Forgot your password?
typodupeerror
Security Transportation

Hackers Get Free Parking In San Francisco 221

Posted by timothy
from the usually-spots-at-the-end-of-the-judah-line dept.
Hugh Pickens writes "PC World reports that at the Black Hat security conference this week, security researchers say that it is pretty easy for a technically savvy hacker to make a fake payment card that gives them unlimited free parking on San Francisco's smart parking meter system. 'It wasn't technically complicated and the fact that I can do it in three days means that other people are probably already doing it and probably taking advantage of it,' says Joe Grand. 'It seems like the system wasn't analyzed at all.' To figure out how the payment system worked, Grand hooked up an oscilloscope to a parking meter and monitored what happened when he used a genuine payment card. Grand discovered the cards aren't digitally signed, and the only authentication between the meter and card is a password sent from the former to the latter. Examining the meters themselves could yield additional vulnerabilities that might allow someone to conduct other kinds of attacks, such as propagating a virus from meter to meter via the smart cards or a meter minder's PDA."
This discussion has been archived. No new comments can be posted.

Hackers Get Free Parking In San Francisco

Comments Filter:
  • by sopssa (1498795) * <sopssa@email.com> on Friday July 31, 2009 @07:58AM (#28894465) Journal

    Examining the meters themselves could yield additional vulnerabilities that might allow someone to conduct other kinds of attacks, such as propagating a virus from meter to meter via the smart cards or a meter minder's PDA."

    I, for one, welcome our new parking meter botnet overlords.

  • The usual solution (Score:5, Interesting)

    by drgould (24404) on Friday July 31, 2009 @08:09AM (#28894527)

    The usual bureacratic solution in a case like this is to make it illegal to hook-up oscilloscopes to parking meters in San Francisco.

    • by n1ckml007 (683046) on Friday July 31, 2009 @08:10AM (#28894535)
      Sir is that an oscilloscope in your pocket... ?
    • Re: (Score:3, Funny)

      Sir! Put down the oscilloscope and back away....slowly....

    • Re: (Score:3, Insightful)

      by chill (34294)

      Looking at the pictures of how they accomplished that, including disassembling the parking meter and removing epoxy by dipping parts in heated fumeric acid... I'm fairly certain what he did was already illegal. It isn't as if the parking meters come with external JTAG points or something.

      • Just cut one off like Paul Newman in Cool Hand Luke and take it home with you. When you're done, dump it someplace. No one's the wiser. OTOH, you could move away from San Francisco and enjoy free parking in most of the rest of the country.
        • by chill (34294)

          Yeah, I know that is how a criminal would handle it. Thanks for the reference. I couldn't remember which movie.

          And I'm in Chicago. Don't talk to me about parking meters! Ugh!

      • Re: (Score:3, Informative)

        by Daley_G (1592515)
        I first read of this on some other site where it explains they bought various meters off ebay. At that point, nothing illegal was done as they owned the meters they were experimenting on. Granted, there was no money to be gained by doing this, but exploiting the vulnerability is probably worth quite a bit - to someone.
      • Re: (Score:2, Informative)

        by Anonymous Coward

        The paper lists many attack vectors which could be used against more advanced meters. Hacking the San Francisco system required only a smart card "shim", which extends the contacts to a legitimate card outside the meter, and a portable oscilloscope or logic analyzer for recording the communication between the meter and the legitimate card. The trivial protocol was then implemented on a programmable smart card. This is in reach of most electronic hobbyists and requires no dangerous materials or tools.

    • by Shrike82 (1471633) on Friday July 31, 2009 @08:34AM (#28894713)
      "What's that Billy? Trespassers? Get my oscilloscope from above the fireplace!"
    • >>The usual bureacratic solution in a case like this is to make it illegal to hook-up oscilloscopes to parking meters in San Francisco.

      And make the minimum punishment 5 years in jail and %50,000 fine. After all, they do have cameras everywhere, right? It is just a matter of paying someone to sift through the video until they spot the guy doing this, then arrest him.

      While I understand that this system's not very secure, I don't know if I think attempting to make it perfectly secure is worth it when t

    • I really just want to know what a police would do should he come across someone with a freakin oscilloscope hanging off the side of a parking meter, and shoving cards in and out, recording data.

