(Ab)using Smart Cities - the dark age of modern mobility
![Page 1: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/1.jpg)
Matteo Beccaro | Matteo Collura
Singapore – August 26th, 2016
![Page 2: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/2.jpg)
About us ||
§ Matteo Beccaro
§ Founder & Chief Technology Officer at Opposing Force
§ The first Italian company specialized in offensive physical security
§ Twitter: @_bughardy_ | @_opposingforce
§ Web: www.opposingforce.it
![Page 3: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/3.jpg)
About us ||
§ Doc. Matteo Collura
§ Bachelor of Science in Electronic Engineering
§ Currently studying “Nanotech for ICT” at Politecnico di Torino
§ Twitter: @eagle1753
![Page 4: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/4.jpg)
Starting from May 2016, we are, with Opposing Force, members of
![Page 5: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/5.jpg)
Agenda ||
§ What is a smart city?
§ Smart transport systems
§ Smart parking meter
§ Bike sharing
§ Public transport
§ What’s next?
![Page 6: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/6.jpg)
Agenda ||
§ What is a smart city?
§ Smart transport systems
§ Smart parking meter
§ Bike sharing
§ Public transport
§ What’s next?
![Page 7: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/7.jpg)
What is a Smart City?
![Page 8: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/8.jpg)
![Page 9: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/9.jpg)
let’s focus on..
![Page 10: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/10.jpg)
Smart Transportation Systems
![Page 11: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/11.jpg)
Smart transportation systems ||
§ Smart traffic control
§ Smart parking
§ Smart street lighting
§ Smart public transport system
![Page 12: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/12.jpg)
taxonomy for smart transportation systems
![Page 13: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/13.jpg)
Citizens
Smart Traffic Control
Smart Lighting Control Smart Transportation
Smart Parking System
![Page 14: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/14.jpg)
Smart Traffic Control
Smart Lighting Control Smart Transportation
Smart Parking System
Citizen
![Page 15: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/15.jpg)
going into details…
![Page 16: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/16.jpg)
Smart transportation systems ||
Private transport
Shared transport
Public transport
![Page 17: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/17.jpg)
Smart transportation systems ||
Physical world data
Physical world data
![Page 18: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/18.jpg)
Agenda ||
§ What is a smart city?
§ Smart transport systems
§ Smart parking meter
§ Bike sharing
§ Public transport
§ What’s next?
![Page 19: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/19.jpg)
Smart parking meter – case study ||
MCU
USB port
Display port
![Page 20: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/20.jpg)
Smart parking meter – case study ||
Firmware analysis:
§ No integrity checks
§ No encryption or obfuscation
§ DFU can be easily obtained
![Page 21: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/21.jpg)
Smart parking meter – case study ||
Firmware analysis results:
§ Attackers can upload a malicious firmware
![Page 22: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/22.jpg)
Smart parking meter – case study ||
Debug interfaces:
§ JTAG port
§ SWD port
§ Debug traces
![Page 23: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/23.jpg)
Smart parking meter – case study ||
CLIENT DOMAIN | EDGE DOMAIN | CLOUD DOMAIN
USB GSM
NFC
![Page 24: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/24.jpg)
Smart parking meter – case study ||
CLIENT DOMAIN | EDGE DOMAIN | CLOUD DOMAIN
No data validation
Trust in the Edge Device provided information
![Page 25: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/25.jpg)
Smart parking meter – case study ||
Communication analysis:
§ No integrity checks
§ No encryption
§ No authenticity checks
![Page 26: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/26.jpg)
Smart parking meter – case study ||
$$\text{Fee} = \frac{\text{price per time unit} \times \text{fare frequency} \times \text{elapsed seconds}}{3600\ \text{seconds}} + \text{minimum fee}$$
Usually set to 0
Displayed
Not displayed
Displayed
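The findings on the preceding slides (no integrity or authenticity checks on the link, no data validation, trust in edge-provided values) point to two server-side controls: authenticate each report and recompute the fee from tariff data held in the cloud domain. The sketch below is an added example, not code from the talk or the vendor; the JSON report format, field names, per-meter key table and tariff values are assumptions, and the fee uses the slide's formula in integer cents.

```python
import hashlib
import hmac
import json

# Constructed server-side state (assumptions, not from the slides).
TARIFFS = {"zone-A": {"price_cents": 150, "fare_frequency": 1, "minimum_fee_cents": 0}}
METER_KEYS = {"meter-0001": b"constructed-demo-key"}
MAX_SECONDS = 24 * 3600

def expected_fee_cents(tariff, elapsed_seconds):
    """Slide formula evaluated with tariff values the server holds itself."""
    variable = tariff["price_cents"] * tariff["fare_frequency"] * elapsed_seconds
    return (variable + 1800) // 3600 + tariff["minimum_fee_cents"]

def sign_report(key, report):
    """HMAC-SHA256 over a canonical JSON encoding of the report."""
    body = json.dumps(report, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def validate_report(report, tag):
    """Return (accepted, reason) for a report received from an edge device."""
    key = METER_KEYS.get(report.get("meter_id"))
    if key is None:
        return False, "unknown meter"
    if not isinstance(tag, str) or not hmac.compare_digest(
            sign_report(key, report).encode(), tag.encode()):
        return False, "bad MAC"
    tariff = TARIFFS.get(report.get("zone"))
    if tariff is None:
        return False, "unknown zone"
    secs = report.get("elapsed_seconds")
    if type(secs) is not int or not 0 < secs <= MAX_SECONDS:
        return False, "elapsed time out of range"
    if report.get("fee_cents") != expected_fee_cents(tariff, secs):
        return False, "fee mismatch"
    return True, "ok"

def demo():
    """Constructed reports: honest, altered in transit, and signed with a wrong fee."""
    key = METER_KEYS["meter-0001"]
    honest = {"meter_id": "meter-0001", "zone": "zone-A",
              "elapsed_seconds": 5400, "fee_cents": 225}
    tag = sign_report(key, honest)
    in_transit = dict(honest, elapsed_seconds=600)   # changed after signing
    wrong_fee = dict(honest, fee_cents=10)           # validly signed, fee not per tariff
    return [validate_report(honest, tag), validate_report(in_transit, tag),
            validate_report(wrong_fee, sign_report(key, wrong_fee))]
```

The third case is the reason for recomputing the fee: a device running replaced firmware can still produce a valid MAC, so the MAC alone does not make its numbers trustworthy.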
![Page 27: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/27.jpg)
Agenda ||
§ What is a smart city?
§ Smart transport systems
§ Smart parking meter
§ Bike sharing
§ Public transport
§ What’s next?
![Page 28: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/28.jpg)
Bike sharing – case study ||
Step 1. Step 2. Step 3.
![Page 29: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/29.jpg)
Bike sharing – case study ||
Step 1. Step 2. Step 3.
![Page 30: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/30.jpg)
Bike sharing – case study ||
Access method:
§ Mobile application
§ NFC card
![Page 31: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/31.jpg)
Bike sharing – case study ||
Mobile application:
§ No obfuscation
§ Hardcoded vendor credentials
§ Multiple SQL Injections
![Page 32: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/32.jpg)
Bike sharing – case study ||
NFC card:
§ MIFARE Ultralight
§ UID based
§ UID is also printed on the card
![Page 33: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/33.jpg)
Bike sharing – case study ||
Step 1. Step 2. Step 3.
![Page 34: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/34.jpg)
Bike sharing – case study ||
Physical issue:
§ The hook’s sensor is not very precise
§ Unlock a bike and slowly remove it from the hook
§ The sensor is still detecting the bicycle..
![Page 35: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/35.jpg)
Bike sharing – case study ||
Physical issue:
§ It can be detected by the central system IF
I. The bike is left at another station
II. A bike is hooked to the previous station
![Page 36: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/36.jpg)
Agenda ||
§ What is a smart city?
§ Smart transport systems
§ Smart parking meter
§ Bike sharing
§ Public transport
§ What’s next?
![Page 37: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/37.jpg)
Public transport – case study ||
Two existing systems
“Online” system
“Offline” system
![Page 38: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/38.jpg)
Public transport – case study ||
Offline system
§ Lock Attack
§ Time Attack
![Page 39: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/39.jpg)
Public transport – case study ||
Lock Attack
§ Abuse MIFARE Ultralight functionality
§ Set OTP page in read-only mode
§ No rides are removed
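| Page (DEC) | Page (HEX) | Byte 0 | Byte 1 | Byte 2 | Byte 3 |
|---|---|---|---|---|---|
| 0 | 0x00 | UID | UID | UID | UID |
| 1 | 0x01 | UID | UID | UID | UID |
| 2 | 0x02 | UID | Internal | Lock Bytes | Lock Bytes |
| 3 | 0x03 | OTP | OTP | OTP | OTP |
| From 4 to 15 | 0x04 to 0x0F | Data | Data | Data | Data |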
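A validator can detect the condition behind the Lock Attack by reading the lock bytes before stamping and re-reading the OTP page afterwards. The following is an added example, not code from the talk or from any ticketing vendor: it parses a 64-byte card dump using the layout in the table above and the lock-bit positions from the MIFARE Ultralight datasheet. The ride encoding (one OTP bit per used ride) and the sample dumps are assumptions constructed for illustration.

```python
PAGE_SIZE, N_PAGES = 4, 16   # MIFARE Ultralight: 16 pages of 4 bytes
OTP_PAGE = 3

def split_pages(dump: bytes):
    if len(dump) != PAGE_SIZE * N_PAGES:
        raise ValueError("expected a 64-byte MIFARE Ultralight dump")
    return [dump[i:i + PAGE_SIZE] for i in range(0, len(dump), PAGE_SIZE)]

def locked_pages(dump: bytes):
    """Pages made read-only by the lock bytes (page 2, bytes 2 and 3)."""
    lock0, lock1 = split_pages(dump)[2][2:4]
    locked = {p for p in range(3, 8) if (lock0 >> p) & 1}      # bit 3 = OTP, bits 4-7 = pages 4-7
    locked |= {8 + b for b in range(8) if (lock1 >> b) & 1}    # bits 0-7 = pages 8-15
    return locked

def used_rides(dump: bytes) -> int:
    """Assumed encoding: each set bit in the OTP page is one consumed ride."""
    return bin(int.from_bytes(split_pages(dump)[OTP_PAGE], "big")).count("1")

def accept_ticket(dump: bytes, total_rides: int):
    """Decision taken before stamping; returns (accepted, reason)."""
    if OTP_PAGE in locked_pages(dump):
        return False, "OTP page is locked, a ride cannot be deducted"
    if used_rides(dump) >= total_rides:
        return False, "no rides left"
    return True, "ok"

def stamp_verified(before: bytes, after: bytes) -> bool:
    """Read-back check: the OTP page must show exactly one more used ride."""
    return used_rides(after) == used_rides(before) + 1

def sample_dump(lock0=0x00, otp=b"\x00\x00\x00\x00") -> bytes:
    """Constructed dump: placeholder UID bytes, chosen lock byte 0 and OTP."""
    pages = [b"\x04\x11\x22\xbf", b"\x33\x44\x55\x66",
             bytes([0x00, 0x48, lock0, 0x00]), otp] + [bytes(4)] * 12
    return b"".join(pages)
```

Rejecting a ticket whose OTP page is locked and refusing entry when the read-back check fails both close the gap where "no rides are removed" goes unnoticed.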
![Page 40: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/40.jpg)
Public transport – case study ||
Time Attack
§ Abuse of multiple rides tickets
§ Reverse engineer the stamping date
§ Update the stamping date without removing rides
![Page 41: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/41.jpg)
Public transport – case study ||
Online system
§ Replay Attack
![Page 42: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/42.jpg)
Public transport – case study ||
Replay Attack
§ Use of UID changeable tickets or emulators
§ Bypass “software” encryption
§ Very difficult to fix
![Page 43: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/43.jpg)
Agenda ||
§ What is a smart city?
§ Smart transport systems
§ Smart parking meter
§ Bike sharing
§ Public transport
§ What’s next?
![Page 44: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/44.jpg)
![Page 45: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/45.jpg)
smart city surveillance..
![Page 46: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/46.jpg)
smart water management..
![Page 47: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/47.jpg)
smart city lighting system..
![Page 48: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/48.jpg)
smart traffic light system..
![Page 49: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/49.jpg)
…a city?
![Page 50: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/50.jpg)
Any question?
Don’t be shy..
![Page 51: (Ab)using Smart Cities - the dark age of modern mobility](https://reader031.vdocuments.mx/reader031/viewer/2022021919/587b24921a28ab736c8b749d/html5/thumbnails/51.jpg)
www.opposingforce.it | @_opposingforce