Hey, hey, hey everybody. I just wanted to take a second here to announce this section. We're gonna be talking today about abusing smart cities in the dark age of modern mobility. This is an especially interesting topic for me, as I live in a city that is still stuck in the dark ages in Texas. I also want you to be aware of the fact that we've got full Matteo redundancy in this presentation: we've got not one but two of them, in case one of them breaks. So I'm gonna turn it over to them.

So thank you everyone for coming and thank you for your time. We are going to steal just one hour from you. Okay, I'm Matteo, Matteo number one, Matteo Beccaro. I work in the security field as CTO of a small company in Italy, and we do offensive physical security. That's my Twitter, and if you want to just give feedback at the end of the talk, I'd be happy to reply to that.

There's me. I'm Matteo Collura and I got a bachelor's just two weeks ago, and I'm still a student, studying now in the field of nanotechnologies. So if you want, my Twitter as well; you'll find here my personal information. Starting from May we are, with Opposing Force, members of Securing Smart Cities, which is a non-profit organization which helps decision-makers to consider also security issues when implementing new solutions. And I will give the speech to my friend, who will start illustrating what we did.

Okay, so that's the agenda for today. We start by giving a little overview about what a smart city is, then we focus on a transportation system, a smart transportation system, and what we want to do is introduce a methodology for assessing those kinds of systems. Doing so, we also have three different case studies, one for each infrastructure in a smart transportation system, and we apply our method to these case studies. And then we see what's up next.

So let's start with what a smart city is. A smart city is usually composed of several critical infrastructures, as for example, you know, energy management, surveillance systems, water management, transportation systems and waste management. So for a city to be called smart, usually those infrastructures have to be connected in some way. They can be connected to some central system, or connected to each other to communicate and, you know, better manage the resources. In this presentation we are going to focus on transportation systems.

So let's focus on smart transportation systems. A smart transportation system itself is divided into several infrastructures: we may have traffic control, we may have a smart parking system, we may have smart street lighting systems and public transportation systems. So it's pretty complicated to work in this kind of environment, because we have multiple layers, multiple infrastructures, each one communicating with the others in unknown protocols. So what we are doing is trying to define a method to assess the system, to do it more easily, because that's what we do for a job. So we have to know how to do it as quickly as possible and in the best way we can.

So let's see quickly how a smart transportation system is usually composed. We have two methods, yeah, sorry, two different kinds of systems. The first one, in which every element, so for example the traffic control system, smart lighting control, smart parking and transportation, communicates with some central system; each central system then communicates with a more central system, and that central system aggregates the data from all the other systems and communicates information, usually useful information, to the citizen, like which is the best road to go to work, where is there less traffic today, and so on. And another kind of system is where each of the macro systems communicates directly with the user, and sometimes also directly with each other. So there is no need for a more central control system. Usually the central point of a smart city is always the citizen.
So all the infrastructures are there to be helpful to the citizen. Okay, let's go even more into detail. So, smart transportation systems: we have private transport, shared transport and public transport. With private transport we mean, like, a smart parking; with public transport we mean metro, bus, tram, trains, you name it; and with shared transport we mean the new transportation economy, like bike sharing, car sharing, etc. I drink a lot, so sorry for these interruptions.

Okay, that's one of the methods, one of the architectures, used to assess the system. So we try to reduce every infrastructure to this schema, in which we have an edge domain, and inside the edge domain there is the edge device that takes data from the physical world and sends this raw data to a cloud domain. The cloud domain is like the brain of our system and, you know, analyzes the data and sends commands back to the device, or sends information to the client domain, which can be like a mobile application for the citizen, etc. So the communication usually is always bilateral: the edge devices can both send data and receive commands, so they can act properly on the data they are sending. So for example, if there is no traffic, the traffic light is always green.

Okay, that's a little bit of introduction. Now let's go to our first case study, a smart parking meter system. We will show some vulnerabilities in that. Okay, that's the device, and let's make a little bit of introduction about how the device works. So the device is bought by the user at some shop, and then the device can be recharged, so you can store credit on the device, and you can do it both online from your home, so you connect the device to your computer, you register on the website of the company and then, using your credit card or PayPal or whatever, you can charge credit onto the device that can be used later. Or you can do the same procedure at some shops: so you go to the shop, you give the device, you pay in cash and the guy can charge your device.

Also, once the device has some credit, you can park your car and then turn on the device. You then have to select the proper location, because this device is available in more than 40 cities in Italy... actually I shouldn't say Italy, okay, in more than 40 cities worldwide, and it's growing. So you have to select the correct city, because each city has different fare zones. And once you select the city, you have to select the proper fare zone and activate the device for that. From now on, every minute, every second sorry, the device automatically calculates the fee you are paying and reduces that amount from your credit. So actually the benefit for the user is that the user doesn't have to bring, like, coins and cash to pay the parking, and he just pays for the exact time he is parking, and not for, like, half an hour or one hour more.

So these are some of the interfaces we found on the device. So there is a display port, which is for showing some information, we will see later. There is the USB port, which is used to connect the device through the so-called gateway, which is our computer that connects the device to the cloud system, and then we have our MCU. And all those interfaces have some vulnerabilities; we will show them in a few. I just need to drink again. At DEF CON there is a... I'll say, the first time you speak at DEF CON, they usually bring you shots of alcohol. They didn't do that. It's easier.
I don't know why. Yeah, anyway. The first analysis we did on the device was a firmware analysis, in which we found that there are no integrity checks. The firmware can be easily obtained in two different ways: we can intercept the communication between the gateway, so our PC, and the back-end system during an OTA update, so we can intercept the firmware, or we can extract the firmware directly from the MCU. In both cases unpacking the firmware was easy, and no integrity checks were present, no encryption of the firmware was present, and also no authenticity checks are present during the firmware upgrade. So the result is that an attacker can upload a malicious firmware, for example removing the reducing-of-the-credits part, so you can turn on the device, the device acts as it always did, but at the end of the day you always have the same credit on the device.

As I said before, there are some debugging interfaces present on the device. We used the JTAG port and the SWD port to extract, for example, the firmware. There are also other debug traces for all the components, so for each component present on the device you can actually intercept the data exchanged and inject other data.

So let's try to map our device onto the schema I showed you before. So for the edge domain we have the parking meter, which is connected via USB to our gateway, and the cloud domain. The cloud appliance is used for, like, remote charging of the device, to create invoices based on where you park and how much time you are out of your park, for example for expenses for the company, etc., and to do OTA updates. So the cloud domain then communicates with our client application, which is given to the inspectors. The inspector can use the application to check if you are paying the correct fee for your stay, if you are paying correctly. Another thing: usually the inspector checks if you are paying correctly just by looking at the display of the device, but there is also an NFC interface that the inspector can use to access the memory on the device.

So we did a communication security analysis, and the result was that there is no data validation between the edge device and the cloud domain. So we can both modify the data sent from the cloud to the device and from the device to the cloud. Moreover, all the trust in whether you are paying or not is in the device itself. So the inspector can actually only check if you are paying by looking at the device or accessing the memory on the device; you cannot check if you are paying correctly using the cloud data, because the device is not updating its status in real time. So as I said, there is no integrity check, no encryption, no authenticity checks. So this is a sample request we intercepted, and from that you can see, I don't know if you can see, but there are some parameters which are very useful, and this is a configuration file. So every time you connect your device to the gateway, the cloud appliance sends new configuration files for updating, like, fee zones, etc., if there are any new cities, and we can modify that configuration file.

Okay, so reversing the firmware, analyzing the communication and using some debug interface to better understand the data, we finally found the formula used by the device to calculate the fee. That's the formula. So we have the price per time unit, then we have the fare frequency, because in some cities you may have to pay every half an hour and not every hour, so it's another parameter. Then we have the time, the seconds elapsed from when you turn on the device, and then you divide all this by one hour, because usually it's one hour. And then we have to add the minimum fee, because in some parkings you have to pay at least one hour of parking even if you stay just for, like, ten minutes.

So as I said before, when you turn on the device the display shows you the price you are paying and the time you turned on the device. So those two parameters are actually displayed. So even if we modified the configuration files, so we can for example put the price per time unit at zero, that zero is displayed by the device, so the inspector can actually see you are committing a fraud. So that's not good. The minimum fee in all the cities at the moment is usually set to zero, so we don't have to care about that. So what's the only parameter we have to change to set the multiplication to zero? Because that's what we want: if we set the multiplication to zero then our fee is zero. So if you can change the fare frequency to zero, the whole formula is then zero, so we don't pay anything even if the correct configuration file is displayed, because the price per time unit we just set to the correct one, and the seconds we don't modify. The fare frequency is not displayed, so we can change it easily to zero from the configuration files. So we intercept the configuration file, change the value to zero and then the whole formula becomes zero.
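The fee formula and the zeroed fare frequency described above, as an added Python example that is not part of the talk or of the vendor's code: it reconstructs the formula from the spoken description, shows that the display stays identical while the fee drops to zero, and adds the plausibility and integrity checks the device was missing. The exact operator arrangement, the field names, the HMAC scheme and the device key are assumptions.

```python
"""Added example: the parking-meter fee formula from the talk, the zeroed
fare-frequency configuration, and the checks a hardened device would apply."""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass

# Constructed example key. In a real design it lives inside the MCU; it is
# never part of the configuration file the gateway passes through.
DEVICE_KEY = b"constructed-example-key-not-real"


@dataclass(frozen=True)
class FareZone:
    city: str
    zone: str
    price_per_time_unit: float  # shown on the display
    fare_frequency: float       # not shown on the display
    minimum_fee: float = 0.0    # usually zero, as the talk notes


def compute_fee(zone: FareZone, elapsed_seconds: int) -> float:
    """Fee as described in the talk: price per time unit, times fare frequency,
    times elapsed seconds, divided by one hour, plus the minimum fee.
    The operator arrangement is reconstructed from the spoken description."""
    raw = zone.price_per_time_unit * zone.fare_frequency * elapsed_seconds / 3600
    return round(raw + zone.minimum_fee, 2)


def display_line(zone: FareZone, start_hhmm: str) -> str:
    """What the inspector sees on the display: price per unit and start time only."""
    return f"{zone.city}/{zone.zone} {zone.price_per_time_unit:.2f} from {start_hhmm}"


def validate_zone(zone: FareZone) -> list[str]:
    """Plausibility checks the device should apply before accepting a zone.
    A zero fare frequency fails here even though the display would look right."""
    problems = []
    if zone.price_per_time_unit <= 0:
        problems.append("price_per_time_unit must be positive")
    if zone.fare_frequency <= 0:
        problems.append("fare_frequency must be positive")
    if zone.minimum_fee < 0:
        problems.append("minimum_fee must not be negative")
    return problems


def sign_config(zones: list[FareZone], key: bytes = DEVICE_KEY) -> dict:
    """Cloud side: serialise the zones deterministically and attach an HMAC tag."""
    body = json.dumps([asdict(z) for z in zones], sort_keys=True, separators=(",", ":"))
    return {"body": body, "mac": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


def load_config(signed: dict, key: bytes = DEVICE_KEY) -> list[FareZone]:
    """Device side: reject a config whose tag does not verify or whose values fail validation."""
    expected = hmac.new(key, signed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["mac"]):
        raise ValueError("configuration MAC mismatch: modified in transit")
    zones = [FareZone(**z) for z in json.loads(signed["body"])]
    for zone in zones:
        if problems := validate_zone(zone):
            raise ValueError(f"{zone.city}/{zone.zone}: " + "; ".join(problems))
    return zones


def config_accepted(signed: dict, key: bytes = DEVICE_KEY) -> bool:
    """Convenience wrapper: does the device accept this configuration?"""
    try:
        load_config(signed, key)
        return True
    except ValueError:
        return False


def tamper_fare_frequency(signed: dict) -> dict:
    """Model the modification from the talk: only fare_frequency is rewritten to 0
    on the gateway. The old tag is kept, because the gateway has no device key."""
    body = signed["body"].replace('"fare_frequency":1.0', '"fare_frequency":0.0')
    return {"body": body, "mac": signed["mac"]}


if __name__ == "__main__":
    genuine = FareZone("Example City", "A", 2.0, 1.0)   # constructed zone
    zeroed = FareZone("Example City", "A", 2.0, 0.0)    # same display, zero fee
    print(display_line(genuine, "09:00"), compute_fee(genuine, 1800))  # 1.0 after 30 min
    print(display_line(zeroed, "09:00"), compute_fee(zeroed, 1800))    # 0.0, same display
    signed = sign_config([genuine])
    print("genuine accepted:", config_accepted(signed))                           # True
    print("tampered accepted:", config_accepted(tamper_fare_frequency(signed)))   # False
```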
So that's why we call our formula our Holy Grail. Using this vulnerability, and this vulnerability is pretty easy to exploit, we actually wrote a little script that allows you to, like, do everything automatically. So you can just plug the device into the computer and, like, I don't know, in maybe three or four seconds your device is, like, for every city present in Italy or not, actually, you pay zero for parking. Moreover, we also developed a firmware in which the fee payment is removed, so we display the correct information, but we don't remove the credits from the memory. So multiple vulnerabilities allow you to actually not pay for parking. That's a good thing, right? Okay, I'll now leave the floor to my colleague, who will talk about the next two case studies.

Okay. Yeah, a little spoiler, but we will go on speaking now about shared transport, shared transportation systems, and in particular we will speak about bike sharing. Well, our case study was divided into three steps. Essentially, the first step is the one in which you go to the station where all the bikes are located and you unlock yours; the second step is the funniest, you ride the bike; and the third one is when you lock it again and you walk away. So let's go step by step, from the first one.

So the picture shows that the ways to unlock your bike are essentially two. The first one is, say, more physical: you need an NFC card, and the NFC card will be checked, here we will see how, and will unlock the bike. The other way to unlock is by using a mobile application on our mobile device, so the station is speaking with the cloud, or the back end, that authorizes the unlocking of the bike. Let's see more in detail. This is one of the stations, and as you can see on the top there is an NFC reader for the card, and as I said before there are those two methods in order to unlock the bike. Let's focus on the first one.

So, the mobile application. At first we decompiled the app and we found that there is no obfuscation in the code, and so that helped us a lot in order to understand how the whole procedure works. But moreover, one of the critical points is that the vendor credentials are hardcoded, and obviously we obfuscated them here because we don't want to say the name of any company here. And the critical point is that with those credentials you are allowed to create new users, charge some credits on those users, activate the users and unlock a bike in real time, wherever it is. So it is quite dangerous, I mean. And moreover there are some APIs here that are vulnerable to SQL injection, and of course for legal reasons we did not make any attempt to exploit them. So I will skip this part, and there is a private Q&A session later.

Let's move to the card analysis. Okay, I hope you don't recognize the city, but it's okay, let's go on. It's in Italy, as I said before, and that's the second mistake. Okay, it's an Ultralight NFC card. So we all know that Ultralight does not have any encrypted data on it. Well, the protocol is not encrypting the data inside, so everyone can read it easily, and there is no authentication while reading the card. So if I can get one of those cards I can easily read it with my smartphone or another reader, and the only identification parameter in it, the unique identification parameter, is the UID, which identifies one and only one user. So all the sensitive information to unlock the bike relies on the UID. And if you look closely at that card, just look inside that rectangle, I don't know if you see that number. Please raise your hand if you guess what that number is. Please do. Yes, you're right. It is the UID, but reversed. So I don't know who decided to put the UID in that place. Well, of course it is simple to read it with a reader, but they make this procedure easier for you.

Let's go further and analyze the other steps. Well, there is a physical issue we found in the stations, because the only way the station is able to understand if the bike is properly locked or is inserted is by a sensor inside that little piece of metal you see in the, yeah, in the hole. And if you slightly remove the bike as soon as you unlock it, but just a few centimeters, if the distance is short the sensor will not... well, the station is not going to understand that the bike has been removed, and so after a minute or 30 seconds, I don't remember, the unlocking process goes into timeout and the station locks the bike again. The point is that the bike has slightly been unlocked, so the lock is not actually locking the bike, and you can extract the bike, and the station will feel as if the bike has not been unlocked. The point is that the central system can detect this issue in two ways. The first one is that you leave the bike in another station, so the central system will see: okay, I have bike number one-two-three in station one and at the same time in station two, so there is something wrong. And the other critical point is if there is another bike that is going to be left in that station: the central system will understand that there are two bikes in the same location.
So it is actually a problem. And that's all for the shared transportation systems. And what about the public transportation systems? We defined two different architectures. The first one we called the offline system, because each of the bus, metro or tram, whatever they are, is speaking with a back end, and the back end is unilaterally speaking with the UID blacklist, or a database which is recording all the possible tickets that have run out or are banned, I don't know. And the other architecture we called the online system, because the difference is that the UID blacklist can interact with the stamping machines that are located on the bus, metro or whatever.

So let's start with the first architecture. We spotted two main vulnerabilities. The first one is called the lock attack, and actually it's quite easy to understand, because the sector where the rides are located, that is the OTP one, can be made read-only if we set one bit in the lock bytes to one. So it's quite an easy hack, let's say, and no rides will be removed when you stamp your ticket because it is read-only. So essentially it's quite easy also to fix this vulnerability, but it will work, essentially, well, it was working. And the second one we are talking about is the time attack, and this is nicer because you don't have to make any modifications to the lock sector and to the OTP, so you leave essentially all the rides as they were, and you find the place where the timestamp of the last validated ticket is stored.
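The lock attack just described, seen from the validator's side, as an added Python example that is not from the talk or from any transit operator: it reads the Ultralight lock bytes in a ticket dump and refuses to stamp a ticket whose OTP page has been made read-only, which is the easy fix the speaker alludes to. The page layout (lock bytes in page 2, OTP in page 3) is the MIFARE Ultralight standard; representing rides as OTP bits, the ride count and the dump contents are constructed assumptions.

```python
"""Added example: detecting the lock attack from the talk on a MIFARE Ultralight
ticket dump. Storing rides as OTP bits is our modelling assumption, not the
transit operator's confirmed format."""

PAGE_SIZE = 4
PAGES = 16                # MF0ICU1 has 16 pages of 4 bytes
LOCK_PAGE = 2             # lock byte 0 is byte 2 of page 2, lock byte 1 is byte 3
OTP_PAGE = 3              # one-time-programmable page: bits can only go 0 -> 1
L3_BIT = 0x08             # lock byte 0, bit 3: page 3 (OTP) becomes read-only
BL_OTP_BIT = 0x01         # lock byte 0, bit 0: freezes the L3 bit itself
OTP_BITS = PAGE_SIZE * 8  # 32 ride "slots" in our model


def page(dump: bytes, n: int) -> bytes:
    return dump[n * PAGE_SIZE:(n + 1) * PAGE_SIZE]


def otp_locked(dump: bytes) -> bool:
    """True when the OTP page has been made read-only through the lock bytes."""
    return bool(page(dump, LOCK_PAGE)[2] & L3_BIT)


def rides_used(dump: bytes) -> int:
    """Model: each ride burns one OTP bit, so used rides = number of set bits."""
    return bin(int.from_bytes(page(dump, OTP_PAGE), "big")).count("1")


def stamp(dump: bytes) -> bytes:
    """Model the card write on validation: set the next OTP bit.
    A locked page refuses the write, which is exactly why the attack keeps its rides."""
    if otp_locked(dump):
        return dump
    used = rides_used(dump)
    if used >= OTP_BITS:
        return dump
    otp = int.from_bytes(page(dump, OTP_PAGE), "big") | (1 << (OTP_BITS - 1 - used))
    before, after = dump[:OTP_PAGE * PAGE_SIZE], dump[(OTP_PAGE + 1) * PAGE_SIZE:]
    return before + otp.to_bytes(PAGE_SIZE, "big") + after


def validate_ticket(dump: bytes, total_rides: int = 10) -> tuple[bool, str]:
    """Checks a validator should run before accepting a stamp. The lock-byte check
    is the one the vulnerable validators in the talk were missing."""
    if len(dump) != PAGES * PAGE_SIZE:
        return False, "unexpected dump length"
    if otp_locked(dump):
        return False, "OTP page is read-only: lock attack suspected"
    used = rides_used(dump)
    if used >= total_rides:
        return False, "no rides left"
    return True, f"{total_rides - used} rides left"


def make_dump(lock0: int = 0, otp: bytes = b"\x00" * 4) -> bytes:
    """Constructed 64-byte dump: dummy UID/BCC bytes in pages 0-1, the given
    lock byte 0 and OTP page, and blank user pages 4-15."""
    header = bytes([0x04, 0x11, 0x22, 0x37, 0x44, 0x55, 0x66, 0x77])  # constructed, not real
    lock_page = bytes([0x00, 0x00, lock0, 0x00])
    return header + lock_page + otp + b"\x00" * (PAGE_SIZE * (PAGES - 4))


if __name__ == "__main__":
    honest = make_dump()
    print(validate_ticket(honest), "->", validate_ticket(stamp(honest)))
    locked = make_dump(lock0=L3_BIT | BL_OTP_BIT, otp=b"\x80\x00\x00\x00")
    print(validate_ticket(locked), "stamp changed card:", stamp(locked) != locked)
```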
So the only task is to reverse the timestamp and find the initial time when they start counting the minutes. So as soon as we reversed those data, for example here we put a red rectangle around that area, and we found the initial date was something around 2005, first of January. Yeah, don't say it. And we found that, and so that way we are able to forge our own timestamp and validate our ticket without touching the rides, because the ticket is valid for some minutes, 90 minutes or whatever, and so you will always have a valid ticket.

And what about the online systems? Those kinds of systems are not vulnerable to the previous ones, but are vulnerable to the replay attack. Well, offline systems are also vulnerable to the replay attack, but I will explain now. And with the replay attack you have a lot of possibilities, and it will be a serious problem, because if you use some emulators or clone tickets, the ones from China for example, there are no rules: they act like Mifare Ultralight, but they are not, or other Mifare, maybe Classic, et cetera, but they are not following the standard rules and the protocols. They are completely erasable and changeable. So you are allowed to change the UID, forge new UIDs with a valid structure, because you can clone your ticket with a valid structure, even if it is encrypted, you change the UID and then you can stamp it and bypass any software encryption, because the validating machine does everything by itself. And moreover, you can also use the same ticket: you clone it onto your clone one, you increase one ride and you stamp the clone one, and then you come back to the previous ticket, the original one, copying all the data sectors and whatever you have, so it will be perfectly indistinguishable from the previous one, and it is valid. And the problem is that the implementation of a white list would be a problem in our systems, because the white list must be updated on all the stamping machines in real time.

Think about if you go to buy a new ticket from a shop: that ticket must be usable immediately, as soon as you buy it. So the implementation of a white list is a serious problem, and it will mean, well, you will need to build a completely new infrastructure, if you already deployed one, to implement such a thing. So it will be a very, very difficult task.

As regards future works, what's next? Well, we studied... this is the picture we saw before, and we spoke about energy management, surveillance systems, water management. So let's start with the smart city surveillance, and those kinds of cameras can be used for... well, they have multiple uses. One of those uses can be for policemen to charge people, maybe going with their car into restricted areas, for example limited traffic areas, and they can snap a picture of your plate and send you a fine for entering there. But how is the connection made between those cameras and the main back end? Well, we still have to understand how. And then we have something on water management: maybe there are some counters that are revealing how much water each one of us is using, and applying a charge for each cubic meter of water. I don't know if you use here those kinds of units of measurement, but the amount of water unit, yeah, imperial is different from metric, but I hope it is clear the same way. And so those kinds of systems have to be interconnected with a central infrastructure that evaluates the right fee to be charged to each user. But what about, for example, the smart city lighting system? And this way we are going to illustrate, for example, how the lighting for a street, maybe, or some buildings, how to save money by turning lights on or off when it is not necessary. So what is the...
What is the algorithm a central system can use to turn on or off those kinds of lights? That will be a central point for future works. And finally the smart traffic light system, and some new technologies about making the green light last longer if the road is quite crowded, and maybe preventing it from turning red if there is no car on the crossing road. But if those systems are interconnected badly, let's say, and the connection is not secure, maybe a malicious user can turn it red often, and well, the green on the other side could be a mess. There was a paper published by Cesar Cerrudo about traffic systems; you can check about that. Yes, Securing... yeah, Securing Smart Cities. Yeah. And finally, one of the challenges, what, okay? We can test all those infrastructures, but our final challenge will be hacking a whole city. Yeah, so as you saw we have, like, material for you or for DEF CON. Good. Well, you can see us next year probably. Sure, and if you have some, yeah, I suggest you would recommend some cities to be hacked. Yeah. Or to sponsor us. You just need to pay the flight, a five-star hotel, and then we can work something out, no problem. You forgot the suite. Yeah, five stars, suite, enough. I started the last story... One each, we don't share. Okay, just to be clear. Yeah, yeah, sure. Okay, so I think there are something like 1500 people here now. Any question? Don't be shy. Come on. It's written: don't be shy. It's a Q&A session. Okay, do we have a microphone, how does it work? Yeah, goons? We need a microphone. I think mine is here. Oh, okay, you have to come here, you have to do the work.

Oh, on a replay attack, rather than copying it to another device, couldn't you just copy it, make a gold image, and then after you've used it, replay that back onto the original device?

Yeah, you can do that, but the problem is when you have the blacklist: sometimes your ticket can be put on the blacklist because it actually behaved in a not correct way. So what we did is to inject new UIDs, so the system doesn't recognize it; if every time you stamp the ticket you put a new ID, this new ID has no previous behavior, so they don't ban it. Other question? Just stand up and go to the microphone. We have, like... yes, yes. So we won't go anyway. Please ask, you have to stay inside, close the doors. Okay, thank you. You have a question? It's for you, not for us. Thank you.

Singapore is having a real big surge with a smart nation. One of the things that they're doing is they're having a big push, in the name of elder care, for monitoring in the home. Are you seeing that in Europe?

No, at least not in Italy. Well, we are from Italy, now maybe you hadn't understood that, but not in Italy. We think it's an interesting thing, because we actually never thought about that, but we are going to present the same research in Singapore next month at GSEC. Yeah, this month, in two weeks, at the end of the month, at GSEC. So maybe there are some, like, interesting points to speak about.

Can you tweet where you're doing this, the information? Because I live in Singapore, I'd like to attend.

Okay, you can come later and we give you the link. Yeah, whatever.

Yeah, yeah, but something very weird happened. Yeah, we charged ourselves like 10 times what we owe? Oh, yeah, so there must be something more in that formula. Reversing the firmware, there are some, like, very strange things, like some weird vulnerabilities in which you can, like, overflow the whole system and crash it. But yes, we tried.

So in Chicago we have a different bike share system with a different lock at the front of the bike, which I believe... I'm not sure if this hack will work or not on it. So I'm wondering if you've looked into other hacks for bike share that aren't reliant on the locking mechanism. And then also our bikes have GPS, so have you figured out how to, if you wanted to literally steal the bike, how do you overcome the GPS?

So you have a GPS on the bike. Okay, there was a talk, I think last year, at Black Hat or DEF CON, or both probably, about spoofing GPS data with an SDR, so you can actually bring your SDR, now in a backpack with a battery, and, like, spoof the data and meanwhile steal the bike legally. It's a principle we are also trying to apply to car sharing, because they check your mileage and where you are going and they charge money for that. So it's an interesting thing.

Anyone else? Three minutes, maybe four, or five. Okay, thank you very much for coming. Thank you for your hour. Yeah, thanks, we really appreciate it. Also, thanks to all our sponsors. Yeah, that's it.