bicycle is returned to another station, the system evaluates the
time elapsed since the unlocking and charges the user of the correct amount of money (Notice that for the
first thirty minutes it is free of charge). We mapped the ecosystem of this network in the following elements:
• Token
• Reader/Controller
• Backend
• Web application
We tried to perform an assessment on the complete ecosystem without risking to cause any denial of service,
therefore we didn’t analyze the last two elements: Backend and Web Application.
Figure 3: The bikesharing ecosystem
3.1 Token
As seen before the Token device can be either a NFC cardor the user’s mobile phone with the bike sharing
application installed. The NFC card is a MIFARE ULTRALIGHT tag with 512 bit of EEPROM memory,
7 bytes UID and very basic security features4
. The card’s UID is used by the controller to identify the user,
all the remaining Data bytes are not used and all set to 0.
The mobile application instead makes use of exposed APIs to speak with the system and send commands,
for example when unlocking a bicycle. It also uses GPS to localize the user and provide directions to the
nearest bike station. Moreover, it allows the releasing of a bike only if the user is close enough to the station.
4http://www.nxp.com/documents/data_sheet/MF0ICU1.pdf
Page 8 of 15
9. (Ab)using Smart Cities
−−−−−−−−−−−−−−−−−− NFC Tag Content −−−−−−−−−−−−−−−−−−
[PAGE 0x01 ] 04:CA:63:25 (UID0−UID2 , BCC0)
[PAGE 0x02 ] 1A: 5 3 : 3 6 : 8 0 (UID3−UID6)
[PAGE 0x03 ] FF: 4 8 : 0 0 : 0 0 (BCC1, INT, LOCK0, LOCK1)
[PAGE 0x04 ] 00:00:00:00 (OTP0−OTP3)
[PAGE 0x05 ] FF:FF:FF:FF (DATA)
[PAGE 0x06 ] 00:00:00:00 (DATA)
[PAGE 0x07 ] 00:00:00:00 (DATA)
[PAGE 0x08 ] 00:00:00:00 (DATA)
[PAGE 0x09 ] 00:00:00:00 (DATA)
[PAGE 0x0A ] 00:00:00:00 (DATA)
[PAGE 0x0B ] 00:00:00:00 (DATA)
[PAGE 0x0C ] 00:00:00:00 (DATA)
[PAGE 0x0D ] 00:00:00:00 (DATA)
[PAGE 0x0E ] 00:00:00:00 (DATA)
[PAGE 0x0F ] 00:00:00:00 (DATA)
−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
3.1.1 Token’s Attack Surface
We started analyzing the Token’s attack surface starting from the NFC card.
Since it is a MIFARE ULTRALIGHT card, the following interesting features are worth to be explored:
• One Time Programmable (OTP) sector
• Lock bytes sector
• UID
• No encryption nor authentication for reading and writing data
It was trivial to see that both OTP and Lock bytes sectors are not used in this implementation because all
Data sectors are set to 0 both before and after using the system. Therefore the only sector in use is the
UID, which is used to identify the user. Figure 4 is showing in a schematic way the authentication process.
For what concerns the mobile app, we downloaded and decompiled the Android APK, doing a quick static
code review. Then the communication between the application and the backend during a bike unlock is
inspected.
3.1.2 Token’s Vulnerabilities
During our analysis we find several issues regarding the token, both in the NFC card and the mobile
application: those would allow a malicious user to bypass completely the security of the system and get free
bikes.
1. NFC Card
• It is possible to read other people’s cards without authentication
• The UID is stored and transmitted in clear text, therefore its usage as ID for the authentication
is not a wise thing.
• It is possible to exploit the anti-collision protocol to read the UID during a legit transaction from
an longer distance
Page 9 of 15
10. (Ab)using Smart Cities
Figure 4: Authentication scheme
2. Mobile application
• During the static code analyze several hardcoded credentials were found: they are used to admin-
istrate the backend Webservice. We suppose it would be possible to use those credentials to take
complete control of the backend.
• Other vulnerabilities were found during the user registration process: they would allow an attacker
to forge valid accounts with even positive money balance
Figure 5: Hardcoded login credentials
Page 10 of 15
11. (Ab)using Smart Cities
3.2 Reader/Controller
In the system we have analyzed the reader and the controller are in the same physical structure. In or-
der to avoid any service disruption we mapped the attack surface but never performed any case scenario
which could cause a denial of service.
3.2.1 Reader/Controller’s Attack Surface
We pointed out several entry points a malicious user can exploit to attack
the Reader/Controller element:
• NFC Interface
• Reader/Controller to Backend communication
• Physical Hook
We tested only the station hook to find out how it is realizing whether a
bike has been correctly locked or not.
3.2.2 Reader/Controller’s Vulnerabilities
It is possible to trick the bike station pretending that a bike has not been
unlocked. It is sufficient to pass the NFC card on the reader and wait
until the LED starts blinking. Then, we need to extract the bike slowly
for just a centimeter. After a short amount of time the process goes in
timeout and the lock mechanism is activated again, even if the bike has
been released. This way an attacker can unlock an unlimited number of
bikes. Unfortunately, if the system is tricked in such way but, after some
time, the bike is properly locked, the backend system recognizes that the
same bike has been locked twice. This will produce a ban on the used
NFC card and therefore the associated user after a week or so.
Page 11 of 15
12. (Ab)using Smart Cities
4 Public Transport: Bus, Tram, Metro
Public transport has been renewed in its architecture, in order to look smarter. That’s why in our sample
city the old paper tickets have been replaced with NFC tags. A user can buy a five-ride or fifteen-ride ticket.
