Hackers Get Free Parking In San Francisco

Hugh Pickens writes "PC World reports that at the Black Hat security conference this week, security researchers say that it is pretty easy for a technically savvy hacker to make a fake payment card that gives them unlimited free parking on San Francisco's smart parking meter system. 'It wasn't technically complicated and the fact that I can do it in three days means that other people are probably already doing it and probably taking advantage of it,' says Joe Grand. 'It seems like the system wasn't analyzed at all.' To figure out how the payment system worked, Grand hooked up an oscilloscope to a parking meter and monitored what happened when he used a genuine payment card. Grand discovered the cards aren't digitally signed, and the only authentication between the meter and card is a password sent from the former to the latter. Examining the meters themselves could yield additional vulnerabilities that might allow someone to conduct other kinds of attacks, such as propagating a virus from meter to meter via the smart cards or a meter minder's PDA."

Parking Meter Botnet

[sopssa]

Examining the meters themselves could yield additional vulnerabilities that might allow someone to conduct other kinds of attacks, such as propagating a virus from meter to meter via the smart cards or a meter minder's PDA."

I, for one, welcome our new parking meter botnet overlords.

Re:Parking Meter Botnet

[jellomizer]

Yes I am upset by this.
If more then just a small handful of people start doing this then they will raise the price for parking for the people who do it legally.
They may have to go and fix the system causing us to pay for it in taxes, as well future systems will need to be more expensive as they need to deal with hackers breaking the system all the time.
The reason for meters besides revenue collection is to control the availability of parking spots. Metered parking helps keeps store front spots open for customers. As well keeps abandoned or broken cars sitting indefinitely in good parking spots.

Re:

[zippthorne]

First, decide what your goals are. If it's just to keep people from staying in a space too long, there's no need to charge, just have a timer hooked up to a proximity sensor of some kind (maybe like the ones at traffic lights), which activates a camera. If the car is over the limit, snap pictures every so often and send a fine. Call a tow if it's way too long.

If the goal is to make money, then there's no need for time limits. Just have something people can swipe their credit cards or a token card, or an

The meter pays for...

[tepples]

If it's just to keep people from staying in a space too long, there's no need to charge, just have a timer hooked up to a proximity sensor of some kind (maybe like the ones at traffic lights), which activates a camera.

The meter pays for the proximity sensor and the monitoring to exclude false positives.

Just have something people can swipe their credit cards

Credit card companies tend to charge a prohibitive percentage for small transactions.

Re:The meter pays for...

[blincoln]

Credit card companies tend to charge a prohibitive percentage for small transactions.

Seattle seems to have worked out a deal with them. All of the parking meters here accept credit cards.

Re:

[ColdWetDog]

Seattle seems to have worked out a deal with them. All of the parking meters here accept credit cards.

Some of the time perhaps. Last time I was in Seattle, I tried out that system. Worked one time out of three (in Ballard). The card just wouldn't register. The one time I didn't have any change, I got ticketed. I sent a note in my little payment envelope and haven't heard back from them, but it points out the issue of using semi complex technology without graceful fall backs or even significant testing

Re:

[xaxa]

Credit card companies tend to charge a prohibitive percentage for small transactions.

I'm sure that's negotiable.

For instance, I've bought a postage stamp online (to print out) for about £0.60, and was able to pay by credit card but not debit card. (I don't know what the minimum spend was, I have normal stamps for mail within the country, I only go online for parcels or international mail.)

Re:

[EtherMonkey]

[...] The reason for meters besides revenue collection is to control the availability of parking spots. Metered parking helps keeps store front spots open for customers. As well keeps abandoned or broken cars sitting indefinitely in good parking spots.

Theoretically, yes. But in practice it fails. Local employees just feed the meters (which itself might be illegal but is much more difficult to enforce). Meanwhile, the people you want to attract -- new customers -- have to worry about having change or a parking card AND finding a convenient, open parking spot before they can visit your store.

