DEF CON 26 - Daniel Crowley and Panel - Outsmarting the Smart City
Next, and last today, we have Daniel, we have Mauro, and we have Jen, who are going to talk to us about smart city stuff and taking over smart city stuff and generally causing all kinds of chaos and havoc. Why don't we give these guys a big round of applause?
Hi, everybody. So, some quick introductions. My name is Daniel Crowley. I am the Research Baron for X-Force Red. You might be wondering why I have such a silly title. Well, I wanted to be a director of research, because I do direct the research program, but "director" is apparently a reserved word at IBM, so I had to kind of work around that. I pitched them a couple of things, including "tyrannical research dictator"; they didn't like that. I pitched "research sultan", but there was some suggestion that maybe there was some cultural insensitivity there, so we passed on that one. But I do hold, and I'm getting ahead of myself here, but I do hold the noble title of Baron in the micronation of Sealand, so as long as you respect its sovereignty, well, E Mare Libertas to you, buddy. But I'm a baron, as long as you don't mind me having paid $40 to get that title. That's $40 I ever spent, by the way. I've been doing pen testing since 2004, and I've been a hobbyist before that, and I also have an interest in physical security, and I'm a bit of a locksport enthusiast.
Oh, I didn't advance the slides quick enough today. Hi, I'm Jennifer Savage. I'm a security researcher at Threatcare. I'm also a member of the Black Hat review board. I've had a couple of decades' experience in tech, including software development, management, vulnerability management, vulnerability assessment, penetration testing, security research, etc.
Mauro. I've been doing pen testing for many years. I've been passing through different areas like, to, architecture, developing, C, semi-trailer. I love to find logs and correct them.
So, you might be kind of curious about the term "smart city". What exactly makes technology
smart city technology? Well, it's a pretty broad blanket term, kind of like Internet of Things. It's slightly more specific than that, but it's still, in the Venn diagram, a pretty large bubble, and there's lots of little circles within that. So, for instance, there's the industrial Internet of Things. Cities have to have utilities; you know, you have to have water infrastructure and power and all that sort of thing, so when you have technology running that, that's part of smart city tech. Something that fits more squarely into that is urban automation, an example being automated waste trucks that drive around and pick up people's trash cans and read RFID tags in the trash cans, so they have an exact log of when each trash can was picked up and which trash can
belonged to whom and how heavy it was and all that sort of thing. And then you have public safety things like police body cams. You have things like emergency management systems, so you have systems that detect impending disasters and allow people to respond quicker. You have intelligent transportation systems: devices and software that try to reduce traffic congestion, things that will detect how much traffic is on a stretch of road and then communicate with the traffic light down the road to say, "OK, you're going to want to open it up a little bit." And then you have metropolitan area networks, which are just sort of city-sized; they're like LANs, but city-sized. So you might have public internet kiosks, or you might have citywide Wi-Fi provided just for all the citizens to use. And there's more smart city tech than just this. There's lots and lots and lots of different tech, but these are just different example areas.
So when it comes to privacy, there are a lot of concerns with smart city technologies. It's a very different thing when you can choose what you have in your home. You can choose not to have IoT devices; you can choose not to have a smart TV in your home. But you can't really get much control over the fact that outside your home, right outside your door, every street lamp on your street might have a camera in it. And that's what we're talking about when we talk about smart cities: everything's monitored, there are a billion sensors everywhere. It could become the case that there are legitimate purposes that are subverted by malicious actors. And so if, you know, a legitimate person could use a connected vehicle infrastructure, like a vehicle-to-infrastructure hub, to monitor the location of a car, or use cameras to monitor the location of a person walking down a street, that... and, you know, a malicious actor could use it for the same purposes as well.