Each ride is valid 90 minutes from the stamping time, except for the metro, which takes out one ride each
time we use it. As shown in Figure 5 the ecosystem we are analyzing is now composed of:
• Token (NFC tickets)
• Validating Machine
• Backend
We tried to understand more about the backend but it would have required invasive techniques. As a
consequence it was just checked the presence of any fraud detection mechanisms and, if so, how they work.
Figure 6: Public transport system
4.1 Token
The ticket is a well known MIFARE ULTRALIGHT tag, with 512 bit of EEPROM memory, 7 bytes UID
and very basic security features5
.
4.1.1 Token’s Attack Surface
The following interesting features are worth to be explored:
• One Time Programmable (OTP) sector
• Lock bytes sector
• UID
• No encryption nor authentication for reading and writing data
After a quick analysis we figured out that the ticket rides are stored in the OTP sector, as suggested by
reference design. Other relevant data are stored in the Data sector, such as date/time of last stamp, type of
transportation vehicle and its ID number, an integrity signature, and some other data we have not decoded
yet. The UID is used to calculate the signature stored in the data sector; unfortunately it will be saved in
the backend, as we will see in the following paragraphs.
5http://www.nxp.com/documents/data_sheet/MF0ICU1.pdf
Page 12 of 15
13. (Ab)using Smart Cities
4.1.2 Token’s Vulnerabilities
On the token’s side we find that the lock bytes are not all secured: the most of the block locking bits are in
facts set to 0, including the OTP one. As a consequence, at least the ticket is vulnerable to the Lock Attack.
4.2 Validating Machine
We don’t know very much of the physical specifications of the Validating Machine, however, during the
working period they are working offline. We supposed that when the vehicles are sent to deposit, about once
per week, they are connected to a backend service, to upload their logs and update the blacklist. We will
speak about that later.
4.2.1 Validating Machine’s Attack Surface
Whenever a ticket is supposed to be stamped, the validating machine is checking first:
1. Last stamp date/time greater than 90 minutes
2. OTP sector writable
3. Signature integrity
As regards point #1 it is a nice try to exploit the Time Attack, by editing the timestamp however we like.
Unfortunately, the presence of a Signature (#3) is making this impossible (as long as that string of bytes is
not deciphered). For what concerns point #2 there is a check on the OTP sector lock bit. This is avoiding
the usage of Lock Attack. The last possibility to check is the Replay Attack. Finally, since the NFC interface
is linked to an embedded system, it would be interesting to check how it will respond to a fuzzing test. We
didn’t try any similar attack in order not to cause any denial of service.
4.2.2 Validating Machine’s Vulnerabilities
Actually there is just one vulnerability we are able to exploit which is the aforementioned Replay Attack:
the Validating Machine is not able to retrieve on the fly the history of the ticket to be stamped. For that
reason, a clone MIFARE ULTRALIGHT tag can be used to make the stamping machine believe that there
is one ride more than expected. This will produce a valid ticket, with the same number of rides of the real
one but with a verified data sector.
4.3 Backend
As stated before, there is a lack of knowledge about the backend since we skipped intrusive tests in order to
avoid denials of service. However, its existence is confirmed since we experienced during our tests that if we
try to validate a five-ride ticket more than five times, one week after the 5th stamp, the stamping machine
refuses the ticket. This is a clear evidence of a blacklist check.
The Validating Machine contains a ticket blacklist, updated through the backend approximately once every
week. Here each record is possibly including the ticket’s UID and rides left. If the ticket to be stamped is
blacklisted, the Stamping Machine will write 0xFF all over the ticket, making it forever useless.
4.3.1 Backend’s Attack Surface
The communication between the Validating Machine and the Backend is occasional, so it is hard even to
define the channel. For sure the exchanged data are stored in a database, indexed by the ticket UIDs. In
order to avoid any denial of service or being too intrusive, we refrained from performing any test.
Page 13 of 15
14. (Ab)using Smart Cities
Figure 7: Public transport system
4.3.2 Backend’s Vulnerabilities
This system is vulnerable to the injection of virgin multiple-ride tickets. A whitelist cannot exist as long as
the Validating Machine and the ticket-vending machines are not always connected to the Internet nor the
backend.
5 Impact
We would like to point out what could be the impact of a large scale abuse of the above issues. Clearly the
aim of this research is not try to understand what a state-wide attack could do on the transportation system
but instead what are the possible financial losses derived from the exploitation of the above vulnerabilities
from, for example, a criminal organization. That organization could sell ticket which could be valid for life
for a fraction of the price, sell modified parking device or discounted recharge for bike sharing account and
this, for our example city, would be a multi hundred milion euros loss each year.
We are also interested in continuing our research to understand what a more advanced criminal operation
could do to create a disruption of the transportation services.
6 Future works
In the future we plan to extend our area of research to other elements of smart cities6
, such as:
1. Power Management
2. Water Management
3. Surveillance
We will also try to extend our methodology to cover those additional elements.
6http://securingsmartcities.org/wp-content/uploads/2015/05/CitiesWideOpenToCyberAttacks.pdf
Page 14 of 15
15. (Ab)using Smart Cities
7 Conclusions
By means of this paper we hope the readers will be aware of the possible risks concerning all the applications
that are labeled as “smart”. This document’s aim is to give an overview about how our cities are getting
smarter and more connected, how such ecosystems are composed and how to perform a security assessment
on them. Moreover we hope the reader will be curious and willing to look into other environments, now that
he has a deeper knowledge of the inner working of such systems.
8 Links
Opposing Force - www.opposingforce.it - @ opposingforce
SecuringSmartCities - www.securingsmartcities.org
Matteo Beccaro - @ bughardy
Matteo Collura - @eagle1753
Page 15 of 15