00:00:01.101 >> Hey hey hey everybody. I just wanted to take a second here to announce the section that we're going to be talking about today: Abusing Smart Cities in the Dark Age of Modern Mobility. This is an especially interesting topic for me, as I live in a city that is still stuck in the dark ages in Texas. I also want you to be aware of the fact that we've got full Matteo redundancy in this presentation. Not one but two of them, in case one of them breaks. So I'm gonna turn it over to the

00:00:31.832 [snap sound] [pause] >> So thank you everyone for coming, and thank you for your time. We are gonna steal you just 1 hour. Okay, I'm Matteo, Matteo [indiscernible]. I work in the security field as CTO of a small company in Italy, and we do offensive physical security. That's my Twitter, and if you want to give feedback at the end of the talk I'd be happy to reply to that. [pause]

00:01:02.729 >> And that's me. I'm Matteo Collura and I got a bachelor's just 2 weeks ago. I'm still a student, studying now in the field of nanotechnologies for our cities. So if you want my Twitter as well, you find here my personal information. And [clears throat] starting from May we are, with Opposing Force, a member of [indiscernible] Cities, which is a non-profit organization which helps the decision makers to consider also security issues when implementing new solutions.
00:01:44.271 And I will give the speech to my friend, that will start illustrating what we did.

00:01:48.608 >> Okay, so that's the agenda for today. We start giving a little overview about what [indiscernible] is. Then we focus on the transportation system, the smart transportation system. And what we want to do is introduce our methodology for assessing this kind of system. And doing so we also have a few case studies, one for each infrastructure in a smart transportation system, and we apply our method to these case studies. And then we see what's up next.

00:02:22.943 So let's start with what smart cities are. A smart city is usually composed of several critical infrastructures, as for example energy measurement, surveillance systems, water management, transportation systems and waste management. So for a city to be called smart, usually those infrastructures have to be connected in some way. They can be connected to some central system or connected to each other, to communicate and, you know, better manage the resources. In this presentation we're going to focus on transportation systems.

00:03:03.216 So [pause] let's focus on smart transportation systems. A smart transportation system itself is divided in several infrastructures. We may have traffic control. We may have a smart parking system. We may have a smart street lighting system. And public transportation systems. So it's pretty complicated to work in this kind of environment, because we have multiple layers, multiple infrastructures, each one communicating with the others in unknown protocols. So what we are doing is trying to find a method to assess the system, to do it more easily, because that's what we do for a job. So we have to do it as quickly as possible and in the best way we can.

00:03:53.934 So let's see quickly how a smart transportation system is usually composed. We have 2 different kinds of systems. The first one, in which every element, so for example traffic control systems, smart lighting control, smart parking and transportation, communicates with some central system. Each central system then communicates to a more central system. And that central system aggregates the data from all the other systems and communicates information, usually useful information, to the citizens. Like what is the best road to go to work, where is there less traffic today, and so on. Another kind of system is where each of the micro systems communicates directly to the user, and sometimes also directly to each other. So there is no need for a more central control system. Usually the central point of the smart city is always the citizen.

00:04:59.533 So all the infrastructures are thought to be helpful to the citizen. Okay, let's go even more in detail. So, smart transportation system. We have private transport, shared transport and public transport. With private transport we mean like smart parking. With public transport we mean metro, bus, tram, trains, you call it. And with shared transport we mean the new transportation economy, like bike sharing, car sharing, etc. [pause until 5:41] I drink a lot, so sorry for these interruptions. [pause]

00:05:46.179 Okay, that's one of the methods, one of the architectures used to assess the system. So we try to reduce every infrastructure to this schema, in which we have the net domain, and inside the net domain there is the edge device, that takes data from the physical world and sends this raw data to our cloud domain. The cloud domain is like the brain of our system, and it analyzes the data and sends commands back to the device, or sends information to the client domain, which can be like a mobile application for the citizens, etc. So the communication is usually, is always bilateral, so the edge devices can both send data and receive commands, so they can act properly on the data they send. So for example, if there is no traffic the traffic light is always green. [pause until 6:53]

00:06:51.878 Okay, that's a little bit of introduction. Now let's go to our first case study.
00:07:02.455 Our smart parking meter system. We wish [indiscernible] about that. [pause until 7:13] Okay, that's the device. And let's make a little bit of introduction about how the device works. So the device is bought by the user at some shop. And then the device can be recharged, so you can store credit on the device. And you can do it both online, from your home, so you connect the device to your computer, register on the website of the company and then, using your credit card or PayPal or whatever, you can charge credits on the device that can be used later. Or you can do the same procedure at some shops. So you go to the shop, you give the device, you pay in cash and the guy can charge your device.