So,
speaking of intelligent transportation systems, this is one of the biggest pushes in smart city tech. There is a lot of advancement, a lot of adoption
of smart city technologies. I was lucky enough to speak with the gentleman from the Federal Highway Administration, who corrected me a little bit on this slide. So there was, as far as we can find, a proposed OBD 3 standard at one point, which was basically OBD-II plus a little transceiver, but the more we looked into it, we weren't sure if it was a thing that was pitched a long time ago, circa 2000, and then died because it was obviously a terrible idea, or it might have actually been a hoax, because we chased it down and some of these things looked pretty odd. So thank you to Ed from the FHWA for steering us in the right direction on that.
So something that exists in Hangzhou, China, is what's called the City Brain, or traffic brain, which is a gigantic intelligent transportation systems project that aims to reduce the traffic problems in Hangzhou. And as a Westerner, this particular quote kind of horrified me: that "in China, people have less concern with privacy, which allows us to move faster." And that, for context, is being spoken by the manager of AI at Alibaba, who created... Alibaba created the traffic brain, and he's speaking about it at the World Summit AI in a talk about the traffic brain. But it's not just in China. There's also street lights with cameras built into them, and it took me a while of staring at this picture before I could actually see the cameras in these street lights, but sure enough, they are there.
Now, in addition to that, lots of cities are either talking about or have already deployed facial recognition software to their surveillance cameras. So in 2017, a former... former governor event photo... red leather, yellow leather, unique New York... a former government official for Singapore said that they want to deploy cameras to every single one of their lamp posts, all hundred ten thousand, and put facial recognition software
to work on those cameras. And if you think that's crazy, Dubai one-upped them: they want to make the first police station manned entirely by robot police by 2030. There was a movie about this. It didn't end well.
So let's talk about reconnaissance. How do you discover what's in a city?
So you just start with search engines; that's the most obvious place. In fact, everything that you need in order to discover what's in a city can be done entirely through passive reconnaissance methods. So we started with case studies made by manufacturers, who talked about what their devices were being used for around the world, and you can get some really interesting information about the deployments of those devices just by looking at the case studies. There's also news reports, so local news will quite often cover smart city developments. It's all new, it's not all fascinating, and it's all recorded by the news.
And then, oh, the open data initiatives. So some of you may have seen a lot of open data initiatives offered by various government agencies, and cities will quite often have their own open data initiatives where they publish data, quite often taken from those smart city sensors. And then some city contracts are public. I'm looking at this upside down, it's kind of hard. So some city contracts are public, so in the US everything's FOIA-able, so you can look up a purchase order online if you just Google for it properly, you can check BidNet, etc., and then you can see what your city has.
So also, public systems are already mapped. There are some really great search engines out there that are used for mapping out Internet infrastructure. So if you first identify the IANA ranges for the city that you're doing recon on, then you can just check Shodan and Censys by searching literally for that IANA range; there'll be an ID for it.
And then lastly, physical recon: so just going outside, basically, and looking with your eyes. You can do traditional methods like wardriving, looking for Wi-Fi. There's all kinds of different wardriving methods out there. There's even wardriving for LoRa when you can find... I think Travis Goodspeed has some really great stuff on other types of wardriving out there. But
all of this requires that you actually log off and walk outside your home, so a bit of a challenge for some of us. And then source code repositories: a lot of this stuff is open source. You can check GitHub, Bitbucket, GitLab. And then lastly, we found this thing called OSADP, run by the Federal Highway Administration, and I was recently informed that they actually are requiring that a lot of these manufacturers open source their software so that independent security researchers can do this kind of work, and it really enables us to try to find these kinds of flaws, so I'm really happy with that.
