session id: tech-t09 smart megalopolises. how safe and … · 2018-03-20 · session id: #rsac...

SESSION ID:

#RSAC

Denis Legezo

Smart Megalopolises. How Safe and Reliable Is Your Data?

TECH-T09

Global Research and Analytics Team, Kaspersky Lab@Legezo

#RSAC

Megalopolises are changing fast

2

#RSAC

The plan for today

3

Smart cities: Sensors' role

Reconnaissance: Vendors, locations, etc.

Sensors' functionality: Interfaces and data

Firmware: The Holy Grail of embedded

Automation: Let's send some bytes

Smart cities: Outside sensors

#RSAC

Why cities need all this stuff?

4







#RSAC

Why do cities have be smart?

5

Investments

Staff

Infrastructure

Data centers

Operation center

#RSAC

Raw data for planning

6

#RSAC

…And for traffic management

7

Possible to use for the traffic lights

Counting vehicles number and change timings

Counting pedestrians as well

#RSAC

Radars are the source of such data

8

#RSAC

The first phase

9







#RSAC

Appearance is a great help

10

#RSAC

..Any IDs you can get are also

11

MACs

Names

Any IDs

#RSAC

What we are gathering?

12







#RSAC

Look, interfaces

13

#RSAC

And a lots of data on-board

14

#RSAC

What's inside the data?

15

Vehicle type

Number of vehicles

Median speed

Station occupancy

#RSAC

The Holy Grail

16







#RSAC

Can we add some functions?

17

Through interface

Debugger?

Commands?

What is format?

#RSAC

Format looks like iHex or SREC

18

#RSAC

But for which controller is it?

19

#RSAC

LinkedIn isn't only for HR

20

#RSAC

..but it happens anyway

21

For me in a blackbox mode it looks like dead end

But does it means dead end at all?

Of course not!

#RSAC

Even with the stock firmware..

22







#RSAC

Reconnaissance first

23

I started with script + C

Bluetooth tools

adb to get GPS from phone

C code for sending

What to send?

#RSAC

Commands are partly known

24

#RSAC

So we can automate

25

#RSAC

Sensor will answer

26

#RSAC

What about the small DDoS?

27

Driving by, changing settings

Time: all traffic at night

Types: all traffic trucks

#RSAC

Python + PostgreSQL seems better

28

#RSAC

Resolve vendor and address offline

29

#RSAC

What to do further and else?

30







#RSAC

Side effects

31

Gather Wi-Fi data and filter it with Postgres views

MACs can be anonymous

WEP is still alive

#RSAC

Where is always place for fuzzing

32

Where are undocumented commands

#RSAC

So much other stuff

33

#RSAC

...even speeding penalties

34

Smart cities security perimeter if huge

So is the surface of attacks

Different authorities are in charge of the infrastructure

#RSAC

...And tools

35

#RSAC

What to apply?

36

Change appearance and default names

Don't rely only on standard authentication

Cooperate with third-party researches

Think a little bit like malefactor or hire someone who can

I know embedded devices vendors with generous bug bounty program. Respect

Cities also could participate

#RSAC

Summary

37

Smart city infrastructure is visible due to ID

Kudos to vendor, firmware is strong

Automation is possible with change of any settings

Interesting side effects with wireless protocols

Go further!

#RSAC

[email protected]

Denis Legezo

session id: tech-t09 smart megalopolises. how safe and … · 2018-03-20 · session id: #rsac...

Documents