Re:

[Richy_T]

Absolutely. The rise in councils charging for parking in towns is what caused the rise of big out-of-town stores in the UK in my opinion.

Possibly they had no choice with the rise in car ownership leading to overuse and congestion but there you go.

Re:Parking Meter Botnet

[Aceticon]

Many cities around the world deploy parking meters in places where there is no lack of parking places as a form of revenue for the local authorities.

Also parking meters are usually deployed in such a way as to eliminate all other parking alternatives (if the purpose was to make parking spaces available for those who really need it, then only some of the places would need to be made "premium" with parking meters while most spaces would remain free)

To further enhance the income from parking, most parking meter systems are also designed in such a way (pay first) that users either have to overpay (pay more time than you use) or are hit with significant fines for going overtime.

This is why most people hate parking meters and other paid parking system in public spaces.

I for one welcome our new parking meter infecting virus overlords.

Re:

[sunking2]

The solution to this is pretty simply. Levy a $100,000 fine if you are caught. This will deter most people from doing it and those that do, any that are caught will more than make up the extra money in fines.

Re:

[Anonymous Coward]

Yes I am upset by this.
If more then just a small handful of people start doing this then they will raise the price for parking for the people who do it legally.
They may have to go and fix the system causing us to pay for it in taxes, as well future systems will need to be more expensive as they need to deal with hackers breaking the system all the time.

The tone of your post seems to imply you are upset at the hackers for this, instead of upset at who's fault it is.
(If I misread your intent, feel free to disregard this)

The fault is not with the hackers pointing out the screw up by the city and meter manufacturer.
It isn't the hackers who took your tax money and spent it on a product that does not do what is needed (in this case, the need is to meter parking.)

It isn't as if the hackers could keep quiet, and the real criminals will somehow unlearn what they a

Meters are bad for business

[aywwts4]

Many businesses hate parking meters, it doesn't help their store, but it definitely keeps people from ever parking as they head off to a big box so they don't need to deal with the crap of a city nickel and diming them, as they have to consider a constantly running down meter, and the cost of even looking at one of our stores is higher than our competitor due to the meter, as well as the downtown it out of the way compared to a mall shopping plaza.

Many businesses including my own offer to pay for your ticke

Re:Parking Meter Botnet

[Shaltenn]

Maybe the fact that 90% of the time people don't have change on them? Society as a whole is becoming a lot more dependent on ATM cards, credit cards, etc as opposed to cash money. This means that people don't have coinage nor dollars, but instead a plastic card in their wallet. I have seen machines that take cards and coins and even dollar bills. This seems like the best idea. Any te

Re:

[Anonymous Coward]

It costs $20 per hour plus pension and health insurance for a meter maid to go collect coins.

Re:

[billcopc]

So now instead of collecting coins, they collect transaction logs on a PDA. That didn't save money.

If SF's municipal bureaucracy is anything like my city, nobody ever loses jobs, they just get less work to do. Public service unions are the dirtiest bastards IMO.

Re:Parking Meter Botnet

[xaxa]

what was wrong with coin operated meters? Why do they need computers?

Crimanal gangs target coin operated metres. For instance [blogs.com], "Cashless parking was trialled in Westminster [London] in October 2006 and in early 2007 the decision was taken to extend cashless parking city [of Westminster] wide. One of the primary drivers was the estimated £120,000 per week being lost to organised crime. Organised crime which led to murder on the streets of Westminster." (The murder was after one gang started taking the money from meters in another gang's "territory").

A metal detector under the parking space and a camera nearby, and the computer could automatically issue a ticket (or automatically bill for the correct duration). And tell drivers how many spaces are available.

Re:

[Jah-Wren Ryel]

Crimanal gangs target coin operated metres.

And they will target electronic metres too, just as soon as they figure out how to do it.

One of the primary drivers was the estimated £120,000 per week being lost to organised crime [and a murder].