  • "It wasn't technically complicated and the fact that I can do it in three days means that other people are probably already doing it and probably taking advantage of it"

    Is it just me, or is this like a nationally publicized "Hey guys, try this!" The article lacks the detail to replicate this guy's code, but the other methods he used are all there. Would it have been better to have a system with a few hackers taking advantage and skipping some parking fees, versus a now-comprimised system (or one that begs

    • by Antique Geekmeister (740220) on Friday July 31, 2009 @08:19AM (#28894599)

      Is it better for cities to rely on such stupid pieces of low-bidder refuse for tools like parking meters and US passports? (http://blogs.zdnet.com/storage/?p=540) Most RFID implementations simply are not secure: they're typically no more reliable than a barcode, which is also easily spoofed.

      And sadly, it's the fault of both the technology (which remains limited by budget marketing to very simply devices) and by inabilities to agree on updates to their encryption and authentication techologies (look up 'new encryption standards for RFID' on Google for references). The infighting among the vendors is horrible, and is delaying improved technologies.

      • Re: (Score:3, Interesting)

        by Acer500 (846698)

        Is it better for cities to rely on such stupid pieces of low-bidder refuse for tools like parking meters and US passports?

        Erm... one is not like the other... I don't think that parking meters require the highest level of protection possible. Passports, OTOH...

    • by Vellmont (569020) on Friday July 31, 2009 @08:33AM (#28894697)


      Would it have been better to have a system with a few hackers taking advantage and skipping some parking fees, versus a now-comprimised system

      Stupid knowledge! You just ruin it for everyone. If only we'd be more ignorant and stick our heads in the sand there would be no problem.

      Did you ever think that someone beyond curious hackers looking for a few free hours of parking might be interested in this? Like say.. criminals selling counterfeit parking cards at 1/3 the price?

      • by Sinbios (852437)

        You mean I could buy an unlimited parking card for 1/3 the price of... whatever it is 1/3 the price of, without the hassle of fucking with the hardware myself?! SIGN ME UP!!

    • by solevita (967690) on Friday July 31, 2009 @08:43AM (#28894765)

      The article lacks the detail to replicate this guy's code

      That's what you get for reading the press release... Here [grandideastudio.com] is the original site; here [grandideastudio.com] is the code.

      • by billcopc (196330)

        The code has been "sanitized", meaning some details were deliberately changed to prevent people from blindy replicating the hack, otherwise every geek would quit their job and start selling hacked parking passes on street corners.

    • by TheP4st (1164315)

      Now there are 23000 meters in San Fran that may need to get new software..

      A valuable lesson they will learn from. Hopefully.

      Would it have been better to have a system with a few hackers taking advantage and skipping some parking fees, versus a now-comprimised system (or one that begs to be comprimised by publicity and the copy-cat nature of hackers and hacker upstarts) that may be rendered useless?

      Only the harshest of lessons work with stupidity on such a grand scale.

    • by lazn (202878)

      Security through obscurity is not security.. They should have written secure software in the first place.

      Or are you saying in a different but similar vein that someone like Microsoft has no imperative to make secure code and it isn't their job to fix vulnerabilities in their code either?

  • by onepoint (301486) on Friday July 31, 2009 @08:16AM (#28894583) Homepage Journal

    Well, I RTFA, and I have to admit, I liked the hack, I only hope that they do fix it, otherwise it will always be employee's of the stores that have parking and people shopping will not have access to the stores.

    I really do hate it when people hog a meter all day, paying for daily parking in certain towns is just way out of control.

    Now if the hack is really as simple as presented in the 60+ page report, the black market for this is huge, selling 999.00 cards for $50.00 a pop, I know of at least 100 buyers, and if marketed correctly, the entire business district will be a net loss for those towns whom don't execute a plan quickly.

    Before anyone talks about the 3 million in savings, Please note, that's just the theft that the meter people were pocketing. What should happen is that the long term savings should increase by the labor savings, please see past example of easy-pass toll system of NY & NJ, where within 2 weeks rush-hour was reduced by 25 to 50 minutes and toll takers were reduced by 1 or 2 people per exit.

    • Cool? I dunno, it's pretty simple really. Here's the C source code [grandideastudio.com] for the hack. Basically he's just programming a smart card with a value of $999.99, and then asking the meter for the password, which it seems more than happy to provide for some reason.

      IOW, the meters are simply using security through obscurity, which is the same as no security at all.

    • by PopeRatzo (965947) *

      otherwise it will always be employee's of the stores that have parking and people shopping will not have access to the stores.