So let's apply these methods real quick to a city: Austin, Texas, which is the city I live in. Here's a roundup of some news reports that were done about smart city tech that was being deployed. So autonomous transit shuttles; a smart street, so Sixth Street, which is a real big party street there, they were going to turn into a smart street. This is CityUP; it's basically a website all about Austin's smart city initiatives, and you can find lots of details there. Here's the Censys results for the city's IANA ranges. This actually covers a lot more than just the smart city tech that they have; it's a list of, like, all of the systems that are running on their range. And this is kind of neat: at all of the low water crossings in Austin they have flood sensors, and these boxes are on the side of the road and you can just walk right by and see them, and here's how they transmit here. Interestingly, after we started doing our research and I became concerned about whether or not flood sensors might be messed with and nobody would know to go check to make sure it's a legitimate reading, somebody went ahead and installed cameras. Without us even reaching out or talking to them, they installed cameras at every low water crossing, so now when you check the ATXfloods website that reports the results of the
flood sensor, you can verify it visually to see whether or not the low water crossing actually is flooded. And ATXfloods, by the way, is a website you can use to plan your route around the city during times of flooding, because it floods quite frequently in Austin. And then this is actually just a purchase order we found by Googling for purchase orders, like we said before, and this one's for police body cams, which falls under the safety subset of things.
Right. So I imagine some of you are here just for the bugs, so here's the bugs. So the first device, or rather devices, that we looked at were in a device family called the i.LON devices from Echelon Corporation. We looked at the SmartServer, which was previously branded as the i.LON 100, and its successor, the i.LON 600. Now, both of these things have the same function but different feature sets.
So basically, you might know something about ICS security, but if you know anything about ICS security, the general recommendation is never, ever attach these things to the internet. Never. Just, like, put them in an air-gapped network and never let anybody touch them unless they are already authorized to touch them. So we found that this was a pretty interesting device, because what it does is it hooks up ICS devices to IP networks, like the internet. And actually we found about 450 SmartServer devices exposed to the Internet via Censys. So that's great. So these things talk to a variety of different devices over various protocols; like, it speaks the very popular Modbus, including the Modbus over TCP/IP variant, it speaks BACnet over IP, and it can also speak to any sort of web services that take SOAP communications.
Hooking this up was kind of a harrowing experience for me, because it doesn't take... it has these screw terminals to receive power, and I couldn't just cannibalize
a power cable, like an ATX power cable, and plug in. I had to get, like, a little power adapter, and I did a terrible wiring job. Actually, when I hooked this up, I plugged it in on one of my, like, outside ports on my concrete patio, and I was wearing, like, safety goggles and oven mitts, because I was like, is this going to blow up? Is there going to be fire? I'm not an electrician. If there's anyone from OSHA in the room, I'm sorry, I probably did bad things there, although it wasn't at my workplace. Well, anyway.
So we found a bunch of things here. We found, first of all, that there were default credentials, and one interesting thing is that there is a web server and an FTP server, and there are separate credentials for both. So you might have one of these things and change the web server password but not the FTP password. In fact, we sourced one of these devices from eBay and found that while the web application password had been changed, the FTP server password had not. So we were able to, because of the fact that the credentials are in a configuration file in plain text on the FTP root, we were actually able to get the original credentials for this device, which is scary in and of itself, but that's, you know, that's neither here nor there.
One interesting thing about this is, even if the default passwords have been changed, the default configuration for what to authenticate on the web application does not include the API, which does most of the heavy lifting. The user interface, which calls the API, is authenticated, but if you know the right way to make the calls, you can just invoke all sorts of fun API functions, like "hey, change the FTP credentials to blah blah blah." So that's good. And this is, of course, over plaintext HTTP, and it's not FTPS or SFTP, it's just FTP. And on top of all that, there's another authentication bypass bug, so even if you change the default configuration and both passwords, you
still have an authentication bypass bug. So I talked about retrieving the cleartext password via FTP, but you can also replace the binaries on the device over FTP. You can fiddle with the ICS gear that's connected to it in the way that the legitimate administrator would or could. And if you want, you can also just change
the IP address and prevent anybody from being able to connect to it.
So here's how the authentication bypass works. What the i.LON devices do, or did before patches were made available: they looked at the path to see, does it match any of the items that I have in the configuration file for the authentication section? So in this case, we're hitting an endpoint that is authenticated by default, so "slash forms slash Echelon slash star" is a default item, so this falls under that pattern. But it's just string-based matching; it doesn't do any sort of canonicalization on the name. So if we instead request "slash forms slash slash Echelon slash anything", it says, "OK, this isn't slash forms slash Echelon, there's another slash here, I don't need to authenticate this," and then it hits the operating system, the extra slash is thrown away, and, well, you know the story from there.
