Outsmarting the Smart City

Black Hat USA 2018

Presented by: Dan Crowley (unicornFurnace), Mauro Paredes, Jennifer Savage (savagejen)
Date: Thursday August 09, 2018
Time: 12:10 - 13:00
Location: Islander EI

The term "smart city" evokes imagery of flying cars, shop windows that double as informational touchscreens, and other retro-futuristic fantasies of what the future may hold. Stepping away from the smart city fantasy, the reality is actually much more mundane. Many of these technologies have already quietly been deployed in cities across the world. In this talk, we examine the security of a cross-section of smart city devices currently in use today to reveal how deeply flawed they are and how the implications of these vulnerabilities could have serious consequences.

In addition to discussing newly discovered pre-auth attacks against multiple smart city devices from different categories of smart city technology, this presentation will discuss methods for how to figure out what smart city tech a given city is using, the privacy implications of smart cities, the implications of successful attacks on smart city tech, and what the future of smart city tech may hold.

Dan Crowley

Daniel Crowley is the head of research and a penetration tester for X-Force Red. Daniel denies all allegations regarding unicorn smuggling and questions your character for even suggesting it. Daniel is the primary author of both the Magical Code Injection Rainbow, a configurable vulnerability testbed, and FeatherDuster, an automated cryptanalysis tool. Daniel enjoys climbing large rocks and is TIME magazine's 2006 person of the year. Daniel has been working in the information security industry since 2004 and is a frequent speaker at conferences including Black Hat, DEF CON, Shmoocon, and SOURCE. Daniel does his own charcuterie and brews his own beer. Daniel's work has been included in books and college courses. Daniel also holds the noble title of Baron in the micronation of Sealand.

Mauro Paredes

Mauro Paredes has many years of experience performing penetration testing and security assessments for clients in Canada, USA, Germany, Mexico and Venezuela. Mauro has experience across several industries, including finance, telecommunication, e-commerce, technology providers, retail, energy, healthcare, logistics and transportation, government; and education. Mauro specializes in infrastructure security, network penetration testing (with a strong focus on finding software bugs), web application penetration testing, security assessments, and design and implementation of security controls and architectures to suit each customer's unique security requirements. When Mauro is not working, he likes to play basketball, ride a bicycle, watch a good movie and collect playing cards. Coming from a tropical country, he is now trying to adapt to Canadian sports and is attempting to learn snowboarding, which is still a work in progress.

Jennifer Savage

Jen Savage is a security researcher for Threatcare. She has over a decade of experience in tech including penetration testing, vulnerability assessment, vulnerability management, software development, technical management, and consulting services for companies ranging from startups to the Fortune 100. Her primary research interests are in Web Application Security and the Internet of Things.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats