Outsmarting the Smart City

Video in TIB AV-Portal: Outsmarting the Smart City

Formal Metadata

CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Content Metadata

The term "smart city" evokes imagery of flying cars, shop windows that double as informational touchscreens, and other retro-futuristic fantasies of what the future may hold. Stepping away from the smart city fantasy, the reality is actually much more mundane: many of these technologies have already quietly been deployed in cities across the world. In this talk, we examine the security of a cross-section of smart city devices currently in use today to reveal how deeply flawed they are and how these vulnerabilities could have serious consequences. In addition to discussing newly discovered pre-auth attacks against multiple smart city devices from different categories of smart city technology, this presentation discusses methods for figuring out what smart city tech a given city is using, the privacy implications of smart cities, the implications of successful attacks on smart city tech, and what the future of smart city tech may hold.
Next and last today we have Daniel, we have Mauro and we have Jen, who are going to talk to us about smart city stuff and taking over smart city stuff and generally causing all kinds of chaos and havoc. Why don't we give these guys a big round of applause.

Hi everybody. So, some quick introductions. My name is Daniel Crowley, I am the research baron for X-Force Red. You might be wondering why I have such a silly title. Well, I wanted to be a director of research, because I do direct the research program, but "director" is apparently a reserved word at IBM, so I had to kind of work around that. I pitched them a couple of things, including tyrannical research dictator; they didn't like that. I pitched research sultan, but it was suggested that maybe there was some cultural insensitivity there, so we passed on that one. But I do hold, and I'm getting ahead of myself here, but I do hold the noble title of Baron in the micronation of Sealand, so as long as you respect its sovereignty, well, E Mare Libertas to you, buddy. But I'm a baron, as long as you don't mind me having paid $40 to get that title. That's the best $40 I ever spent, by the way. I've been doing pen testing since 2004 and I was a hobbyist before that, and I also have an interest in physical security and am a bit of a locksport enthusiast. Oh, I didn't advance the slides quick enough today.

Hi, I'm Jennifer Savage. I'm a security researcher at Threatcare. I'm also a member of the Black Hat review board. I've had a couple of decades of experience in tech, including software development, management, vulnerability management, vulnerability assessment, penetration testing, security research, etc.

I'm Mauro. I've been doing pen testing for many years. I've been passing through different areas like architecture, developing [inaudible]. I love to find bugs and correct them.

So you might be kind of curious about the term "smart city": what exactly makes technology smart city technology? Well, it's a pretty broad blanket term, kind of like Internet of Things. It's slightly more specific than that, but it's still in the Venn diagram. It's a pretty large bubble and there are lots of little circles within that. So for instance, there's the industrial internet of things. Cities have to have utilities, you know, you have to have water infrastructure and power and all that sort of thing, so when you have technology running that, that's part of smart city tech. Something that fits more squarely into that is urban automation, an example being automated waste trucks that drive around and pick up people's trash cans and read RFID tags in the trash cans, so they have an exact log of when each trash can was picked up and which trash can belonged to whom and how heavy it was and all that sort of thing. And then you have public safety, things like police body cams. You have things like emergency management systems, so you have systems that detect impending disasters and allow people to respond quicker. You have intelligent transportation systems: devices and software that try to reduce traffic congestion, things that will detect how much traffic is on a stretch of road and then communicate with the traffic light down the road to say, okay, you're gonna want to open it up a little bit. And then you have metropolitan area networks, which are just sort of city-sized; they're like LANs, but city-sized. So you might have public internet kiosks, or you might have citywide Wi-Fi provided just for all the citizens to use. And there's more smart city tech than just this, there's lots and lots and lots of different tech, but these are just example areas.

So when it comes to privacy, there are a lot of concerns with smart city technologies. It's a very different thing when you can choose what you have in your home: you can choose not to have IoT devices, you can choose not to have a smart TV in your home, but you can't really get much control over the fact that outside your home, right outside your door, every street lamp on your street might have a camera in it. And that's what we're talking about when we talk about smart cities: everything's monitored, there are a billion sensors everywhere. It could become the case that there are legitimate purposes that are subverted by malicious actors, and so if, you know, a legitimate person could use a connected vehicle infrastructure like a vehicle-to-infrastructure hub to monitor the location of a car, or use cameras to monitor the location of a person walking down a street, then, you know, a malicious actor could use it for the same purposes as well.

So speaking of intelligent transportation systems, this is one of the biggest pushes in smart city tech. There is a lot of advancement, a lot of adoption of smart city technologies. I was lucky enough to speak with a gentleman from the Federal Highway Administration who corrected me a little bit on this slide. So there was, as far as we can find, a proposed OBD-III standard at one point, which was basically OBD-II plus a little transceiver, but the more we looked into it, we weren't sure if it was a thing that was pitched a long time ago, around circa 2000, and then died because it was obviously a terrible idea, or it might have actually been a hoax, because when we chased it down, some of these things looked pretty odd. So thank you to Ed from the FHWA for steering us in the right direction on that. So something that exists in Hangzhou, China is what's called the City Brain or Traffic Brain, which is a gigantic intelligent transportation systems project that aims to reduce the traffic problems in Hangzhou, and as a Westerner, this particular quote kind of horrified me: that in China people have less concern with privacy, which allows us to move faster. And that, for context, is being spoken by the manager of AI at Alibaba, who created the Traffic Brain, and he's speaking about it at the World Summit AI in a talk about the Traffic Brain. But it's not just in China. There are also street lights with cameras built into them, and it took me a while of staring at this picture before I could actually see the cameras in these street lights, but sure enough they are there. Now in addition to that, lots of cities are either talking about or have already deployed facial recognition software to their surveillance cameras. So in 2017 a former government official for Singapore said that they want to deploy cameras to every single one of their lamp posts, all hundred and ten thousand, and put facial recognition software to work on those cameras. And if you think that's crazy, Dubai one-upped them: they want to make the first police station manned entirely by robot police by 2030. There was a movie about this; it didn't end well.

So let's talk about reconnaissance. How do you discover what's in a city? So you just start with search engines. That's the most obvious place. In fact, everything that you need in order to discover what's in a city can be done entirely through passive reconnaissance methods. So we started with case studies made by manufacturers who talked about what their devices were being used for around the world, and you can get some really interesting information about the deployments of those devices just by looking at the case studies. There are also news reports. So local news will quite often cover smart city developments. It's all new, it's not all fascinating, and it's all recorded by the news. And then, oh, the open data initiatives. So some of you may have seen a lot of open data initiatives offered by various government agencies, and cities will quite often have their own open data initiatives where they publish data quite often taken from those smart city sensors. And then some city contracts are public. I'm looking at this upside down, it's kind of hard. So some city contracts are public. So in the US everything's FOIA, so you can look up a purchase order online if you just Google for it properly, you can check BidNet, etc., and then you can see what your city has. So also, public systems are already mapped. So there are some really great search engines out there that are used for mapping out internet infrastructure, so if you first identify the IANA ranges for the city that you're doing recon on, then you can just check Shodan and Censys by searching literally for that IANA range; there'll be an ID for it. And then lastly, physical recon, so just going outside, basically, and looking with your eyes. You can do traditional methods like wardriving, looking for Wi-Fi; there are all kinds of different wardriving methods out there, there's even wardriving for LoRa, which you can find. I think Travis Goodspeed has some really great stuff on other types of wardriving out there. But all of this requires that you actually log off and walk outside your home, so a bit of a challenge for some of us. And then source code repositories. So a lot of this stuff is open source. You can check GitHub, Bitbucket, GitLab, and then lastly we found this thing called OSADP, run by the Federal Highway Administration, and I was recently informed that they actually are requiring that a lot of these manufacturers open source their software so that independent security researchers can do this kind of work, and it really enables us to try to find these kinds of flaws, so I'm really happy with that.

So let's apply these methods real quick to a city. So Austin, Texas, which is the city I live in. Here's a roundup of some news reports that were done about smart city tech that was being deployed: so autonomous transit shuttles, a smart street, so Sixth Street, which is a real big party street there, they were gonna turn into a smart street. This is CityUP; it's basically a website all about Austin's smart city initiatives, and you can find lots of details there. Here's the Censys results for the city's IANA ranges. This actually covers a lot more than just the smart city tech that they have; it's a list of, like, all of the systems that are running on their range. And this is kind of neat: at all of the low water crossings in Austin they have flood sensors, and these boxes are on the side of the road and you can just walk right by and see them, and here's how they transmit. Here, interestingly, after we started doing our research and I became concerned about whether or not flood sensors might be messed with and nobody would know to go check to make sure it's a legitimate reading, somebody went ahead and installed cameras, without us even reaching out or talking to them. They installed cameras at every low water crossing, so now when you check the ATXfloods website that reports the results of the flood sensor, you can verify it visually to see whether or not the low water crossing actually is flooded. And ATXfloods, by the way, is a website you can use to plan your route around the city during times of flooding, because it floods quite frequently in Austin. And then this is actually just a purchase order we found by Googling for purchase orders like we said before, and this one's for police body cams, which falls under the safety subset of things.

Right, so I imagine some of you are here just for the bugs, so here's the bugs. So the first device, or rather devices, that we looked at were a device family called the i.LON devices from Echelon Corporation. We looked at the SmartServer, which was previously branded as the i.LON 100, and its successor, the i.LON 600. Now both of these things have the same function but different feature sets. So basically, you might know something about ICS security, but if you know anything about ICS security, the general recommendation is never ever attach these things to the internet, never, just put them in an air-gapped network and never let anybody touch them unless they are already authorized to touch them. So we found that this was a pretty interesting device, because what it does is it hooks up ICS devices to IP networks like the internet, and actually we found about 450 SmartServer devices exposed to the internet via Censys, so that's great. So these things talk to a variety of different devices over various protocols, like it speaks the very popular Modbus, including the Modbus over TCP/IP variant, it speaks BACnet over IP, and it can also speak to any sort of web services that take SOAP communications. Hooking this up was kind of a harrowing experience for me, because it has these screw terminals to receive power and I couldn't just cannibalize a power cable like an ATX power cable and plug in; I had to get a little power adapter and I did a terrible wiring job. Actually, when I hooked this up I plugged it in on one of my outside ports on my concrete patio and I was wearing safety goggles and oven mitts, because I was like, is this gonna blow up, is there going to be fire? I'm not an electrician. If there's anyone from OSHA in the room, I'm sorry, I probably did bad things there, although it wasn't at my workplace. Well, anyway. So we found a bunch of things here. We found first of all that there were default credentials, and one interesting thing is that there is a web server and an FTP server and there are separate credentials for both, so you might have one of these things and change the web server password but not the FTP password. In fact, we sourced one of these devices from eBay and found that while the web application password had been changed, the FTP server password had not, so because of the fact that the credentials are in a configuration file in plain text on the FTP root, we were actually able to get the original credentials for this device, which is scary in and of itself, but that's, you know, that's neither here nor there. One interesting thing about this is, even if the default passwords have been changed, the default configuration for what to authenticate on the web application does not include the API, which does most of the heavy lifting. The user interface which calls the API is authenticated, but if you know the right way to make the calls you can just invoke all sorts of fun API functions like, hey, change the FTP credentials to blah blah blah. So that's good. And this is of course over plaintext HTTP, and it's not FTPS or SFTP, it's just FTP. And on top of all that there's another authentication bypass bug, so even if you change the default configuration and both passwords, you still have an authentication bypass bug. So I talked about retrieving the cleartext password via FTP, but you can also replace the binaries on the device over FTP, you can fiddle with the ICS gear that's connected to it in the way that the legitimate administrator would or could, and if you want you can also just change the IP address and prevent anybody from being able to connect to it.

So here's how the authentication bypass works. What the i.LON devices do, or did before patches were made available, is they looked at the path to see, does it match any of the items that I have in the configuration file for the authentication section? So in this case we're hitting an endpoint that is authenticated by default, so /forms/echelon/* is a default item, so this falls under that pattern. But it's just string-based matching; it doesn't do any sort of canonicalization on the name. So if we instead request /forms//echelon/anything, it says, okay, this isn't /forms/echelon, there's another slash here, I don't need to authenticate this. And then it hits the operating system, the extra slash is thrown away, and, well, you know the story from there. An interesting note: the i.LON 600 units have this weird thing called security access mode, which basically means you have to stick a paperclip into this thing and hold it in there as you reset it, so, you know, either two paperclips or just pull the power and put it back in. So you have to go through this process in order to put it into a mode where you can change credentials. So you can't really get the plaintext if you're just using the authentication bypass, and by the way, the default configuration is secure on, or at least we didn't find any problems with the default configuration on, the i.LON 600, but this authentication bypass works on it, so you can still use all of the ICS stuff that they've configured into their i.LON 600 when you use this authentication bypass bug, but you can't really change the FTP credentials and backdoor the device or anything like that. But what you can do, if you really just want to be a jerk, is change the IP address, since that's outside of the purview of the security access mode. Now, something interesting that we stumbled across that we weren't looking for as we were doing this research is that there was an exploit for the default configuration bug that affects the API, and this was interesting to discover: this was posted to a GitHub gist back in August of 2015, and the comments and the code shown here suggest that this is older than three years. So that's interesting. When we contacted Echelon to disclose the vulnerabilities that we discovered, we also let them know about this. They were unaware of this exploit, and they were unaware of the bug that it exploits until we spoke to them. So that's interesting, and it tells us something that we normally don't get to know, which is that yes, there are people looking for these things and finding them and not reporting them.

So, the V2I Hub. What it does is it allows communication between connected vehicles and infrastructure. It translates data from multiple sources and protocols using its own interpretation. It has a modular infrastructure; the system can help deliver messages that are useful for transportation applications, like red light violation warnings, speed warnings, over-height warnings. With V2I Hub it was possible to gain access because it has a hard-coded password. It has a few different API keys that you can access without authentication. You can bypass authentication, you can perform cross-site scripting attacks, and executing SQL injections in the API is also possible. You can gain access without authentication with all these flaws. An attacker or adversary can do many things: he can track vehicles, he can send fake messages, change the messages, he can create traffic or modify the driveways to change something inside in a way that may create some different behaviors, or just shut down the hub so nobody can receive messages from the hub. This shows why it is possible to shut down a device that is running V2I Hub: because, as you can see, it doesn't require any authentication, it doesn't need any API key. The V2I Hub has an API, and this API requires a key. Even if the key has been changed, it is possible to access the key through the web server without authentication, as you can see, using a string compare function, comparing to a string that we will see pretty soon what it is. Even if the key file was restricted, the input key and the correct key are compared using the string compare function, which has an odd set of return values for different conditions. As you can see, there is a list of return values that we can use. They mostly make sense, but something interesting happens when comparing strings and arrays: the string compare function returns NULL with a warning, and this warning is ignored. Something can happen here when 0, the value returned by the function when two strings are identical, is compared to NULL. Remember that we saw the compare function trying to compare the correct key with an input key; using that function, the comparison returns true as long as you are not checking types too carefully. This means if you add a left square bracket and a right square bracket to the key in the URL, any key will be the right key. So that means you always have access to the API, and in this case you can call other features that the V2I Hub is using. And lastly, there is SQL injection in version 3 as well, in the login page, so you can get all the usernames and passwords without any authentication.

So the final device that we looked at was called the Libelium Meshlium. So the Meshlium is a part of an ecosystem that works on sensors. These sensors can detect all sorts of things, and the Meshlium is actually designed to be able to communicate even with sensors that are not produced by Libelium themselves. They have their own sensor ecosystem called Waspmote, and there is their own set of sensors that they sell that plug into Waspmote pretty easily. Some examples of these are radiation level sensors and water level or distance sensors, which are used for example in flood prevention by detecting water levels. We have sensors that detect rainfall and wind speed. So depending on what this is used for, and we do have some limited information provided through customer case studies about what this is being used for; for instance, we know that the Spanish government is using these devices to detect radiation levels around nuclear power plants, we know that there is a dam somewhere in Europe where the Meshlium, or the Waspmote ecosystem, is being used to detect water quality. So if you're using a Meshlium there are some interesting problems there. But the Meshlium essentially just acts as a hub and a centralized location for storage, for data to be, sort of, collected and then passed on. So it takes in data from all these sensors and then passes it to either a database or pushes it up to some cloud platform. So what we found was that there were a number of endpoints on the application that were just missing authentication entirely, so they could be invoked directly and didn't require any username or password, and some of them could actually function, as a whole, correctly; some of them couldn't. A number of them actually took user input directly and fed it into a shell command without any sanitization. So if you take a look at the last line here you can see, and this is, I don't remember if this is the start of the file or not, but this is one of the exploitable cases of this. So if you just put something like, let's say, `; rm -rf /` in as your link variable, and you have your type variable set to download update, well, interesting things happen. Now you might be saying, well, Daniel, first of all, no --no-preserve-root in that example. Okay, okay, pedantic, sure, let's add that. But you're still the web application user, so you're not going to be able to do much. Well, I have a solution for you, which involves the fact that the web application has the ability to sudo without any password. So if you just do `; sudo rm -rf / --no-preserve-root`, well, funny or terrible things happen depending on, you know, what side you're on.

So we want to do a little demonstration. We have a whole dam simulator built into an aquarium based on a Meshlium system. We were not able to use that, so we instead have a backup video, which, I guess, there were some issues with bringing the dam here.

So this is a simulated dam. We've got riverbanks, cars, a rock wall, even a scenic view, and it's all inside an aquarium. Now, while this is a simulated dam, the vulnerabilities are very real. What we've got set up here is a dam which is controlled by a Raspberry Pi, and that Raspberry Pi is controlling the water level based on data sent by this ultrasound sensor attached to a Libelium Meshlium. Now, this is reporting the water level in centimeters distance from the sensor. Now, because of the vulnerabilities in the Meshlium, this data is being read from the Meshlium, and we're going to modify that, so the dam is going to close all the way and it's going to stay closed no matter how high the water rises. You can see it's reaching the top of the riverbanks and now starting to spill over onto the edge, and now on the other side starting to flood the road. [Applause]

Please don't dismay: we worked with the vendors, reported all vulnerabilities, they were all patched, cities have had weeks to roll out these patches, everybody has been notified. So that's the positive side of all of this. Additionally, you know, I think when it comes to the implications of these things, you know, as hackers we have to ask ourselves: to what lengths do we, independent of the companies who are selling these devices, independent of the cities or the governments that run them, want to go to try to find these vulnerabilities? With the V2I Hub it's fairly simple, because the code is open source. With the Meshlium we had to pay 3,000 euros for a Meshlium setup in order to test it. With the i.LONs we got some off eBay, used, so it was a bit less expensive. But the point is these devices are very, very, very expensive, and it can be very difficult for us to get the ability to do the independent security testing that's really required. But as far as the vulnerabilities that we found, here are the implications: surveillance of connected vehicles, so following a governor around, or a celebrity, or God forbid even the president; traffic manipulation, causing traffic to slow down industry in the city that you live in; and sabotage of disaster warning systems, similar to the dam demo that we showed you, but for something like radiation monitoring, where you cause a false panic because you set off the sensors and everybody thinks there's radiation and they start to evacuate. That could be quite bad, right? But after you've finished setting up your city, it's a fully, you know, smart city place, I hope that you are also going to set up your IoT paperclip so that you can reset the device when something goes horribly wrong. I hope also that cities will take into consideration whether or not the devices they purchase have been tested by independent parties on a regular basis, that cities will have their implementations of these devices tested, and that the information about the remediation plan for any vulnerabilities found will be made available to the public, so the public can feel safe about what's in their city. Thank you so much for coming to our talk. [Applause]
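The i.LON authentication bypass described in the talk (a string-matched protected-path list that is checked against the raw request path, while the file layer later collapses the doubled slash) is easy to reproduce and to fix in a few lines. The following is an added example written for this page, not Echelon's code or configuration; the protected patterns, request paths and the assumption that the server percent-decodes before lookup are all constructed for illustration.

```python
"""Authentication bypass through non-canonical request paths, in the style
described for the i.LON SmartServer: the guard matches the raw request path
against protected patterns as plain strings, while the file layer later
collapses the extra slash. Added example, not vendor code; the protected
pattern list and the request paths are constructed."""
import fnmatch
import posixpath
from urllib.parse import unquote

# Constructed protected-path patterns in the style the talk describes
# ("/forms/echelon/*"); the real device configuration may differ.
PROTECTED = ["/forms/echelon/*", "/api/*"]


def requires_auth_naive(path: str) -> bool:
    """Vulnerable guard: glob-match the path exactly as the client sent it."""
    return any(fnmatch.fnmatchcase(path, pat) for pat in PROTECTED)


def canonicalize(path: str) -> str:
    """Reduce the path to the form the file system will actually open:
    percent-decode (assumes the server decodes before lookup), force a single
    leading slash, and let normpath collapse '//' and '/./' and resolve '..'."""
    decoded = unquote(path)
    return posixpath.normpath("/" + decoded.lstrip("/"))


def requires_auth_fixed(path: str) -> bool:
    """Hardened guard: decide on the canonical path, never the raw one."""
    return any(fnmatch.fnmatchcase(canonicalize(path), pat) for pat in PROTECTED)


# Constructed requests that all resolve to /forms/echelon/config on disk.
ATTACK_PATHS = [
    "/forms/echelon/config",       # plain request: both guards require auth
    "/forms//echelon/config",      # doubled slash, the variant from the talk
    "/forms/./echelon/config",     # dot segment
    "/forms/x/../echelon/config",  # traversal back into the protected tree
    "/forms%2Fechelon/config",     # percent-encoded slash
]


def bypasses(paths=ATTACK_PATHS) -> list:
    """Paths that slip past the naive guard but that the fixed guard catches."""
    return [p for p in paths
            if not requires_auth_naive(p) and requires_auth_fixed(p)]


if __name__ == "__main__":
    for p in ATTACK_PATHS:
        print(f"{p:30} naive={requires_auth_naive(p)!s:5} "
              f"fixed={requires_auth_fixed(p)!s:5} -> {canonicalize(p)}")
```

The guard has to make its decision on the same string the operating system will use, so canonicalization belongs before the match, not after it. The other i.LON issue from the talk, the API being absent from the default list of authenticated paths, is a policy gap that this guard does not close; a default-deny configuration (authenticate everything except an explicit public set) avoids that class entirely.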
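The Meshlium finding (an unauthenticated endpoint that splices a request parameter into a shell command, on a host where the web user can sudo without a password) is the classic shape of command injection. The following is an added example written for this page, not Libelium's code: the handler, the parameter name, the URLs and the attack inputs are constructed, and `echo` stands in for the real download tool so the demonstration is harmless to run.

```python
"""Shell command injection of the kind described for the Meshlium web
application, beside a hardened version. Added example, not Libelium code.
The handler, parameter names and URLs are constructed; 'echo' stands in for
the real download tool so the demonstration is harmless."""
import re
import subprocess
from urllib.parse import urlparse

# Characters RFC 3986 permits in a URL. Note that '$', '(' and ')' are legal,
# so character filtering alone cannot stop command substitution.
URL_CHARS = re.compile(r"[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def fetch_update_vulnerable(link: str) -> list:
    """Vulnerable handler: the 'link' parameter is spliced into a shell
    string, so ';', '$(...)' and friends are interpreted by /bin/sh."""
    cmd = "echo downloading " + link
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout
    return out.splitlines()


def validate_update_url(link: str) -> str:
    """Allowlist check: only URL characters, https only, must have a host."""
    if not URL_CHARS.fullmatch(link):
        raise ValueError("illegal characters in update URL")
    parts = urlparse(link)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("update URL must be https://host/...")
    return link


def fetch_update_fixed(link: str) -> list:
    """Hardened handler: validate, then pass the value as a single argv
    element with no shell, so nothing in it is ever parsed as syntax.
    Running the tool as an unprivileged user with no passwordless sudo is
    the other half of the fix and is outside what this snippet can show."""
    link = validate_update_url(link)
    out = subprocess.run(["echo", "downloading", link],
                         capture_output=True, text=True).stdout
    return out.splitlines()


# Constructed attack inputs.
PAYLOAD_SEMICOLON = "https://updates.example/fw.bin;echo INJECTED"  # second command
PAYLOAD_SUBST = "https://updates.example/fw.bin$(id)"               # command substitution


if __name__ == "__main__":
    print(fetch_update_vulnerable(PAYLOAD_SEMICOLON))  # second line: INJECTED
    print(fetch_update_vulnerable(PAYLOAD_SUBST))      # id output spliced into the URL
    try:
        fetch_update_fixed(PAYLOAD_SEMICOLON)
    except ValueError as err:
        print("rejected:", err)
    print(fetch_update_fixed(PAYLOAD_SUBST))           # literal '$(id)', nothing executed
```

The second payload is the instructive one: it is a syntactically valid URL, so input validation passes it, and only the absence of a shell keeps `$(id)` from running. Validation narrows the attack surface; the argv list is what removes the vulnerability.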