00:07:57.911 Once the device has some credit you can park your car and then turn on the device. You then have to select the proper location, because this device is available in more than 40 cities in Italy. Actually, I shouldn't say Italy. Okay, in more than 40 cities worldwide [laughter], and it's growing. So we have to select [indiscernible] the correct city, because each city has different fare zones. And once you select the city you have to select the proper fare zone and activate the device.

00:08:36.549 From now on, every minute, every second sorry, the device automatically calculates the fee you are paying and reduces that amount from your credit. So actually the benefit for the user is that the user doesn't have to bring coins and cash to pay the parking, and he just pays for the exact time he's parking and not for like half an hour or 1 hour over.

00:09:05.412 So these are some of the interfaces we found on the device. So there is a display part, which is for showing some information we see later. There is the USB port, which is used to connect the device through the so-called gateway, which is our computer that connects the device to the cloud system. And then we have our [indiscernible]. And all those interfaces have some form of [indiscernible]. We install them in a few. I just need to drink again. [pause until 9:39]

00:09:20.193 At DEF CON there is, how to say? The first time you speak at DEF CON they usually bring you shots of vodka. They didn't do that this year. I don't know why. This is all. [off mic comment] Yeah. Anyway, the first analysis we did on the device was a firmware analysis, in which we found that there were no integrity checks. The [indiscernible] can be easily obtained in 2 different methods. We can intercept the communication between the gateway, so our PC, and the backend system during an OTA update. So we can intercept the firmware. Or we can extract the firmware directly from the MCU. In both cases the unpacking of the firmware was easy, and no integrity checks were present, no encryption in the firmware was present, no [indiscernible], and no authenticity checks are present during the firmware upgrade [indiscernible]. So the result is the attacker cannot [indiscernible] malicious firmware. For example, removing the reducing of the [indiscernible] part. So you can turn on the device, the device acts as it has always been, but at the end of the day you have always the same credit on the device. [pause]

00:10:51.551 As I said before there are some debug interfa [cough] sorry. There are some debugging interfaces present on the device. We used the JTAG port and the SWD port to extract, for example, the firmware. There are also other [indiscernible] for all the components. So for each component present on the device you can actually intercept the data exchanged and inject other data. So let's try to reconduce our device to the schema I showed you before. So in the [indiscernible] domain we have the parking meter, which is connected to the USB through our gateway, and the cloud domain. The cloud appliance is used for, like, remote charging the device, to create invoices based on where you park and how long you park, for example for expenses for the company, etc., and to [indiscernible]. So the cloud domain communicates to a client application which is given to the inspectors. The inspector can use the application to check if you are paying the correct fee for your stay, if you are paying correctly. Another thing: usually the inspector checks if you are paying correctly just by looking at the display of the device, but there is also an [indiscernible] interface that the inspector can use to access memory on the device.

00:12:21.140 So we didn't have communications security, it did not exist, and the results were that there is no data validation between the edge device and the cloud domain. So we can both modify the data sent from the cloud to the device and from the device to the cloud. And moreover all the trust in whether you are paying or not is in the device itself. So the inspector can actually check only if you are paying by looking at the device or accessing the memory on the device. It cannot check if you are paying correctly using the cloud data, because the device is not updating its status in real time.

00:13:06.352 [pause] So as I said there is no integrity check, no encryption, no [indiscernible] checks. So this is a sample request we intercepted, and from that you can see, I don't know if you can see, but there are some parameters which are very useful. And this is our configuration file. So every time you connect your device to the gateway, the cloud appliance sends new configuration files for updating like fee zones etc., if there are any new cities. And we can modify that configuration file.

00:13:41.087 Okay, so reversing the firmware, analyzing the communication and using some debug interface to understand the data better, we finally found this formula used by the device to calculate the fee. That's the formula. So you have the price per time unit. Then we have the fare frequency, because in some cities you may have to pay every half an hour and not an hour. So it's not a parameter. Then we have the time, the seconds elapsed from when you turn on the device. And then you divide all this by 1 hour, because usually it's 1 hour. And then we have to add the minimum fee, because in some parking you have to pay at least 1 hour of parking, even if you stay just for like 10 minutes. So as I said before, when you turn on the device the display shows you the price you are paying and the time you have turned on the device.

