Security Transportation

Hackers Get Free Parking In San Francisco 221

Hugh Pickens writes "PC World reports that at the Black Hat security conference this week, security researchers say that it is pretty easy for a technically savvy hacker to make a fake payment card that gives them unlimited free parking on San Francisco's smart parking meter system. 'It wasn't technically complicated and the fact that I can do it in three days means that other people are probably already doing it and probably taking advantage of it,' says Joe Grand. 'It seems like the system wasn't analyzed at all.' To figure out how the payment system worked, Grand hooked up an oscilloscope to a parking meter and monitored what happened when he used a genuine payment card. Grand discovered the cards aren't digitally signed, and the only authentication between the meter and card is a password sent from the former to the latter. Examining the meters themselves could yield additional vulnerabilities that might allow someone to conduct other kinds of attacks, such as propagating a virus from meter to meter via the smart cards or a meter minder's PDA."
This discussion has been archived. No new comments can be posted.

  • by rodrigoandrade ( 713371 ) on Friday July 31, 2009 @08:13AM (#28894565)
    Geez, at those prices, wouldn't it be cheaper to just pay for the damn parking card???
  • by onepoint ( 301486 ) on Friday July 31, 2009 @08:16AM (#28894583) Homepage Journal

    Well, I RTFA, and I have to admit, I liked the hack, I only hope that they do fix it, otherwise it will always be employees of the stores that have parking and people shopping will not have access to the stores.

    I really do hate it when people hog a meter all day, paying for daily parking in certain towns is just way out of control.

    Now if the hack is really as simple as presented in the 60+ page report, the black market for this is huge, selling 999.00 cards for $50.00 a pop, I know of at least 100 buyers, and if marketed correctly, the entire business district will be a net loss for those towns that don't execute a plan quickly.

    Before anyone talks about the 3 million in savings, Please note, that's just the theft that the meter people were pocketing. What should happen is that the long term savings should increase by the labor savings, please see past example of easy-pass toll system of NY & NJ, where within 2 weeks rush-hour was reduced by 25 to 50 minutes and toll takers were reduced by 1 or 2 people per exit.

  • by Antique Geekmeister ( 740220 ) on Friday July 31, 2009 @08:19AM (#28894599)

    Is it better for cities to rely on such stupid pieces of low-bidder refuse for tools like parking meters and US passports? (http://blogs.zdnet.com/storage/?p=540) Most RFID implementations simply are not secure: they're typically no more reliable than a barcode, which is also easily spoofed.

    And sadly, it's the fault of both the technology (which remains limited by budget marketing to very simple devices) and by inabilities to agree on updates to their encryption and authentication technologies (look up 'new encryption standards for RFID' on Google for references). The infighting among the vendors is horrible, and is delaying improved technologies.

  • by Canazza ( 1428553 ) on Friday July 31, 2009 @08:23AM (#28894631)

    He was probably wearing a high-vis jacket and wearing heavy leather gloves. He'd have looked like an ordinary electrician. If anyone asks he was 'repairing' the meter.

  • by jellomizer ( 103300 ) on Friday July 31, 2009 @08:24AM (#28894643)

    Yes I am upset by this.
    If more than just a small handful of people start doing this then they will raise the price for parking for the people who do it legally.
    They may have to go and fix the system causing us to pay for it in taxes, as well future systems will need to be more expensive as they need to deal with hackers breaking the system all the time.
    The reason for meters besides revenue collection is to control the availability of parking spots. Metered parking helps keep store front spots open for customers. As well keeps abandoned or broken cars sitting indefinitely in good parking spots.

  • by chill ( 34294 ) on Friday July 31, 2009 @08:32AM (#28894693) Journal

    Looking at the pictures of how they accomplished that, including disassembling the parking meter and removing epoxy by dipping parts in heated fumeric acid... I'm fairly certain what he did was already illegal. It isn't as if the parking meters come with external JTAG points or something.