      Huh?

      Do you mind explaining the part about people not having access to the stores because only employees will have the hack, or something?

      Don't you think that maybe after the first few days when the parking enforcement notices that they have collected NO money from the parking meters that they might start monitoring a little more closely? Or maybe after, as you say, "people shopping"

      • by onepoint (301486)

        >>the parking meter collections suddenly dropping to zero and the stores suddenly becoming ghost towns that someone might get suspicious.

        it's government employees, they don't notice anything. and if they do, they file a report that no one reads.

        >>Do you mind explaining the part about people not having access to the stores because only employees will have the hack, or something?

        If you have ever owned a store front property, you know that parking and walk-by traffic is a major factor in the invest

      • except the parking meter collections missing won't really be noticed. The cards are prepaid, and as far as the city knows
        the money is already in their account. there is nothing for them to collect at the meter, other than the audit log telling how many people parked at it. the city won't necessarily know that the card used to pay for the parking was a fake. they will just see that 75 cards were used to pay for parking but they had only sold 35. my understanding from the article is that the cards them

  • I'm not sure how normal that is in the bay area. To see some guy in a DeCSS tshirt hooking an O-scope to a parking meter.

    Seriously, how did they achieve *that*? Flat ribbon cable between the card and the meter?

    • by Canazza (1428553) on Friday July 31, 2009 @08:23AM (#28894631)

      He was probably wearing a high-vis jacket and wearing heavy leather gloves. He'd have looked like an ordinary electrician. If anyone asks he was 'reparing' the meter.

      • by value_added (719364) on Friday July 31, 2009 @08:42AM (#28894753)

        He was probably wearing a high-vis jacket and wearing heavy leather gloves. He'd have looked like an ordinary electrician. If anyone asks he was 'reparing' the meter.

        San Francisco may be different, but I'd imagine that in most cities, if someone was seen beating a parking meter with a baseball bat, people passing by would nod approvingly, or perhaps cheer.

        • Re: (Score:2, Funny)

          by srollyson (1184197)
          Small town, not much to do in the evenin'.
        • Re: (Score:3, Informative)

          by cfa22 (1594513)
          Back in the 90's in Berkeley (across the bay from SF) they had serious problems with people hacksawing the meters right off their posts and lobbing them into the bay. There is apparently more than one way to hack parking meters to get free parking.
      • by langelgjm (860756) on Friday July 31, 2009 @08:49AM (#28894831) Journal

        Indeed, that sort of social engineering is all about looking the part.

        I once knew someone who was able to swipe an unused payphone in broad daylight at lunchtime on a busy strip with lots of outdoor seating. The trick? Navy blue pants, blue "repairman" style shirt, a tool bag, and looking like you are supposed to be doing what you are doing.

      • Re: (Score:3, Interesting)

        by himself (66589)

        When I geocache in downtown I just carry a metal folding clipboard and write notes if I need "cover" in an exposed area. Taking down (useless, made-up) numbers from a tape measure helped once when two guys were watching me too closely. :7)

        I have read of some cachers who keep a high-vis yellow vest in their bag just for situations like this, and I myself once saw a guy wearing one go right into the edge of a construction zone to take tourist photos. (I could tell he probably wasn't employed by the site becau

        • by blueskies (525815)

          And then you get "accidentally" shot because a police officer thought you were a terrorist and he thought you were reaching for a gun.

          I'm not against what you are saying, but i'm just saying don't underestimate the stupidity of the police.

    • The Mythbusters are located in San Francisco so I can only assume they are used to geeky types doing weird stuff
    • Compared to other things I've seen in the Bay Area, a guy with an o-scope attached to a parking meter would be pretty damn tame.

  • l0pht (Score:5, Informative)

    by Anonymous Coward on Friday July 31, 2009 @08:19AM (#28894601)

    For reference, Joe Grand is one of the members of the l0pht hacker group that were announced to be making a comeback [url=http://news.slashdot.org/story/09/07/26/167251/Hacker-Group-L0pht-Making-a-Comeback?art_pos=1]here[/url]

  • by surmak (1238244) on Friday July 31, 2009 @08:45AM (#28894779)

    In Monopoly just remember what is 10 spaces away from free parking (actually, in either direction). Something tells me that those who try this "Free Parking" trick may well end up rolling a pair of fives on their next move.