00:14:38.511 So those 2 parameters are actually displayed, so even if we modify the configuration files, for example if we put the price per time unit at 0, that 0 is displayed by the device. So the inspector can actually see we are committing a fraud. So that's not good. The minimum fee in all the cities at the moment is usually set to 0, so we don't have to care about that. So what's the only parameter we have to change to bring the multiplication to 0? That's what we want. If you set the multiplication to 0 then our fee is 0. So if you can change the fare frequency to 0, all the formula is then 0. So we don't pay anything, even if the correct configuration file is displayed, because the price per time unit, we just set the correct one, and it's the seconds, we don't modify that. The fare frequency is not displayed. So we can change it easily to 0 from the configuration files. So intercept the configuration file, change the value to 0 and then the whole formula becomes 0. So that's why we call our formula our central ground. And using this vulnerability, pretty easy to exploit, we actually wrote a little script that can allow you to do everything automatically.

00:16:07.533 So you can just plug a device into the computer and, like, I don't know, maybe 3 or 4 seconds, your device is like, every city present in Italy or not, actually you pay 0 for parking. Moreover we also [indiscernible] firmware in which the fee payment is removed. So we display the correct information but we don't remove the credits from the memory. So multiple vulnerabilities allow you to actually not pay for parking. That's a good thing, right? Okay, I'll now leave the word to my colleague, which will talk about the next 2 case studies. [pause]

00:17:06.893 >> Okay. [pause] Oops. Okay. [off mic comments] We'll go on speaking now about shared transport, shared transportation systems, and in particular we'll speak about bike sharing. Well, our case study was divided into 3 steps, essentially. The first step is the one in which you go to the station where all the bikes are located and you unlock yours. The second step is the funnest: you ride the bike. And the third one is when you lock it again and you walk away. So let's go step by step. From the first one, the picture shows that the ways to unlock your bike are essentially 2. The first one is more physical. You need an NFC card, and the NFC card will be checked. Here we will see how. It will be checked and unlock the bike.
00:18:10.690 The other way to unlock is by using a mobile application on our mobile device. So the station is speaking with a cloud, or the beacons, that authorizes the unlocking of the bike. Let's see more in detail. This is one of the stations. And as you can see on the top there is an NFC reader for the card. And as I said before there are those 2 accessible methods in order to unlock the bike. Let's focus on the first one, so the mobile application. So at first we decompiled the app. And we found that there is no [indiscernible] on the code, and so that helped us a lot in order to understand how the whole procedure works. But moreover, one of the critical points is that the [indiscernible] credentials are hard coded. And obviously we [indiscernible] them here because we don't want to say the name of any company here. And the critical point is that with those credentials you are allowed to create new users, charge some credits on those users, activate the users, and unlock a bike in real time, wherever it is. So it is quite dangerous, I mean. And moreover there are some APIs here that are vulnerable to a [indiscernible] injection. And of course for legal reasons we did not make any attempt to exploit them. So I will skip this part. An [laugh]

00:20:04.470 >> There is a private Q&A session later. [laughter]

00:20:08.474 >> Let's move to the card analysis. Okay, I hope you don't recognize this city. But it's okay. Let's go on. It's in Italy, but as she said before
>> It's not.
>> Second [laugh], the second mistake. Okay. It's a [indiscernible] light NFC card. So we all know that [indiscernible] light does not have any encrypted data on it. Well, the protocol is not encrypting the data inside, so each one can read it easily. And there is no authentication while reading the card. So if I can get one of those cards I can easily read it with my smartphone or another reader. And the only unique identification parameter in it is the UID, which identifies one and only one user. So all the sensible information relies in the UID to unlock the bike. And if you look close to that card, just look inside that rectangle. I don't know if you see that number. Please raise your hand if you guess what that number is. Please do. Yes, you're right. It is the UID but in reversed way. So I don't know who decided to put the UID in that place, but of course it is simple to read it by a reader, but [indiscernible] this procedure. Let's go further and analyze the other steps.