  • by Vellmont ( 569020 ) on Friday July 31, 2009 @08:33AM (#28894697) Homepage


    Would it have been better to have a system with a few hackers taking advantage and skipping some parking fees, versus a now-compromised system

    Stupid knowledge! You just ruin it for everyone. If only we'd be more ignorant and stick our heads in the sand there would be no problem.

    Did you ever think that someone beyond curious hackers looking for a few free hours of parking might be interested in this? Like say.. criminals selling counterfeit parking cards at 1/3 the price?

  • by Shaltenn ( 1031884 ) <Michael.Santangelo@gmail.com> on Friday July 31, 2009 @08:43AM (#28894767) Homepage
    Maybe the fact that 90% of the time people don't have change on them? Society as a whole is becoming a lot more dependent on ATM cards, credit cards, etc as opposed to cash money. This means that people don't have coinage nor dollars, but instead a plastic card in their wallet. I have seen machines that take cards and coins and even dollar bills. This seems like the best idea. Any te
  • by Viol8 ( 599362 ) on Friday July 31, 2009 @08:54AM (#28894877) Homepage

    "To get a closer look at the chips on the cards, researchers used acetone to remove the plastic surrounding them, put them in a small vial of heated fuming nitric acid, rinsed them in acetone and then placed them in a ceramic package for probing."

    Err, yeah, I do that sort of thing every day in my kitchen!

    Let's be honest, "anyone" is a relative term here - anyone who's a whizz with low level logic gate analysis plus knows some chemistry and has access to oscilloscopes etc may be able to do it - a normal office guy like me can't. Perhaps a bit too much false modesty on the part of the article author.

  • by Anonymous Coward on Friday July 31, 2009 @08:59AM (#28894923)
    It occurs to me that things didn't work out so well for Cool Hand Luke in that movie.... what's next, advice on faking insanity to get an easy sentence as in One Flew Over the Cuckoo's Nest?
  • by Jah-Wren Ryel ( 80510 ) on Friday July 31, 2009 @09:28AM (#28895171)

    Criminal gangs target coin operated meters.

    And they will target electronic meters too, just as soon as they figure out how to do it.

    One of the primary drivers was the estimated £120,000 per week being lost to organised crime [and a murder].

    If, as jellomizer postulated, the reason for having meters in the first place is to prevent "tragedy of the commons" type results for public parking spaces, then organized crime's theft of the money collected really doesn't affect that goal.

    A metal detector under the parking space and a camera nearby, and the computer could automatically issue a ticket (or automatically bill for the correct duration). And tell drivers how many spaces are available.

    It is really amazing how all public problems seem to lead us gently down the path of good intentions and into the maw of big brother.

    Maybe the tragedy of the commons problem isn't so bad after all. Maybe we should just reduce parking enforcement to the barest minimum - have a guy with a piece of chalk walk around marking tires - pay his salary from the property taxes of the stores along his route. If a car is in place for more than a couple of days, tow it. Leave it at that and forget about all the expense - monetary and socially - of massively complex and invasive enforcement systems.

    After all, it's not Fort Knox, it's just a fucking parking place.

  • by Aceticon ( 140883 ) on Friday July 31, 2009 @09:37AM (#28895273)

    Many cities around the world deploy parking meters in places where there is no lack of parking places as a form of revenue for the local authorities.

    Also parking meters are usually deployed in such a way as to eliminate all other parking alternatives (if the purpose was to make parking spaces available for those who really need it, then only some of the places would need to be made "premium" with parking meters while most spaces would remain free)

    To further enhance the income from parking, most parking meter systems are also designed in such a way (pay first) that users either have to overpay (pay more time than you use) or are hit with significant fines for going overtime.

    This is why most people hate parking meters and other paid parking systems in public spaces.

    I for one welcome our new parking meter infecting virus overlords.

  • by Ancient_Hacker ( 751168 ) on Friday July 31, 2009 @09:59AM (#28895547)

    TFA, kinda ludicrous.

