Matteo Beccaro | Matteo Collura
Singapore – August 26th, 2016
Jan 15, 2017
About us ||
§ Matteo Beccaro
§ Founder & Chief Technology Officer at Opposing Force
§ The first Italian company specialized in offensive physical security
§ Twitter: @_bughardy_ | @_opposingforce
§ Web: www.opposingforce.it
About us ||
§ Doc. Matteo Collura
§ Bachelor of Science in Electronic Engineering
§ Currently studying “Nanotech for ICT” at Politecnico di Torino
§ Twitter: @eagle1753
Starting from May 2016, we are, with Opposing Force, members of
Agenda ||
§ What is a smart city?
§ Smart transport systems
§ Smart parking meter
§ Bike sharing
§ Public transport
§ What’s next?
What is a Smart City?
let’s focus on..
Smart Transportation Systems
Smart transportation systems ||
§ Smart traffic control
§ Smart parking
§ Smart street lighting
§ Smart public transport system
taxonomy for smart transportation systems
[Diagram: Citizens; Smart Traffic Control; Smart Lighting Control; Smart Transportation; Smart Parking System]
going into details…
Smart transportation systems ||
Private transport
Shared transport
Public transport
Smart transportation systems ||
Physical world data
Smart parking meter – case study ||
MCU
USB port
Display port
Smart parking meter – case study ||
Firmware analysis:
§ No integrity checks
§ No encryption or obfuscation
§ DFU can be easily obtained
Smart parking meter – case study ||
Firmware analysis results:
§ Attackers can upload a malicious firmware
Smart parking meter – case study ||
Debug interfaces:
§ JTAG port
§ SWD port
§ Debug traces
Smart parking meter – case study ||
CLIENT DOMAIN | EDGE DOMAIN | CLOUD DOMAIN
USB GSM
NFC
Smart parking meter – case study ||
CLIENT DOMAIN | EDGE DOMAIN | CLOUD DOMAIN
No data validation
Trust in the Edge Device provided information
Smart parking meter – case study ||
Communication analysis:
§ No integrity checks
§ No encryption
§ No authenticity checks
Smart parking meter – case study ||
$$\text{Fee} = \frac{\text{price per time unit} \times \text{fare frequency} \times \text{elapsed seconds}}{3600\ \text{seconds}} + \text{minimum fee}$$
Usually set to 0
Displayed
Not displayed
Displayed
Bike sharing – case study ||
Step 1. Step 2. Step 3.
Bike sharing – case study ||
Access method:
§ Mobile application
§ NFC card
Bike sharing – case study ||
Mobile application:
§ No obfuscation
§ Hardcoded vendor credentials
§ Multiple SQL Injections
Bike sharing – case study ||
NFC card:
§ MIFARE Ultralight
§ UID based
§ UID is also printed on the card
Bike sharing – case study ||
Step 1. Step 2. Step 3.
Bike sharing – case study ||
Physical issue:
§ The hook’s sensor is not very precise
§ Unlock a bike and slowly remove it from the hook
§ The sensor is still detecting the bicycle..
Bike sharing – case study ||
Physical issue:
§ It can be detected by the central system IF
I. The bike is left at another station
II. A bike is hooked to the previous station
Public transport – case study ||
Two existing systems
“Online” system
“Offline” system
Public transport – case study ||
Offline system
§ Lock Attack
§ Time Attack
Public transport – case study ||
Lock Attack
§ Abuse MIFARE Ultralight functionality
§ Set OTP page in read-only mode
§ No rides are removed
Page (DEC)   Page (HEX)     Byte 0   Byte 1     Byte 2       Byte 3
0            0x00           UID (bytes 0 to 3)
1            0x01           UID (bytes 0 to 3)
2            0x02           UID      Internal   Lock Bytes   Lock Bytes
3            0x03           OTP (bytes 0 to 3)
4 to 15      0x04 to 0x0F   Data (bytes 0 to 3)
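A validator-side check for the Lock Attack above, as an added example that is not from the original slides: refuse a ticket whose OTP page is locked, and read the OTP page back after stamping instead of trusting the write. Assumptions: one OTP bit is burned per ride, and the names `SimulatedUltralight`, `rides_left` and `stamp_ride` are hypothetical; the L-OTP bit position follows the MIFARE Ultralight lock byte layout.

```python
L_OTP = 0x08  # lock byte 0 (page 2, byte 2), bit 3: page 3 (OTP) is read-only


class SimulatedUltralight:
    """Constructed in-memory stand-in for the 16 x 4-byte page layout."""

    def __init__(self, otp=0, lock0=0):
        self.pages = [bytearray(4) for _ in range(16)]
        self.pages[2][2] = lock0
        self.pages[3][:] = otp.to_bytes(4, "big")

    def read(self, page):
        return bytes(self.pages[page])

    def write(self, page, data):
        # Only OTP writes are modelled; a locked OTP page refuses them.
        if page != 3 or self.pages[2][2] & L_OTP:
            return False
        # OTP bits can only go from 0 to 1, so new data is ORed in.
        self.pages[3] = bytearray(a | b for a, b in zip(self.pages[3], data))
        return True


def rides_left(card, total_rides):
    # Assumption: each set OTP bit is one consumed ride.
    used = bin(int.from_bytes(card.read(3), "big")).count("1")
    return total_rides - used


def stamp_ride(card, total_rides):
    """Consume one ride; return (accepted, reason)."""
    # 1. A ticket whose OTP page is locked can never be decremented.
    if card.read(2)[2] & L_OTP:
        return False, "otp-locked"
    otp = int.from_bytes(card.read(3), "big")
    if bin(otp).count("1") >= total_rides:
        return False, "no-rides"
    new = otp | (otp + 1)  # set the lowest clear bit
    # 2. Accept only if the write is acknowledged AND the read-back matches.
    acked = card.write(3, new.to_bytes(4, "big"))
    if not acked or int.from_bytes(card.read(3), "big") != new:
        return False, "write-not-verified"
    return True, "ok"
```

The read-back in step 2 also rejects a card or emulator that acknowledges the write without changing the OTP page.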
Public transport – case study ||
Time Attack
§ Abuse of multiple rides tickets
§ Reverse engineer the stamping date
§ Update the stamping date without removing rides
Public transport – case study ||
Online system
§ Replay Attack
Public transport – case study ||
Replay Attack
§ Use of UID changeable tickets or emulators
§ Bypass “software” encryption
§ Very difficult to fix
Agenda ||
§ What is a smart city?
§ Smart transport systems
§ Smart parking meter
§ Bike sharing
§ Public transport
§ What’s next?
smart city surveillance..
smart water management..
smart city lighting system..
smart traffic light system..
…a city?
Any question? Don’t be shy..
[email protected] | www.opposingforce.it | @_opposingforce