An interesting note: the i.LON 600 units have this weird thing called security access mode, which basically means you have to stick a paperclip into this thing and hold it in there as you reset it, so, you know, like, either two paper clips or just pull the power and put it back in. So you have to go through this process in order to put it into a mode where you can change credentials. So you can't really get the plaintext if you're just using the authentication bypass. And by the way, the default configuration is secure on, or at least we didn't find any problems with the default configuration on, the i.LON 600, but this authentication bypass works on it. So you can still use all of the ICS stuff that they've configured into their i.LON 600 when you use this authentication bypass bug, but you can't really change the FTP credentials and backdoor the device or anything like that. But
what you can do, if you really just want to be a jerk, is change the IP address, since that's outside of the purview of the security access mode.
Now, something interesting that we stumbled across that we weren't looking for as we were doing this research is that there was an exploit for the default configuration bug that affects the API. And this was interesting to discover. This was posted to a GitHub gist back in August of 2015. The comments and the code shown here suggest that this is older than three years. So that's interesting. When we contacted Echelon to disclose the vulnerabilities that we discovered, we also let them know about this. They were unaware of this exploit, and they were unaware of the bug that it exploits until we spoke to them. So that's interesting, and it tells us something that we normally don't get to know, which is that yes, there are people looking for these things and finding them and not reporting them.
So, this... but... the V2I Hub, what it does but tell me to I hope mine I just communication between connected vehicles and... in fact circuit interpretation... in fact doctor he translate data from multiple sources and protocols using their... use interpretation. He has a modular infrastructure. The system can help deliver messages that are useful for transportation applications like red light violation, speed warnings, over-height warnings.
With V2I Hub it was possible to gain access, because he has hard-coded password, he has four years of different API keys that you can access with authentication where you can bypass, you can perform cross-site scripting attacks. Executing SQL injections in the API is also possible, and you can gain access with authentication. With all these flaws, an attacker or adversary can do many things: he can track vehicles, he can send safe sales messages,
OK, change the messages. It can create traffic or modify to drive ways to change something inside in a way that may create some different behaviors, or just shut down the hub so nobody can say I receive messages from the hub.
This shows why it is possible to shut down a device that is running V2I Hub, because as you can see it doesn't require any authentication; he doesn't need any API key.
The V2I Hub has an API, and this API requires a key. Even if the key has been changed, it is possible to access the key through the web server with authentication.
As you can see, using a string compare function, comparing to a string that we would see pretty soon what it is. Even the key file was restricted. The input key and the camper key of the right key are compared using the string compare function, which has an odd set of return values. Different conditions, as you can see, there is a list of return values that we can use effort. They mostly make sense, but something interesting happens when comparing strings and arrays. The string compare function returns null. Without warning the dis warning is in north something can happen here. When 0, the value returned by the function when two strings are identical, is compared to null... Remember that we saw the compare function trying to compare the correct key with an input key using that function. The comparison returns true as long as you are not checking types too carefully. This means you add left square bracket and right square bracket a ring of key and the URL, any key will be the right key, so that means you have access to the API always. And the case you can't call other features that the V2I Hub is using.
And lastly, the SQL injection in version 3 as well, and the login page, so you can track all the usernames and passwords without any authentication.
So the final device that we looked at was called the Libelium Meshlium. So the Meshlium is a part of an ecosystem that works on sensors. These sensors can detect all sorts of things, and the Meshlium is actually designed to be able to communicate with even sensors that are not produced by Libelium themselves. They have their own sensor ecosystem called Waspmote, and there are their own set of sensors that they sell that plug into Waspmote pretty easily. Some examples of these are radiation level sensors and water level, or distance, sensors, which are used, for example, in flood
prevention by detecting water levels. We have sensors that detect rainfall and wind speed. So depending on what this is used for, and we do have some limited information provided through customer case studies about what this is being used for; for instance, we know that the Spanish government is using these devices to detect radiation levels around nuclear power plants. We know that there is a dam somewhere in Europe where the Meshlium, or the Waspmote ecosystem, is being used to detect water quality. So if you're using a Meshlium, there's some interesting problems there. But the Meshlium essentially just acts as a hub and a centralized location for storage, or to be, like, sort of collected and then passed on. So it takes in data from all these sensors and then passes them to either a database or pushes them up to some cloud platform.