If, as jellomizer postulated, the reason for having meters in the first place is to prevent "tragedy of the commons" type results for public parking spaces, then organized crime's theft of the money collected really doesn't affect that goal.

A metal detector under the parking space and a camera nearby, and the computer could automatically issue a ticket (or automatically bill for the correct duration). And tell drivers how many spaces are available.

It is really amazing how all public problems seem to lead us gently down the path of good intentions and into the maw of big brother.

Maybe the tragedy of the commons problem isn't so

Re:

[xaxa]

Crimanal gangs target coin operated metres.

And they will target electronic metres too, just as soon as they figure out how to do it.

That might be easier to trace.

Other advantages: no need for expensive security guards to empty the meters, probably less problems with broken metres, easy to enforce other rules (e.g. "Max 2 hour, no return within 2 hours" is typical in the UK).

If, as jellomizer postulated, the reason for having meters in the first place is to prevent "tragedy of the commons" type results for public parking spaces, then organized crime's theft of the money collected really doesn't affect that goal.

I'm sure the income from parking is significant. Without it, tax would be higher (or services reduced).

It is really amazing how all public problems seem to lead us gently down the path of good intentions and into the maw of big brother.

I didn't really mean it seriously ;-). I'd like to see the same done in central London as has been done in Copenhagen -- a reduction in the number of available park

Re:

[mdarksbane]

That's great if there's an alternative. For those of us who live out where they have to drive somewhere, the inability to find a parking space is what keeps me away from downtown areas any time I can possibly avoid it.

Sometimes I wish that city centers just had a giant ring of parking garages on the perimeter and no cars allowed beyond that point.

Re:

[peragrin]

Shh cities that are actually smart about travel are hard to find.

Though my personal favorite is to tearup a parking lot replace it with a parting garage with half the car slots. And add in a new office building or condo complex. It is like they don't expect people to travel.

Though iwish city streets were drivable by permit only. Without a permit you haveto park at large garages with regular mass transit to take you into the city.

Re:

[xaxa]

I'm not suggesting it for everywhere, just central London (I live in London, how anywhere else manages parking is up to the residents).

There are alternatives in London: everyone in Greater London, and pretty much the South East of England, can get to central London by public transport (railway lines in Greater London [nationalrail.co.uk], and in South East England [nationalrail.co.uk]). Most people do -- even people that live in the middle of nowhere (relatively) would most likely drive (or cycle) to the nearest station. I just think it'd be nicer

Re:

[Mister Whirly]

I read that some cities were talking about getting a grid of "smart meters" that you could go online and check availability, and also reserve certain spots at certain times. The ones that will text your cell phone when your time is almost up, and allow you to add more time over the phone is a nice feature as well.

Re:

[Shatrat]

A metal detector under the parking space and a camera nearby, and the computer could automatically issue a ticket (or automatically bill for the correct duration). And tell drivers how many spaces are available.

Finally a little payback for motorcycles. The traffic lights may have no idea I'm there half the time, but neither will the automated ticket-issuing overlords!

Re:

[xaxa]

A metal detector under the parking space and a camera nearby, and the computer could automatically issue a ticket (or automatically bill for the correct duration). And tell drivers how many spaces are available.

Finally a little payback for motorcycles. The traffic lights may have no idea I'm there half the time, but neither will the automated ticket-issuing overlords!

Make the most of it while it lasts, most of the traffic lights round me detect my bicycle!

Re:

[Chyeld]

As they should, since bicycles are suppose to go on the road, not the sidewalk.

Re:

[Quiet_Desperation]

Organised crime which led to murder on the streets of Westminster." (The murder was after one gang started taking the money from meters in another gang's "territory").

But that's one gang member killing another gang member. That's not so much a "crime" as a "service to the mankind."

Re:

[timeOday]

what was wrong with coin operated meters? Why do they need computers?

If you think the security of the new system is bad, just compare it to something that can be fooled by a little disc of sheet metal.

Whenever people talk about exotic hacks on ATMs, I always think of how laughably insecure checks are, and credit cards. You give them one number and they get access to your entire available credit? Ridiculous.