00:22:00.352 Well, there is a physical issue we found in the stations. Because the only way the station is able to understand if the bike is properly locked or is inserted is by a sensor inside that little piece of metal you see in the hole. And if you slightly remove the bike as soon as you unlocked it, but just a few centimeters, the distance is short, the station is not going to understand that the bike has been removed. And so after a minute or 30 seconds, I don't remember, the unlocking process goes in timeout and the station locks the bike again. The point is that the bike has slightly been unlocked, so the lock is not actually locking the bike. And you can extract the bike, and the station will feel as if the bike has not been unlocked. And the point is that the central system can detect this issue in 2 ways. The first one is that you leave the bike in another station. So the central system will see, okay, I have the bike number 1 2 3 in station 1 and at the same time in station 2, so there is something wrong. And the other critical point is if there is another bike that is going to be left in that station: the central system will understand that there are 2 bikes in the same location, so it is actually a problem. And that's all for the shared transportation systems. And what about the public transportation systems?
00:24:01.740 We defined 2 different architectures. The first one we called offline system, because each of the bus, metro, tram, however, they are speaking with a backend, and the backend is unilaterally speaking with a UID blacklist or database which is recording all the possible tickets that have run out or [indiscernible]. And the other architecture we called online system, because the difference is that the UID blacklist can interact with the stamping machines that are located on the bus, metro or whatever.

00:24:48.687 So let's start with the first architecture. We spotted out [indiscernible] vulnerabilities. The first one is called lock attack. And actually it's quite easy to be understood, because the sector where the rides are located, that is [indiscernible] 1, can be made read only if we set 1 bit in the lock byte to 1. So it's quite easy [indiscernible], let's say. And no rides will be removed when you stamp your ticket, because it is read only. So essentially it's quite easy also to fix this vulnerability. But it will work, essentially, because it's working. And the second one we are talking about is the time attack. And this is nicer, because you don't have to make any modifications to the lock sector and to the auto pay.

00:25:54.353 So you leave essentially all the rides as they were, and you find the place where the timestamp of the last validated ticket is stored. So the only task is to reverse the timestamp and find the initial time when they start counting the minutes. So as soon as we reversed the data, for example here we put our red rectangle around that area, and we found the initial date was something around 2005, I don't remember.
>> First generally
>> [laugh] Yeah, don't say it loudly. And we found that, and so that way we are able to forge our own timestamp and validate our ticket without touching the rides. Because the ticket is valid for some minutes, 90 minutes or whatever. And so you will always have a valid ticket.

