(ab)using smart cities - the dark age of modern mobility

Matteo Beccaro | Matteo ColluraSingapore – August 26th, 2016

About us ||

§ Matteo Beccaro

§ Founder& Chief Technology Officer at Opposing Force§ The first Italian company specialize in offensive physical security

§ Twitter: @_bughardy_ | @_opposingforce

§ Web: www.opposingforce.it

About us ||

§ Doc. Matteo Collura§ Bachelor of Science in Electronic Engineering

§ Currently studying “Nanotech for ICT” at Politecnico di Torino

§ Twitter: @eagle1753

Starting from May 2016, we are, with Opposing Force,members of

Agenda ||

§ What is a smart city?

§ Smart transport systems§ Smart parking meter

§ Bike sharing

§ Public transport

§ What’s next?

What is a Smart City?

let’s focus on..

Smart Transportation Systems

Smart transportation systems ||

§ Smart traffic control

§ Smart parking

§ Smart street lighting

§ Smart public transport system

taxonomy for smarttransportation systems

Citizens

Smart Traffic Control

Smart Lighting Control Smart Transportation

Smart Parking System

Smart Traffic Control

Smart Lighting Control Smart Transportation

Smart Parking System

Citizen

going into details…

Smart transportation systems ||

Private transport

Shared transport

Public transport

Smart transportation systems ||Physical world data

Physical world data

Agenda ||



§ Bike sharing

§ Public transport

§ What’s next?

Smart parking meter – case study ||

MCU

USB port

Display port


Firmware analysis:

§ No integrity checks

§ No encryption or obfuscation

§ DFU can be easily obtained


Firmware analysis results:

§ Attackers can upload a malicious firmware


Debug interfaces:

§ JTAG port

§ SWD port

§ Debug traces


CLIENT DOMAINEDGE DOMAIN CLOUD DOMAIN

USB GSM

NFC


CLIENT DOMAINEDGE DOMAIN CLOUD DOMAIN

No data validation

Trust in the Edge Device provided information


Communication analysis:

§ No integrity checks

§ No encryption

§ No authenticity checks


𝐹𝑒𝑒 =𝑝𝑟𝑖𝑐𝑒 𝑝𝑒𝑟 𝑡𝑖𝑚𝑒 𝑢𝑛𝑖𝑡 ∗ 𝑓𝑎𝑟𝑒 𝑓𝑟𝑒𝑞𝑢𝑒𝑛𝑐𝑦 ∗ 𝑒𝑙𝑎𝑝𝑠𝑒𝑑 𝑠𝑒𝑐𝑜𝑛𝑑𝑠

3600 𝑠𝑒𝑐𝑜𝑛𝑑𝑠+ 𝑚𝑖𝑛𝑖𝑚𝑢𝑚 𝑓𝑒𝑒

Usually set to 0

Displayed

Not displayed

Displayed

Agenda ||



§ Bike sharing

§ Public transport

§ What’s next?

Bike sharing – case study ||

Step 1. Step 2. Step 3.


Access method:

§ Mobile application

§ NFC card


Mobile application:

§ No obfuscation

§ Hardcoded vendor credentials

§ Multiple SQL Injections


NFC card:

§ MIFARE Ultralight

§ UID based

§ UID is also printed on the card


Step 1. Step 2. Step 3.


Physical issue:

§ The hook’s sensor is not very precise

§ Unlock a bike and slowly remove it from the hook

§ The sensor is still detecting the bicycle..


Physical issue:

§ It can be detected by the central system IF

I. The bike is left to an other station

II. A bike is hooked to the previous station

Agenda ||



§ Bike sharing

§ Public transport

§ What’s next?

Public transport – case study ||

Two existing systems

“Online” system“Offline” system


Offline system

§ Lock Attack

§ Time Attack


Lock Attack

§ Abuse MIFARE Ultralight functionality

§ Set OTP page in read-‐only mode

§ No rides are removed

Page Address Byte #

DEC HEX 0 1 2 3

0 0x00 UID

1 0x01 UID

2 0x02 UID Internal Lock Bytes

Lock Bytes

3 0x03 OTP

From 4 to 15 0x04 to 0x0F Data


Time Attack

§ Abuse of multiple rides tickets

§ Reverse engineer the stamping date

§ Update the stamping date without removing rides


Online system

§ Replay Attack


Replay Attack

§ Use of UID changeable tickets or emulators

§ Bypass “software” encryption

§ Very difficult to fix

Agenda ||



§ Bike sharing

§ Public transport

§ What’s next?

smart city surveillance..

smart water management..

smart city lighting system..

smart trafficlight system..

…a city?

Any question?Don’t be shy..

[email protected] | www.opposingforce.it | @_opposingforce

(ab)using smart cities - the dark age of modern mobility

Presentations & Public Speaking