Re:

[timeOday]

I wasn't very clear - by "little disc of sheet metal," I meant a fake quarter to drop into a coin-operated meter.

Re:

[tekrat]

Never mind all the people talking about gangs and organized crime. The *REAL* reason they switch to credit card payments over coin-operated is to remove the CASH from the equation. Cash requires people to collect it from the meters, and then those people who collect it also end up stealing some.

By using credit card payments, you eliminate the coin collectors, so you don't have to employ those people anymore, and you also eliminate having to monitor your collectors so they don't steal from you.

Look at any la

Re:Parking Meter Botnet

[Rasperin]

What are you talking about, it's very expensive to fix. First you have to pay for the code updates, that's going to be a million, take a year, and be delivered late. Then, you have to do a mass software update, that's going to be another 10 million. Then lastly, the most expensive part, a "hardware update" issuing new cards to be compliant with the new standard to match. I don't even want to dream how much that would cost.

*My numbers may be artificially inflated from working with IBM.

Re:Parking Meter Botnet

[blueskies]

They made that decision when they bought shitty meters.

How does this differ from counterfeiting money?

[Colin Smith]

Hell, you can virtually photocopy the stuff these days. If you're going to defraud people of goods and services, then you might as well go the universal route.
 

Re:Parking Meter Botnet

[sortius_nod]

I remember doing an easier hack on the parking meters in Newcastle AU. Grab a used Telstra smart card phone card, shove it in, meter breaks, free parking for a few days for everyone.

It seems that the parking meter OS was unable to handle cards that didn't send the right data back, so went in to "out of order" mode.

I suppose they got wise on these kind of simple hacks and changed the smart card system.

Re:

[fulldecent]

>> Yes, but do they run Linux?

Yes, but does it blend?

Re:

[sconeu]

Imagine a Beowulf cluster of parking meters!

The usual solution

[drgould]

The usual bureacratic solution in a case like this is to make it illegal to hook-up oscilloscopes to parking meters in San Francisco.

Re:The usual solution

[n1ckml007]

Sir is that an oscilloscope in your pocket... ?

Re:The usual solution

[kimvette]

Sir, do you have a concealed oscilloscope permit?

Re:

[Hijacked Public]

In San Francisco you can only open carry your "oscilloscope".

Re:

[Missing_dc]

In San Francisco you can only open carry your "oscilloscope".

Only if it is unloaded* and you can expect people to flip out, call the cops and to have your "oscilloscope" forcefully checked to see if it is loaded.

*You can have the batteries displayed next to it and ready to load though

Re:

[drinkypoo]

*You can have the batteries displayed next to it and ready to load though

Not in California.

For those who don't get it, in the state we're talking about, if you have the ammo next to it and ready to load it's considered loaded. Nice try though.

Re:

[Hijacked Public]

Not according to People v. Clark.

Re:

[morgan_greywolf]

Sir! Put down the oscilloscope and back away....slowly....

Re:The usual solution

[JustOK]

in a sinusoidal manner

Re:

[chill]

Looking at the pictures of how they accomplished that, including disassembling the parking meter and removing epoxy by dipping parts in heated fumeric acid... I'm fairly certain what he did was already illegal. It isn't as if the parking meters come with external JTAG points or something.

Re:

[The_Wilschon]

Just cut one off like Paul Newman in Cool Hand Luke and take it home with you. When you're done, dump it someplace. No one's the wiser. OTOH, you could move away from San Francisco and enjoy free parking in most of the rest of the country.

Re:

[chill]

Yeah, I know that is how a criminal would handle it. Thanks for the reference. I couldn't remember which movie.

And I'm in Chicago. Don't talk to me about parking meters! Ugh!

Re:

[Daley_G]

I first read of this on some other site where it explains they bought various meters off ebay. At that point, nothing illegal was done as they owned the meters they were experimenting on. Granted, there was no money to be gained by doing this, but exploiting the vulnerability is probably worth quite a bit - to someone.

