In the name of urban anarchy and intellectual stimulation, a team of three hackers has figured out how to break the security systems of a variety of parking meters.
At the Black Hat conference in Las Vegas today, Joe Grand, Jacob Appelbaum and Chris Tarnovsky said they used a variety of tactics to figure out how various parking meters work and how they can be tricked into giving you free parking.
While parking meters may not seem like a big deal, they generate roughly $28 billion a year in revenues for contractors and city governments around the country. If they’re compromised, that could put a wrench in the plans of cities that are trying to get more money from parking collection and stop fraud by human meter coin collectors during the recession.
One of the problems is that cities started to shift to electronic meters in the 1990s, when security measures were fairly primitive. But even decades later, many of the devices remain unprotected, even though they can be used to process smart card or credit card transactions.
For the past eight years, security researchers have been developing hacking techniques; in 2001, one hacker figured out how to use infrared technology to reset a parking meter. San Francisco has spent $35 million converting from mechanical parking meters to electronic ones since 2003. The 23,000 meters generate $30 million a year. Yet the researchers found that there was very little thought put into how to protect the meters, which have built-in computers.
“Our attack isn’t great technology at all and it shouldn’t even be possible in 2009,” Appelbaum said.
Grand said that the research on parking meters took a couple of months, but the hack itself took only three days from start to finish.
In the case of San Francisco, the trio hacked the parking meters via a process of deduction. The hackers collected data on a variety of parking meters, which vary by manufacturer and city. They bought older parking meters on eBay in order to find out what electronics they used. Used parking meters were available for anywhere from 99 cents to $500. They found an early version of the MacKay Guardian meter, which San Francisco uses.
Once they disassembled the meters, they found there wasn’t that much protecting the computer inside. The systems were meant to protect against vandalism, but not against hacking. The researchers used hardware detection devices to figure out how the chips worked and then reverse engineered what the software running on the chips did. None of the data paths in the devices were encrypted.
They also used a digital oscilloscope to read the values on smart cards. The key flaw in the San Francisco system is that the interaction between the smart card and the meter’s electronic reader was unprotected. Grand said it’s hard to implement such protection, but the problem of being able to hack a smart card has been known for many years.
Once the researchers understood the smart card protocol and how it worked, they found they could change the code on a smart card to reload the dollar value. In fact, they showed a picture of a parking meter where they had changed the value of money stored on a card to $999.99.
San Francisco is in trouble because it may have to audit its logs every day to prevent massive fraud. There are also serious privacy implications where the logs could show where you’ve parked and which smart card you’ve used to pay for the parking.
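The daily log audit described above amounts to reconciling card sales records against what the meters report. The following is an added example, not code from the researchers or the city: the log fields, card IDs and the assumption that cards are sold at a fixed value with no legitimate reload are all hypothetical, and the sample records are constructed.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sales records: card_id -> value loaded at sale (assumed non-reloadable).
ISSUED = {"C100": Decimal("20.00"), "C200": Decimal("50.00"), "C300": Decimal("20.00")}

# Constructed meter log in time order; the layout is hypothetical:
# (meter_id, card_id, balance_before, amount_deducted)
METER_LOG = [
    ("M17", "C100", "20.00", "2.50"),
    ("M17", "C100", "17.50", "3.00"),
    ("M42", "C200", "50.00", "4.00"),
    ("M42", "C200", "50.00", "4.00"),   # balance is back at 50.00 after a deduction
    ("M08", "C300", "999.99", "6.00"),  # balance far above what was sold on the card
    ("M08", "C999", "20.00", "1.00"),   # card with no matching sale
]

def audit(issued, log):
    """Return {card_id: sorted anomaly names} for cards whose log entries
    cannot be explained by the sales records."""
    findings = defaultdict(set)
    last_after = {}                # balance each card should carry to its next use
    spent = defaultdict(Decimal)   # running total deducted per card
    for _meter, card, before, deducted in log:
        before, deducted = Decimal(before), Decimal(deducted)
        if card not in issued:
            findings[card].add("unknown_card")
        elif before > issued[card]:
            findings[card].add("balance_exceeds_issued")
        # A stored-value card should never report more than it held after its last use.
        if card in last_after and before > last_after[card]:
            findings[card].add("balance_increased")
        spent[card] += deducted
        if card in issued and spent[card] > issued[card]:
            findings[card].add("overspent")
        last_after[card] = before - deducted
    return {card: sorted(names) for card, names in findings.items()}

if __name__ == "__main__":
    for card, names in audit(ISSUED, METER_LOG).items():
        print(card, ", ".join(names))
```

Because the meters are the only source of balance data, this check depends on meter logs being collected centrally and compared against an independent record of card sales.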
The hackers said they ran some risk of getting sued by the city of San Francisco for their talk. But they weren’t sued as of the time of the talk, and they did take a step toward protecting themselves. Since the San Francisco meter technology was customized, they left out some data in their report that would allow someone to reproduce the attack entirely and then defraud the city of parking revenues. Grand said he still hasn’t heard from city officials, but he is happy to help them with the task of creating protection for the meters. He said there is no point in shooting the messenger.
“If we could figure this out in three days, I guarantee you that somebody else is out there already doing it,” Grand said.