Security Transportation

Hackers Get Free Parking In San Francisco 221

Hugh Pickens writes "PC World reports that at the Black Hat security conference this week, security researchers say that it is pretty easy for a technically savvy hacker to make a fake payment card that gives them unlimited free parking on San Francisco's smart parking meter system. 'It wasn't technically complicated and the fact that I can do it in three days means that other people are probably already doing it and probably taking advantage of it,' says Joe Grand. 'It seems like the system wasn't analyzed at all.' To figure out how the payment system worked, Grand hooked up an oscilloscope to a parking meter and monitored what happened when he used a genuine payment card. Grand discovered the cards aren't digitally signed, and the only authentication between the meter and card is a password sent from the former to the latter. Examining the meters themselves could yield additional vulnerabilities that might allow someone to conduct other kinds of attacks, such as propagating a virus from meter to meter via the smart cards or a meter minder's PDA."
This discussion has been archived. No new comments can be posted.

  • l0pht (Score:5, Informative)

    by Anonymous Coward on Friday July 31, 2009 @08:19AM (#28894601)

    For reference, Joe Grand is one of the members of the l0pht hacker group that were announced to be making a comeback here [http://news.slashdot.org/story/09/07/26/167251/Hacker-Group-L0pht-Making-a-Comeback?art_pos=1]

  • by morgan_greywolf ( 835522 ) on Friday July 31, 2009 @08:30AM (#28894673) Homepage Journal

    Cool? I dunno, it's pretty simple really. Here's the C source code [grandideastudio.com] for the hack. Basically he's just programming a smart card with a value of $999.99, and then asking the meter for the password, which it seems more than happy to provide for some reason.

    IOW, the meters are simply using security through obscurity, which is the same as no security at all.

  • by Anonymous Coward on Friday July 31, 2009 @08:37AM (#28894733)

    If you click the second link in the summary your question will be answered...

    To record the communication between the card and the meter, Grand purchased a smartcard shim -- an electrical connector that duplicates a smartcard's contact points -- and used an oscilloscope to record the electrical signals as the card and meter communicated.

  • by solevita ( 967690 ) on Friday July 31, 2009 @08:43AM (#28894765)

    The article lacks the detail to replicate this guy's code

    That's what you get for reading the press release... Here [grandideastudio.com] is the original site; here [grandideastudio.com] is the code.

  • by xaxa ( 988988 ) on Friday July 31, 2009 @08:57AM (#28894899)

    what was wrong with coin operated meters? Why do they need computers?

    Criminal gangs target coin operated meters. For instance [blogs.com], "Cashless parking was trialled in Westminster [London] in October 2006 and in early 2007 the decision was taken to extend cashless parking city [of Westminster] wide. One of the primary drivers was the estimated £120,000 per week being lost to organised crime. Organised crime which led to murder on the streets of Westminster." (The murder was after one gang started taking the money from meters in another gang's "territory").

    A metal detector under the parking space and a camera nearby, and the computer could automatically issue a ticket (or automatically bill for the correct duration). And tell drivers how many spaces are available.

  • by Daley_G ( 1592515 ) on Friday July 31, 2009 @09:02AM (#28894941)

    I first read of this on some other site where it explains they bought various meters off eBay. At that point, nothing illegal was done as they owned the meters they were experimenting on. Granted, there was no money to be gained by doing this, but exploiting the vulnerability is probably worth quite a bit - to someone.

  • by Anonymous Coward on Friday July 31, 2009 @09:02AM (#28894947)

    The paper lists many attack vectors which could be used against more advanced meters. Hacking the San Francisco system required only a smart card "shim", which extends the contacts to a legitimate card outside the meter, and a portable oscilloscope or logic analyzer for recording the communication between the meter and the legitimate card. The trivial protocol was then implemented on a programmable smart card. This is in reach of most electronic hobbyists and requires no dangerous materials or tools.
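
Added example, not part of the original thread or of Grand's code: a Python sketch of the two controls the summary says the cards lacked, namely a card that answers a fresh challenge instead of receiving a password from the meter, and a keyed MAC over the stored balance (a symmetric stand-in for a digital signature). The key, the record layout and every function name here are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo key. Assumption: the meter keeps it in a secure access module.
MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
TAG_LEN = 16

def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]

def card_key(card_id: bytes) -> bytes:
    """Per-card key, so extracting one card's key does not expose the others."""
    return hmac.new(MASTER_KEY, b"card-key" + card_id, hashlib.sha256).digest()

def issue_record(card_id: bytes, cents: int) -> bytes:
    """Issuer side: 8-byte card id + 4-byte balance, followed by a MAC over both."""
    if len(card_id) != 8:
        raise ValueError("card_id must be 8 bytes")
    body = card_id + struct.pack(">I", cents)
    return body + _mac(card_key(card_id), b"balance" + body)

def new_challenge() -> bytes:
    """Meter side: unpredictable value, used once per session."""
    return os.urandom(16)

def card_respond(key: bytes, challenge: bytes) -> bytes:
    """Card side: answer a fresh meter challenge instead of receiving a password."""
    return _mac(key, b"auth" + challenge)

def meter_read_balance(record: bytes, challenge: bytes, response: bytes):
    """Meter side: return the balance in cents, or None if any check fails."""
    if len(record) != 8 + 4 + TAG_LEN:
        return None
    body, tag = record[:12], record[12:]
    key = card_key(body[:8])
    # The card must prove it holds the key for this particular challenge.
    if not hmac.compare_digest(response, card_respond(key, challenge)):
        return None
    # The stored value must carry the issuer's MAC; an edited balance will not verify.
    if not hmac.compare_digest(tag, _mac(key, b"balance" + body)):
        return None
    return struct.unpack(">I", body[8:])[0]
```

The MAC alone does not stop an older, validly issued record from being written back to the card; that needs a transaction counter or back-office reconciliation on top of this.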

  • by blincoln ( 592401 ) on Friday July 31, 2009 @09:53AM (#28895483) Homepage Journal

    Credit card companies tend to charge a prohibitive percentage for small transactions.

    Seattle seems to have worked out a deal with them. All of the parking meters here accept credit cards.

  • by cfa22 ( 1594513 ) on Friday July 31, 2009 @09:59AM (#28895549)

    Back in the 90's in Berkeley (across the bay from SF) they had serious problems with people hacksawing the meters right off their posts and lobbing them into the bay. There is apparently more than one way to hack parking meters to get free parking.