Re:

[Anonymous Coward]

The paper lists many attack vectors which could be used against more advanced meters. Hacking the San Francisco system required only a smart card "shim", which extends the contacts to a legitimate card outside the meter, and a portable oscilloscope or logic analyzer for recording the communication between the meter and the legitimate card. The trivial protocol was then implemented on a programmable smart card. This is in reach of most electronic hobbyists and requires no dangerous materials or tools.

Re:The usual solution

[Shrike82]

"What's that Billy? Trespassers? Get my oscilloscope from above the fireplace!"

Re:

[ACMENEWSLLC]

>>The usual bureacratic solution in a case like this is to make it illegal to hook-up oscilloscopes to parking meters in San Francisco.

And make the minimum punishment 5 years in jail and %50,000 fine. After all, they do have cameras everywhere, right? It is just a matter of paying someone to sift through the video until they spot the guy doing this, then arrest him.

While I understand that this system's not very secure, I don't know if I think attempting to make it perfectly secure is worth it when t

Re:

[MachineShedFred]

I really just want to know what a police would do should he come across someone with a freakin oscilloscope hanging off the side of a parking meter, and shoving cards in and out, recording data.

"other people are probably already doing it"

[Hebbinator]

"It wasn't technically complicated and the fact that I can do it in three days means that other people are probably already doing it and probably taking advantage of it"

Is it just me, or is this like a nationally publicized "Hey guys, try this!" The article lacks the detail to replicate this guy's code, but the other methods he used are all there. Would it have been better to have a system with a few hackers taking advantage and skipping some parking fees, versus a now-comprimised system (or one that begs

Re:"other people are probably already doing it"

[Antique Geekmeister]

Is it better for cities to rely on such stupid pieces of low-bidder refuse for tools like parking meters and US passports? (http://blogs.zdnet.com/storage/?p=540) Most RFID implementations simply are not secure: they're typically no more reliable than a barcode, which is also easily spoofed.

And sadly, it's the fault of both the technology (which remains limited by budget marketing to very simply devices) and by inabilities to agree on updates to their encryption and authentication techologies (look up 'new encryption standards for RFID' on Google for references). The infighting among the vendors is horrible, and is delaying improved technologies.

Re:

[Acer500]

Is it better for cities to rely on such stupid pieces of low-bidder refuse for tools like parking meters and US passports?

Erm... one is not like the other... I don't think that parking meters require the highest level of protection possible. Passports, OTOH...

Re:"other people are probably already doing it"

[Vellmont]

Would it have been better to have a system with a few hackers taking advantage and skipping some parking fees, versus a now-comprimised system

Stupid knowledge! You just ruin it for everyone. If only we'd be more ignorant and stick our heads in the sand there would be no problem.

Did you ever think that someone beyond curious hackers looking for a few free hours of parking might be interested in this? Like say.. criminals selling counterfeit parking cards at 1/3 the price?

Re:

[Sinbios]

You mean I could buy an unlimited parking card for 1/3 the price of... whatever it is 1/3 the price of, without the hassle of fucking with the hardware myself?! SIGN ME UP!!

Re:"other people are probably already doing it"

[solevita]

The article lacks the detail to replicate this guy's code

That's what you get for reading the press release... Here [grandideastudio.com] is the original site; here [grandideastudio.com] is the code.

Re:

[billcopc]

The code has been "sanitized", meaning some details were deliberately changed to prevent people from blindy replicating the hack, otherwise every geek would quit their job and start selling hacked parking passes on street corners.

Re:

[TheP4st]

Now there are 23000 meters in San Fran that may need to get new software..

A valuable lesson they will learn from. Hopefully.

Would it have been better to have a system with a few hackers taking advantage and skipping some parking fees, versus a now-comprimised system (or one that begs to be comprimised by publicity and the copy-cat nature of hackers and hacker upstarts) that may be rendered useless?