    First of all, how do you hook up an oscilloscope to a parking meter without disassembling it?

    Then, what could you get from that that you could not get just by reading the card stripe with a $29 card reader?

    One suspects this "black hat" just read a valid card on a card reader, swiped it in a parking meter, then re-read the card and noted the changes.

    In any case, since it's unlikely that the parking meters are networked, all he had to do was clone a good card and he's set.

    No oscilloscopes or trickery needed.

  • by Anonymous Coward on Friday July 31, 2009 @10:18AM (#28895759)

    Yes I am upset by this.
    If more than just a small handful of people start doing this then they will raise the price for parking for the people who do it legally.
    They may have to go and fix the system causing us to pay for it in taxes, as well future systems will need to be more expensive as they need to deal with hackers breaking the system all the time.

    The tone of your post seems to imply you are upset at the hackers for this, instead of upset at whose fault it is.
    (If I misread your intent, feel free to disregard this)

    The fault is not with the hackers pointing out the screw up by the city and meter manufacturer.
    It isn't the hackers who took your tax money and spent it on a product that does not do what is needed (in this case, the need is to meter parking.)

    It isn't as if the hackers could keep quiet, and the real criminals will somehow unlearn what they already knew long before the hackers figured it out. Nor is it the fault of the hackers that the machines were built to function this way.

    If you want to be upset at someone, be upset at the city for spending your taxes on some magical beans (that don't sprout like in the story), and/or the manufacturer who falsely represented how the meter functioned to the city to get them to hand over said tax monies.

    Humanity collectively hiding our heads in the sand and pretending there is a locked door when clearly there is no door at all, let alone a lockable one, does not security make. And the first step to a functional solution is to admit there is a problem.

    If you honestly believe that these things have not been exploited by insiders and organized criminals since practically the day they were installed, and the hackers are actually letting secrets out or something, then you are only fooling yourself.

  • by Improv ( 2467 ) <pgunn01@gmail.com> on Friday July 31, 2009 @10:59AM (#28896329) Homepage Journal

    It's not feasible to make every part of society completely bulletproof, societal trust is part of many areas of this. People keep the trust because they are supposed to and because it'd be a big hassle to do otherwise.

    In a neighbourhood, one neighbour may have a shed she doesn't want you playing around in. She might tie it shut with a rope, use a padlock, or even an electronic lock, depending on how much she cares. None of this is meant as a challenge - untying the rope, picking the lock, or messing with the electronic lock are all within the capabilities of some people. It's not cute to say "Your lock was not good enough, that's why I was in your shed".

    I've read 2600 for years (it's sometimes interesting when one can get past the juvenile attitude), and know people in the community. The standard preface of "I am just doing this for intellectual curiosity and do not laud nor do things like this" is more legal covering of asses than anything else. In some areas maybe we can't rely entirely on societal trust and it's accidentally helpful to have people prodding at these systems, but they're still a nuisance and I would not trust the community in general to use that knowledge responsibly. I've known too many people who have a bad attitude towards society in general and who would take these things as far as they can for personal benefit.

    Being clever is great. Being clever in ways that hurt society is not.

  • by Rasperin ( 1034758 ) on Friday July 31, 2009 @11:08AM (#28896473)
    What are you talking about, it's very expensive to fix. First you have to pay for the code updates, that's going to be a million, take a year, and be delivered late. Then, you have to do a mass software update, that's going to be another 10 million. Then lastly, the most expensive part, a "hardware update" issuing new cards to be compliant with the new standard to match. I don't even want to dream how much that would cost.

    *My numbers may be artificially inflated from working with IBM.
  • by blueskies ( 525815 ) on Friday July 31, 2009 @11:24AM (#28896727) Journal

    They made that decision when they bought shitty meters.

  • by Anonymous Coward on Friday July 31, 2009 @12:05PM (#28897317)

    Hmmm, this makes me want to target people that I don't like by breaking the meters they are at. Like professors, and bad advisers.
