(ab)using smart cities - the dark age of modern mobility

Matteo  Beccaro |  Matteo  ColluraSingapore  – August  26th,  2016

About  us  ||

§ Matteo  Beccaro

§ Founder&  Chief  Technology  Officer  at  Opposing  Force§ The  first  Italian  company  specialize  in  offensive  physical  security

§ Twitter:  @_bughardy_  |  @_opposingforce

§ Web:  www.opposingforce.it

About  us  ||

§ Doc.  Matteo  Collura§ Bachelor  of  Science   in  Electronic   Engineering

§ Currently  studying  “Nanotech  for  ICT” at  Politecnico di  Torino

§ Twitter:  @eagle1753

Starting  from  May  2016,  we  are,  with Opposing  Force,members  of

Agenda  ||

§ What  is  a  smart  city?

§ Smart  transport  systems§ Smart  parking  meter

§ Bike  sharing

§ Public  transport

§ What’s  next?

Agenda  ||

§ What  is  a  smart  city?

§ Smart  transport  systems§ Smart  parking  meter

§ Bike  sharing

§ Public  transport

§ What’s  next?

What  is  a  Smart  City?

let’s  focus  on..

Smart  Transportation  Systems

Smart  transportation  systems  ||

§ Smart  traffic  control

§ Smart  parking  

§ Smart  street  lighting

§ Smart  public  transport  system

taxonomy  for  smarttransportation  systems

Citizens

Smart  Traffic  Control

Smart  Lighting  Control Smart  Transportation

Smart  Parking  System

Smart  Traffic  Control

Smart  Lighting  Control Smart  Transportation

Smart  Parking  System

Citizen

going  into  details…

Smart  transportation  systems  ||

Private transport

Shared transport

Public transport

Smart  transportation  systems  ||Physical  world  data

Physical  world  data

Agenda  ||

§ What  is  a  smart  city?

§ Smart  transport  systems§ Smart  parking  meter

§ Bike  sharing

§ Public  transport

§ What’s  next?

Smart  parking  meter  – case  study  ||

MCU

USB  port

Display  port

Smart  parking  meter  – case  study  ||

Firmware  analysis:

§ No  integrity  checks

§ No  encryption  or  obfuscation

§ DFU  can  be  easily  obtained

Smart  parking  meter  – case  study  ||

Firmware  analysis  results:

§ Attackers  can  upload  a    malicious  firmware

Smart  parking  meter  – case  study  ||

Debug  interfaces:

§ JTAG  port

§ SWD  port

§ Debug  traces

Smart  parking  meter  – case  study  ||

CLIENT  DOMAINEDGE  DOMAIN CLOUD  DOMAIN

USB GSM

NFC

Smart  parking  meter  – case  study  ||

CLIENT  DOMAINEDGE  DOMAIN CLOUD  DOMAIN

No  data  validation

Trust  in  the  Edge  Device  provided  information

Smart  parking  meter  – case  study  ||

Communication  analysis:

§ No  integrity  checks

§ No  encryption

§ No  authenticity  checks

Smart  parking  meter  – case  study  ||

𝐹𝑒𝑒 =𝑝𝑟𝑖𝑐𝑒  𝑝𝑒𝑟  𝑡𝑖𝑚𝑒  𝑢𝑛𝑖𝑡 ∗ 𝑓𝑎𝑟𝑒  𝑓𝑟𝑒𝑞𝑢𝑒𝑛𝑐𝑦 ∗ 𝑒𝑙𝑎𝑝𝑠𝑒𝑑  𝑠𝑒𝑐𝑜𝑛𝑑𝑠

3600  𝑠𝑒𝑐𝑜𝑛𝑑𝑠+ 𝑚𝑖𝑛𝑖𝑚𝑢𝑚  𝑓𝑒𝑒

Usually  set  to  0

Displayed

Not  displayed

Displayed

Agenda  ||

§ What  is  a  smart  city?

§ Smart  transport  systems§ Smart  parking  meter

§ Bike  sharing

§ Public  transport

§ What’s  next?

Bike  sharing  – case  study  ||

Step  1. Step  2. Step  3.

Bike  sharing  – case  study  ||

Step  1. Step  2. Step  3.

Bike  sharing  – case  study  ||

Access  method:

§ Mobile  application

§ NFC  card

Bike  sharing  – case  study  ||

Mobile  application:

§ No  obfuscation

§ Hardcoded  vendor  credentials

§ Multiple  SQL  Injections

Bike  sharing  – case  study  ||

NFC  card:

§ MIFARE  Ultralight

§ UID  based

§ UID  is  also  printed  on  the  card

Bike  sharing  – case  study  ||

Step  1. Step  2. Step  3.

Bike  sharing  – case  study  ||

Physical  issue:

§ The  hook’s  sensor  is  not  very  precise

§ Unlock  a  bike  and  slowly  remove  it  from  the  hook

§ The  sensor  is  still  detecting  the  bicycle..

Bike  sharing  – case  study  ||

Physical  issue:

§ It  can  be  detected  by  the  central  system  IF

I. The  bike  is  left  to  an  other  station

II. A  bike  is  hooked  to  the  previous  station

Agenda  ||

§ What  is  a  smart  city?

§ Smart  transport  systems§ Smart  parking  meter

§ Bike  sharing

§ Public  transport

§ What’s  next?

Public  transport  – case  study  ||

Two  existing  systems

“Online”  system“Offline”  system

Public  transport  – case  study  ||

Offline  system

§ Lock  Attack

§ Time  Attack

Public  transport  – case  study  ||

Lock  Attack

§ Abuse  MIFARE  Ultralight  functionality

§ Set  OTP  page  in  read-­‐only  mode

§ No  rides  are  removed

Page Address Byte  #

DEC HEX 0 1 2 3

0 0x00 UID

1 0x01 UID

2 0x02 UID Internal Lock  Bytes

Lock  Bytes

3 0x03 OTP

From  4  to 15 0x04  to  0x0F Data

Public  transport  – case  study  ||

Time  Attack

§ Abuse  of  multiple  rides  tickets

§ Reverse  engineer  the  stamping  date

§ Update  the  stamping  date  without  removing  rides

Public  transport  – case  study  ||

Online  system

§ Replay  Attack

Public  transport  – case  study  ||

Replay  Attack

§ Use  of  UID changeable  tickets  or  emulators

§ Bypass  “software”  encryption

§ Very  difficult  to  fix

Agenda  ||

§ What  is  a  smart  city?

§ Smart  transport  systems§ Smart  parking  meter

§ Bike  sharing

§ Public  transport

§ What’s  next?

smart  city  surveillance..

smart  water  management..

smart  city  lighting  system..

smart  trafficlight  system..

…a  city?

Any  question?Don’t  be  shy..

engage@oposingforce.it  |  www.opposingforce.it  |  @_opposingforce