00:27:03.388 And what about the online systems? Those kinds of systems are not vulnerable to the previous ones but are vulnerable to the replay attack. Well, offline systems are also vulnerable to the replay attack, but I will explain now. And [indiscernible] by replay attack you have a lot of possibilities, and it will be a serious problem. Because if you use some emulators or clone tickets, the one from China for example, there are no rules. They act like [indiscernible] but they are not. Or other [indiscernible], maybe plastic [indiscernible] etc., but they are not following the standard rules and, there probably was, they are completely erasable and changeable. So you are allowed to change the UID, forge new UIDs with a valid structure, because you can clone your ticket with a valid structure. Even if it is encrypted you change the UID and then you can stamp it and bypass any software encryption, because the validating machine makes everything by itself. And moreover you can also use the same ticket: you clone it on your clone one, you increase 1 ride and you stamp the clone one, and then you come back to the previous ticket, the original one, copying all the data sectors. And whatever you have, so it will be perfectly indistinguishable from the previous one. And it is valid. And the problem is that the implementation of a whitelist would be a problem in our systems, because the whitelist must be updated on all the stamping machines in real time. Think about if you buy a new ticket from a shop. That ticket must be usable immediately, as soon as you buy it. So the implementation of a whitelist is a serious problem. And it will mean, well, you will need to build a completely new infrastructure if you're ready to point one to demand such a thing. So it will be a very very difficult task. As regards future works, what's next?
Well [pause] we started... this is the picture we saw before. And we spoke about energy management, surveillance systems, water management. So let's start with smart cities surveillance. And those kinds of cameras can be used for multi... well, they have multiple uses. One of those uses can be for policemen to charge people maybe going with their car into restricted areas, for example limited traffic areas. And they can snap a picture of your plate and send you a fine for entering that. But how is the connection made between those cameras and the main backend? Well, we still have to understand how. And then we have something on water management. Maybe there are some counters that are billing how much water each one of us is using, and applying the charge for each cubic meter of water. I don't know if you use here those kinds of units of measurement, but the amount of water
>> [off mic comment]
>> Yeah, imperial is different from metric but I hope it is clear the same way. And so those kinds of systems have to be interconnected with a central infrastructure that evaluates the right fee to be charged to each user. But what about, for example, the smart city lighting system? And this way we're going to illustrate for example how the lighting for a street,
maybe or some buildings, how to save money by turning lights on or off when it is not necessary. So what is the algorithm a central system can use to turn on or off those kinds of lights? That will be a center point for future works. And finally the smart traffic lights system. And some new technologies about making the green light last longer if the road is quite crowded, and maybe preventing it from turning red if there is no car on the crossing road. But if those systems are interconnected and badly, let's say [indiscernible] badly, and the connection is not secure, maybe [indiscernible] user and turn red often, and well, the green on and the green on the other side could be a mess.
>> Yeah, there was a paper published by Susan [indiscernible] about traffic systems. You can check about that.
>> Yes
>> Interesting thing.
>> [Indiscernible]
>> [Indiscernible]
>> And finally
>> One of the traf... okay, we can test all those infrastructures but our final challenge will be hacking a whole city.
>> Yeah
>> So as you saw we have like material for you or for DefCon. So [laugh] good, you can see us in the next year probably.
>> Sure, and if you have some
>> Yeah
>> [indiscernible] you will recommend some cities to be hacked
>> Yeah we are
>> sponsor us, we are
>> We just need to pay a five star hotel and then we can work something out. No problem.
>> Eh, you forgot a suite.
>> Yeah, a suite in a five star hotel. Sorry. [laugh] One each. We don't share. [laugh] Just to be clear.
>> Yeah yeah sure.
>> Okay so I figure there are something like 15 hundred people here now. Any question? [pause]
>> Don't be shy. Come on.
>> It is written "don't be shy". It's a Q&A session. Okay.
>> Do we have a microphone for?
>> How does it work?
>> Yeah
>> Goons? We need a microphone. [pause]
>> Right, Goons are here
>> Ah, the microphone is here
>> Oh okay, you have to come here. You have to do work. [pause]
>> So on the replay attack, rather than copy into another device, couldn't you just copy it, make a gold image, and then after you've used it replay that back onto the original device?
>> Yeah, you can do that, but the problem is when you have the black list, sometimes your token can be put on the black list because it actually behaves now in a not correct way. So what we did is to inject a new UID so the system doesn't recognize it; every time you stamp the token you put a new ID. So that this new ID has no previous behavior, so they don't ban it.
[pause]
>> Other questions, just stand up and go to the microphone. [Off mic comments] [pause]
>> No questions? C'mon. [laugh] We have like... Yeah
>> [indiscernible] more minutes
>> Yes so we won't
>> Go anywhere
>> Please ask.
>> You have to stay on this side. Close the doors. [laugh]
>> Okay. Thank you.
>> I have a question [clapping]
>> It's for you, not for us. [laugh] [clapping]
>> off mic - I can talk afterwards
>> Thank you.
>> Singapore is having a real big surge with their smart nation. One of the things that they're doing is they're having a big push for, in the name of elder care, monitoring in the home. Are you seeing that in Europe?
>> Nope. At least not in Italy. Well, we are from Italy, now maybe you understood that, but [laugh] not in Italy. It's an interesting thing because we actually never thought about that. But we're going to present the same research in Singapore next month at [indiscernible] yeah, this month
>> two weeks
>> at the end of the month. In [indiscernible] so maybe there are some interesting points to speak about.
>> Can you Tweet where you're doing this information? Because I live in Singapore, I'd like to attend.
>> Okay. You can come later and we give you the link
>> Yeah
>> what up
>> So on the parking meter charge hack, did you think to try making the charge negative?
>> Yeah
>> Yeah but
>> and something very weird happened.
>> Yeah
>> They charged us like 10 times what we owe.
>> Ho
>> Yeah, so there must be something more in that formula [laugh]
>> Reversing the firmware there are some very strange things, like some weird vulnerabilities in which you can overflow the whole system and crash it. It's
>> off mic - more to look into
>> But yes, we tried.
>> Hi. So in Chicago we have a different bike share system with a different lock at the front end of the bike, which I believe... I'm not sure if this hack will work or not on it. So I'm wondering if you've looked into other hacks for bike share that aren't reliant on the locking mechanism? And then also our bikes have GPS. So have you figured out how, if you wanted to literally steal the bike, how do you overcome the GPS?
>> So you have GPS on the bike.
>> The bikes.
>> Okay, there was a talk I think last year at Black Hat or DefCon, both probably, about spoofing GPS data with SDR. So you can actually bring your SDR and have it in a backpack with a battery and spoof your data and meanwhile be stealing the bike legally. [laugh] It's a principle we are trying also to apply to car sharing. Because they check your mileage and where you are going, and they charge money for that, so it's an interesting thing.
[indiscernible] [pause] Anyone else? 3 minutes. No. Maybe 4 or 5. Okay. Thank you very much for coming. Thank you for your hour. [clapping]
>> Yeah, thanks for
>> Really appreciate [clapping]
>> Also thanks to our sponsors and yeah, that's it.