    Do not pass go, do not collect $200.

  • by Viol8 (599362) on Friday July 31, 2009 @08:54AM (#28894877)

    "To get a closer look at the chips on the cards, researchers used acetone to remove the pastic surrounding them, put them in a small vial of heated fuming nitric acid, rinsed them in acetone and then placed them in a ceramic package for probing."

    Err ,yeah, I do that sort of thing every day in my kitchen!

    Lets be honest , "anyone" is a relative term here - anyone whos a whizz with low level logica gate analysis plus knows some chemistry and has access to occiliscopes etc may be able to do it - a normal office guy like me can't. Perhaps a bit too much false modesty on the part of the article author.

  • The headline makes it sound like hackers are routinely scamming the system, but there is no indication of this whatsoever in the article. It is improper of /. to impugn these guys when all they have done is demonstrate the vulnerability.

  • Finding a space. (Score:4, Interesting)

    by bezenek (958723) on Friday July 31, 2009 @09:03AM (#28894953) Journal
    Having a hacked card is of no use if one cannot find a parking space. Most people who have attempted to park in SF know the time wasted finding a space is usually worth more than the cost of the parking.

    Nevertheless, hacking the system is interesting.

    -Todd
  • by Ancient_Hacker (751168) on Friday July 31, 2009 @09:59AM (#28895547)

    TFA, kiinda ludicrous.

    First of all, how do you hook up an oscilloscope to a parking meter without disassembling it?

    Then, what could you get from that that you could not get just by reading the card stripe with a $29 card reader?

    One suspects this "black hat" just read a valid card on a card reader, swiped it in a parking meter, then re-read the card and noted the changes.

    In any case, since it's unlikely that the parking meters are networked, all he had to do was clone a good card and he's set.

    No oscilloscopes or trickery needed.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      First of all, how do you hook up an oscilloscope to a parking meter without disassembling it?

      Then, what could you get from that that you could not get just by reading the card stripe with a $29 card reader?

      Read TFPDF in TFA.

      1) Digital scopes are lightweight and portable. He used a shim between the card and its contacts.

      2) It wasn't a magstripe-based card. It was a smartcard. Gold-plated electrical contacts.

      3) A digital 'scope isn't that far removed from a logic analyzer, and he was able to recor

  • by russotto (537200) on Friday July 31, 2009 @10:05AM (#28895621) Journal

    So the hackers, having figured out how to rig the meters, set up their own meters at a few places in the city. With them they place large signs "Hacker Parking Only, Everyone Else $1,000,000". One day they notice a Porsche 959 pull up to the meter. A somewhat geeky looking man in his mid-50s gets out, looks at the sign, places a card in the meter, and it flips over to "2 hours paid". One of the hackers then walks up to the man and says "Hey, Bill Gates! I knew you started out as a hacker but I didn't know you still kept in the game!". And Gates says "What hack? I just paid the meter".

  • by Improv (2467) <pgunn@dachte.org> on Friday July 31, 2009 @10:59AM (#28896329) Homepage Journal

    It's not feasable to make every part of society completely bulletproof, societal trust is part of many areas of this. People keep the trust because they are supposed to and because it'd be a big hassle to do otherwise.

    In a neighbourhood, one neighbour may have a shed she doesn't want you playing around in. She might tie it shut with a rope, use a padlock, or even an electronic lock, depending on how much she cares. None of this is meant as a challenge - untying the rope, picking the lock, or messing with the electronic lock are all within the capabilities of some people. It's not cute to say "Your lock was not good enough, that's why I was in your shed".

    I've read 2600 for years (it's sometimes interesting when one can get past the juvenile attitude), and know people in the community. The standard preface of "I am just doing this for intellectual curiosity and do not laud nor do things like this" is more legal covering of asses than anything else. In some areas maybe we can't rely entirely on societal trust and it's accidentally helpful to have people prodding at these systems, but they're still a nuisance and I would not trust the community in general to use that knowledge responsibly. I've known too many people who have bad attitude towards society in general and who would take these things as far as they can for personal benefit.

    Being clever is great. Being clever in ways that hurt society is not.

  • "Crackers Get Free Parking In San Francisco"

  • Hackers Get Free Parking In San Francisco

    I thought they were just going to start letting us park for free because we're so cool.

The only function of economic forecasting is to make astrology look respectable. -- John Kenneth Galbraith

Working...