How the Smart-City becomes stupid presented at BSidesNova 2017

by Denis Makrushin, Vladimir Dashchenko,

Summary : Scary stories around the Internet of Things (IoT) conjure up images of bad guys in hoodies, living for hacking and making the lives of other people harder, inventing millions of ways to infiltrate your life through your gadgets. Probably nobody cares about his smart-home security, but what about Smart-City threats, which affect billions people? A huge number of public IoT devices are vulnerable for potential abuse, potentially endangering users’ data, networks of companies they belong to, or both. Based on research of various public devices, such as terminals and cameras, we offer a methodology for security analysis of these devices, which would answer the following questions:
How easy it is to compromise a terminal in the park?
What can hackers steal from there?
What can be done with hacked device?
How can the internal network of the installer organization be penetrated?
How to protect public devices from attacks?
How to protect public devices from attacks?
We will share not only our research experience, but also will show a live demo how you can easily hijack a real speed radar somewhere around the world. This topic is the unique opportunity to hear about real cases of public device hacking and see the process of compromising the different terminals from the beginning to the end:
Parking and ticket terminals
Information terminals in museums/cinemas/whatever else
Hotels infrastructures
Airport infrastructure
Road Cameras/speed radars Topic includes:
Methodology for security analysis of public IoT
Post-exploitation scenarios
Methodology for improving the security of these devices
Non-trivial protection for non-trivial device