Only the harshest of lessons work with stupidity on such a grand scale.

Re:

[lazn]

Security through obscurity is not security.. They should have written secure software in the first place.

Or are you saying in a different but similar vein that someone like Microsoft has no imperative to make secure code and it isn't their job to fix vulnerabilities in their code either?

how can this help us

[onepoint]

Well, I RTFA, and I have to admit, I liked the hack, I only hope that they do fix it, otherwise it will always be employee's of the stores that have parking and people shopping will not have access to the stores.

I really do hate it when people hog a meter all day, paying for daily parking in certain towns is just way out of control.

Now if the hack is really as simple as presented in the 60+ page report, the black market for this is huge, selling 999.00 cards for $50.00 a pop, I know of at least 100 buyers, and if marketed correctly, the entire business district will be a net loss for those towns whom don't execute a plan quickly.

Before anyone talks about the 3 million in savings, Please note, that's just the theft that the meter people were pocketing. What should happen is that the long term savings should increase by the labor savings, please see past example of easy-pass toll system of NY & NJ, where within 2 weeks rush-hour was reduced by 25 to 50 minutes and toll takers were reduced by 1 or 2 people per exit.

security through obscurity

[morgan_greywolf]

Cool? I dunno, it's pretty simple really. Here's the C source code [grandideastudio.com] for the hack. Basically he's just programming a smart card with a value of $999.99, and then asking the meter for the password, which it seems more than happy to provide for some reason.

IOW, the meters are simply using security through obscurity, which is the same as no security at all.

Re:

[PopeRatzo]

otherwise it will always be employee's of the stores that have parking and people shopping will not have access to the stores.

Huh?

Do you mind explaining the part about people not having access to the stores because only employees will have the hack, or something?

Don't you think that maybe after the first few days when the parking enforcement notices that they have collected NO money from the parking meters that they might start monitoring a little more closely? Or maybe after, as you say, "people shopping"

Re:

[onepoint]

>>the parking meter collections suddenly dropping to zero and the stores suddenly becoming ghost towns that someone might get suspicious.

it's government employees, they don't notice anything. and if they do, they file a report that no one reads.

>>Do you mind explaining the part about people not having access to the stores because only employees will have the hack, or something?

If you have ever owned a store front property, you know that parking and walk-by traffic is a major factor in the invest

Re:

[leonardluen]

except the parking meter collections missing won't really be noticed. The cards are prepaid, and as far as the city knows
the money is already in their account. there is nothing for them to collect at the meter, other than the audit log telling how many people parked at it. the city won't necessarily know that the card used to pay for the parking was a fake. they will just see that 75 cards were used to pay for parking but they had only sold 35. my understanding from the article is that the cards them

Free parking! Just uh.. oh crap.

[RyuuzakiTetsuya]

I'm not sure how normal that is in the bay area. To see some guy in a DeCSS tshirt hooking an O-scope to a parking meter.

Seriously, how did they achieve *that*? Flat ribbon cable between the card and the meter?

Re:Free parking! Just uh.. oh crap.

[Canazza]

He was probably wearing a high-vis jacket and wearing heavy leather gloves. He'd have looked like an ordinary electrician. If anyone asks he was 'reparing' the meter.

Re:Free parking! Just uh.. oh crap.

[value_added]

He was probably wearing a high-vis jacket and wearing heavy leather gloves. He'd have looked like an ordinary electrician. If anyone asks he was 'reparing' the meter.

San Francisco may be different, but I'd imagine that in most cities, if someone was seen beating a parking meter with a baseball bat, people passing by would nod approvingly, or perhaps cheer.

Re:

[srollyson]

Small town, not much to do in the evenin'.

Re:

[cfa22]

Back in the 90's in Berkeley (across the bay from SF) they had serious problems with people hacksawing the meters right off their posts and lobbing them into the bay. There is apparently more than one way to hack parking meters to get free parking.

Re:Free parking! Just uh.. oh crap.

