Feeds

Meter insecurity raises specter of free parking hacks

Cloned card could allow unlimited parking

The Power of One eBook: Top reasons to choose HP BladeSystem

Black Hat Hackers have figured out a way to trick San Francisco's computerized parking meter system into giving away unlimited free parking by cloning the smart cards used to pay fees.

Speaking at the Black Hat security conference in Las Vegas, hackers Jacob Appelbaum, Joe Grand and Chris Tarnovsky said they were able to compromise the system by monitoring the communications that occur between the electronic meters and the smart cards. They were then able to carry out what's known as a replay attack, in which the communications were repeated on their own blank smart cards.

"We own the San Francisco parking meter system," Appelbaum said in an interview with El Reg. "They clearly did not do enough due diligence if at all from a security perspective. The idea that someone is not already exploiting it is sort of laughable."

During their 75-minute talk, the team showed a picture of a cloned smart card in one of the San Francisco parking meters. It's value: $999.99. The team was careful to say they never actually used any of the stored credit to pay for parking.

The hack is only the latest to highlight vulnerabilities in a new generation of electronic payment systems that collect parking fees and bus and train fares. Parking meters in New York were compromised in 2001 using infrared remote controls, and three years later weaknesses in stored-value cards used by San Diego were exposed by a hacker who goes by the name H1kari.

Last year, three undergrads from the Massachusetts Institute of Technology uncovered critical vulnerabilities in electronic fare-payment systems used by Boston's mass transit system, but were prevented from speaking about them during the Defcon hacker conference.

The process used to hack the San Francisco system was fairly straightforward and took only three days to devise. It involved using an off-the-shelf smart-card shim, and monitoring what happened using an oscilloscope. The team then analyzed the data using pen and paper and wrote a program that would repeat the process with programmable smart cards they bought off the internet.

The smart cards work in McKay Guardian XLE meters, which can accept either coins or electronic payments. Many other cities use the same model parking meters, but because of differences in the way they are configured, the team couldn't say whether the technique they used would work outside of San Francisco.

Parking meter displaying smart card balance of $999.99

The researchers said they gained valuable insights into the meter's inner workings by purchasing them on eBay and watching how they functioned. They said their research was intended to expose weaknesses that could cost San Francisco taxpayers millions of dollars in lost revenue, and not to enable people to actually carry out the attacks.

They plan to release the source code for their replay software but will modify important bits to prevent script kiddies from using it to get free parking. ®

The Power of One eBook: Top reasons to choose HP BladeSystem

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.