So what we found was that there were a number of endpoints
on the application that were just missing authentication entirely, so they could be invoked directly and didn't require any username or password, and some of them could actually function as a whole, like, correctly; some of them couldn't. A number of them actually took user input directly and fed it into a shell command without any sanitation. So if you take a look at the last line here, you can see, and this is pretty much... I don't remember if this is the start of the file or not, but this is one of the exploitable cases of this. So if you just put something like, let's say, semicolon rm -rf / in as your link variable, and you have your type variable set to download update, well, interesting things happen. Now you might be saying, "Well, Daniel, first of all, no-preserve-root isn't in that example." OK, OK, pedantic, sure, let's add that. "But you're still the web application user, so you're not going to be able to do much." Well, I have a solution for you, which involves the fact that the web application has the ability to sudo without any password. So if you just do semicolon sudo rm -rf / no-preserve-root, well, funny or terrible things happen, depending on, you know, what side you're on.
So we want to do a little demonstration. We have a whole dam simulator built into an aquarium, based on a Meshlium system. We were not able to use that, so we instead have a backup video, which... I guess there are A/V issues with bringing the dam here.
So this is a simulated dam, really soon, and they deliver it through banks, cars, rock wall, even scenic view, and it's all inside an aquarium. Now, while this is a simulated dam, the former do these reviews are very real. What we've got set up here is a dam would be controlled by a Raspberry Pi, and that Raspberry Pi is controlling the water level based on data sent by this
ultrasound sensor attached to a liability in place. Now, this is only was the water level in centimeters distance from the sensor. Now, because of the vulnerabilities initially in fact this data is being read from the Meshlium, we're going to want to do that is in fact very well. So the dam is going to go all the way, and it's going to stable them no matter how high the water will pass. You can see if eating the top the riverbanks and now starting to spill over onto the edge, and now, on the other side, starting to plug the road.
Please don't dismay: we worked with the vendors, reported all vulnerabilities. They were all patched. Cities have had weeks to roll out these patches. Everybody has been notified. So that's the positive side of all of this. Additionally, you know, I think when it comes to the implications of being things, you know, as hackers we have to ask ourselves to what lengths do we, independent of the companies who are selling these devices, independent
of the cities or the governments that run them, want to go to try to find these vulnerabilities. With the V2I Hub it's fairly simple, because the code is open source. With the Meshlium, we had to pay 3,000 euros for a Meshlium setup in order to test it. With the i.LONs, we got some off eBay used, so it was a bit less expensive. But the point is these devices are very, very, very expensive, and it can be very difficult for us to get the ability to do the independent security testing that's really required.
But as far as the vulnerabilities that we found, here are the implications: surveillance of connected vehicles, so following a governor around, or a celebrity, or, God forbid, even the president; traffic manipulation, causing traffic to slow down industry in the city that you live in; and sabotage of disaster warning systems, similar to the dam demo that we showed you, but for something like radiation monitoring, where you cause a false panic because you set off the sensors and everybody thinks there's radiation and they start to evacuate. That could be quite bad, right?
But after you've finished setting up your city, it's a fully, you know, smart city place, I hope that you are also going to set up your IoT paper clip, so that you can reset the device when something goes horribly wrong. I hope also that cities will take into consideration whether or not the devices they purchase have been tested by independent parties on a regular basis, that cities will have their implementations of these devices tested, and that the information about the remediation plan for any vulnerabilities found will be made available to the public, so the public can feel safe about what's in their city. Thank you so much for coming to our talk.