[langelgjm]

Indeed, that sort of social engineering is all about looking the part.

I once knew someone who was able to swipe an unused payphone in broad daylight at lunchtime on a busy strip with lots of outdoor seating. The trick? Navy blue pants, blue "repairman" style shirt, a tool bag, and looking like you are supposed to be doing what you are doing.

Re:

[MobyDisk]

Why would anyone want to steal a pay phone?

Re:

[himself]

When I geocache in downtown I just carry a metal folding clipboard and write notes if I need "cover" in an exposed area. Taking down (useless, made-up) numbers from a tape measure helped once when two guys were watching me too closely. :7)

I have read of some cachers who keep a high-vis yellow vest in their bag just for situations like this, and I myself once saw a guy wearing one go right into the edge of a construction zone to take tourist photos. (I could tell he probably wasn't employed by the site becau

Re:

[blueskies]

And then you get "accidentally" shot because a police officer thought you were a terrorist and he thought you were reaching for a gun.

I'm not against what you are saying, but i'm just saying don't underestimate the stupidity of the police.

Mythbusters

[MoreDruid]

The Mythbusters are located in San Francisco so I can only assume they are used to geeky types doing weird stuff

Re:

[aquatone282]

Compared to other things I've seen in the Bay Area, a guy with an o-scope attached to a parking meter would be pretty damn tame.

l0pht

[Anonymous Coward]

For reference, Joe Grand is one of the members of the l0pht hacker group that were announced to be making a comeback [url=http://news.slashdot.org/story/09/07/26/167251/Hacker-Group-L0pht-Making-a-Comeback?art_pos=1]here[/url]

10 spaces away

[surmak]

In Monopoly just remember what is 10 spaces away from free parking (actually, in either direction). Something tells me that those who try this "Free Parking" trick may well end up rolling a pair of fives on their next move.

Do not pass go, do not collect $200.

Anyone could do it?? Don't think so..

[Viol8]

"To get a closer look at the chips on the cards, researchers used acetone to remove the pastic surrounding them, put them in a small vial of heated fuming nitric acid, rinsed them in acetone and then placed them in a ceramic package for probing."

Err ,yeah, I do that sort of thing every day in my kitchen!

Lets be honest , "anyone" is a relative term here - anyone whos a whizz with low level logica gate analysis plus knows some chemistry and has access to occiliscopes etc may be able to do it - a normal office guy like me can't. Perhaps a bit too much false modesty on the part of the article author.

Unfair and misleading headline

[Chris Pimlott]

The headline makes it sound like hackers are routinely scamming the system, but there is no indication of this whatsoever in the article. It is improper of /. to impugn these guys when all they have done is demonstrate the vulnerability.

Finding a space.

[bezenek]

Having a hacked card is of no use if one cannot find a parking space. Most people who have attempted to park in SF know the time wasted finding a space is usually worth more than the cost of the parking.

Nevertheless, hacking the system is interesting.

-Todd

TFA, mostly wrong on the details

[Ancient_Hacker]

TFA, kiinda ludicrous.

First of all, how do you hook up an oscilloscope to a parking meter without disassembling it?

Then, what could you get from that that you could not get just by reading the card stripe with a $29 card reader?

One suspects this "black hat" just read a valid card on a card reader, swiped it in a parking meter, then re-read the card and noted the changes.

In any case, since it's unlikely that the parking meters are networked, all he had to do was clone a good card and he's set.

No oscilloscopes or trickery needed.

Re:

[Anonymous Coward]

First of all, how do you hook up an oscilloscope to a parking meter without disassembling it?

Then, what could you get from that that you could not get just by reading the card stripe with a $29 card reader?

Read TFPDF in TFA.

1) Digital scopes are lightweight and portable. He used a shim between the card and its contacts.

2) It wasn't a magstripe-based card. It was a smartcard. Gold-plated electrical contacts.

3) A digital 'scope isn't that far removed from a logic analyzer, and he was able to recor

Drawing attention to the problem

[russotto]

So the hackers, having figured out how to rig the meters, set up their own meters at a few places in the city. With them they place large signs "Hacker Parking Only, Everyone Else $1,000,000". One day they notice a Porsche 959 pull up to the meter. A somewhat geeky looking man in his mid-50s gets out, looks at the sign, places a card in the meter, and it flips over to "2 hours paid". One of the hackers then walks up to the man and says "Hey, Bill Gates! I knew you started out as a hacker but I didn't know you still kept in the game!". And Gates says "What hack? I just paid the meter".

Societies depend on trust

[Improv]

It's not feasable to make every part of society completely bulletproof, societal trust is part of many areas of this. People keep the trust because they are supposed to and because it'd be a big hassle to do otherwise.

In a neighbourhood, one neighbour may have a shed she doesn't want you playing around in. She might tie it shut with a rope, use a padlock, or even an electronic lock, depending on how much she cares. None of this is meant as a challenge - untying the rope, picking the lock, or messing with the electronic lock are all within the capabilities of some people. It's not cute to say "Your lock was not good enough, that's why I was in your shed".

I've read 2600 for years (it's sometimes interesting when one can get past the juvenile attitude), and know people in the community. The standard preface of "I am just doing this for intellectual curiosity and do not laud nor do things like this" is more legal covering of asses than anything else. In some areas maybe we can't rely entirely on societal trust and it's accidentally helpful to have people prodding at these systems, but they're still a nuisance and I would not trust the community in general to use that knowledge responsibly. I've known too many people who have bad attitude towards society in general and who would take these things as far as they can for personal benefit.

Being clever is great. Being clever in ways that hurt society is not.

I'd rather say:

[Domini]

"Crackers Get Free Parking In San Francisco"

disappointed

[BattleApple]

Hackers Get Free Parking In San Francisco

I thought they were just going to start letting us park for free because we're so cool.

Re:Portable Oscilloscope?

[rodrigoandrade]

Geez, at those prices, wouldn't it be cheaper to just pay for the damn parking card???

Re:

[TheP4st]

Sure if it only is for your self it probably would not make that much sense to buy one of the more expensive ones but I saw a USB one going for 72$, seem quite a reasonable investment for unlimited parking to me. And, if you start massproducing cards and selling them for let's say 5 buck a pop it should not take long before you do break even on a fluke 225.

Re:

[TheP4st]

Should have been 25 buck a pop and Fluke 125.

Re:

[sdpuppy]

Saves a lot of money until you get caught with the counterfeiting equipment.

I'm sure eventually the city will notice the discrepancy and figure out what's going on and investigate.

Guess where will the money come to pay to fix the meters (even if it's just changing a couple lines of code it will not be inexpensive).

Re:

[Pinckney]

Make up for it by making and selling bottomless parking cards.

Oscilloscopes in San Francisco? Oh, Great...

[RobotRunAmok]

Can't wait for the trends to start: half the populace will be covering them in WD-40 and sticking them up their ass, and the rest will be basing a new religion around them, tattooing sine waves onto their foreheads.

Re:

[RichardJenkins]

Only for the person who gathers and distributes the data, and only then if he doesn't already own one.

Re:

[Raven42rac]

I don't think you need it every time, just to figure out how the thing worked. The way it works doesn't really surprise me, municipalities take this amazing technology, apply bad practices, lowest common denominator stuff, and use horrendous security at an inflated cost for not much benefit.

Re:

[twistah]

Please tell me you don't seriously think they did this to get away with not paying for parking.

Re:

[c_jonescc]

here in Philly it's possible to get a ticket if you're found to 'too frequently' happen to be parked at broken meters. the assumption is that you're a vandal. if those broken meters happened to actually be vandalized, you may find yourself having a longer conversation than a parking ticket. http://www.philly.com/dailynews/columnists/stu_bykofsky/45599557.html [philly.com]

Re:

[blueskies]

How do you know it was fraudulently paid?