Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers Get Free Parking In San Francisco

Posted by timothy on from the usually-spots-at-the-end-of-the-judah-line dept.

Hugh Pickens writes "PC World reports that at the Black Hat security conference this week, security researchers say that it is pretty easy for a technically savvy hacker to make a fake payment card that gives them unlimited free parking on San Francisco's smart parking meter system. 'It wasn't technically complicated and the fact that I can do it in three days means that other people are probably already doing it and probably taking advantage of it,' says Joe Grand. 'It seems like the system wasn't analyzed at all.' To figure out how the payment system worked, Grand hooked up an oscilloscope to a parking meter and monitored what happened when he used a genuine payment card. Grand discovered the cards aren't digitally signed, and the only authentication between the meter and card is a password sent from the former to the latter. Examining the meters themselves could yield additional vulnerabilities that might allow someone to conduct other kinds of attacks, such as propagating a virus from meter to meter via the smart cards or a meter minder's PDA."

11 of 221 comments (clear)

  1. Re:Portable Oscilloscope? by rodrigoandrade · · Score: 4, Insightful

    Geez, at those prices, wouldn't it be cheaper to just pay for the damn parking card???

  2. how can this help us by onepoint · · Score: 3, Insightful

    Well, I RTFA, and I have to admit, I liked the hack, I only hope that they do fix it, otherwise it will always be employee's of the stores that have parking and people shopping will not have access to the stores.

    I really do hate it when people hog a meter all day, paying for daily parking in certain towns is just way out of control.

    Now if the hack is really as simple as presented in the 60+ page report, the black market for this is huge, selling 999.00 cards for $50.00 a pop, I know of at least 100 buyers, and if marketed correctly, the entire business district will be a net loss for those towns whom don't execute a plan quickly.

    Before anyone talks about the 3 million in savings, Please note, that's just the theft that the meter people were pocketing. What should happen is that the long term savings should increase by the labor savings, please see past example of easy-pass toll system of NY & NJ, where within 2 weeks rush-hour was reduced by 25 to 50 minutes and toll takers were reduced by 1 or 2 people per exit.

    --
    if you see me, smile and say hello.
  3. Re:"other people are probably already doing it" by Antique+Geekmeister · · Score: 3, Insightful

    Is it better for cities to rely on such stupid pieces of low-bidder refuse for tools like parking meters and US passports? (http://blogs.zdnet.com/storage/?p=540) Most RFID implementations simply are not secure: they're typically no more reliable than a barcode, which is also easily spoofed.

    And sadly, it's the fault of both the technology (which remains limited by budget marketing to very simply devices) and by inabilities to agree on updates to their encryption and authentication techologies (look up 'new encryption standards for RFID' on Google for references). The infighting among the vendors is horrible, and is delaying improved technologies.

  4. Re:Free parking! Just uh.. oh crap. by Canazza · · Score: 5, Insightful

    He was probably wearing a high-vis jacket and wearing heavy leather gloves. He'd have looked like an ordinary electrician. If anyone asks he was 'reparing' the meter.

    --
    It pays to be obvious, especially if you have a reputation for being subtle.
  5. Re:Parking Meter Botnet by jellomizer · · Score: 4, Insightful

    Yes I am upset by this.
    If more then just a small handful of people start doing this then they will raise the price for parking for the people who do it legally.
    They may have to go and fix the system causing us to pay for it in taxes, as well future systems will need to be more expensive as they need to deal with hackers breaking the system all the time.
    The reason for meters besides revenue collection is to control the availability of parking spots. Metered parking helps keeps store front spots open for customers. As well keeps abandoned or broken cars sitting indefinitely in good parking spots.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  6. Re:"other people are probably already doing it" by Vellmont · · Score: 4, Insightful


    Would it have been better to have a system with a few hackers taking advantage and skipping some parking fees, versus a now-comprimised system

    Stupid knowledge! You just ruin it for everyone. If only we'd be more ignorant and stick our heads in the sand there would be no problem.

    Did you ever think that someone beyond curious hackers looking for a few free hours of parking might be interested in this? Like say.. criminals selling counterfeit parking cards at 1/3 the price?

    --
    AccountKiller
  7. Re:Parking Meter Botnet by Shaltenn · · Score: 4, Insightful

    Maybe the fact that 90% of the time people don't have change on them? Society as a whole is becoming a lot more dependent on ATM cards, credit cards, etc as opposed to cash money. This means that people don't have coinage nor dollars, but instead a plastic card in their wallet. I have seen machines that take cards and coins and even dollar bills. This seems like the best idea. Any te

    --
    If you were offended by anything I said... No, I'm not sorry. Please lighten up.
  8. Anyone could do it?? Don't think so.. by Viol8 · · Score: 3, Insightful

    "To get a closer look at the chips on the cards, researchers used acetone to remove the pastic surrounding them, put them in a small vial of heated fuming nitric acid, rinsed them in acetone and then placed them in a ceramic package for probing."

    Err ,yeah, I do that sort of thing every day in my kitchen!

    Lets be honest , "anyone" is a relative term here - anyone whos a whizz with low level logica gate analysis plus knows some chemistry and has access to occiliscopes etc may be able to do it - a normal office guy like me can't. Perhaps a bit too much false modesty on the part of the article author.

  9. Re:Parking Meter Botnet by Aceticon · · Score: 4, Insightful

    Many cities around the world deploy parking meters in places where there is no lack of parking places as a form of revenue for the local authorities.

    Also parking meters are usually deployed in such a way as to eliminate all other parking alternatives (if the purpose was to make parking spaces available for those who really need it, then only some of the places would need to be made "premium" with parking meters while most spaces would remain free)

    To further enhance the income from parking, most parking meter systems are also designed in such a way (pay first) that users either have to overpay (pay more time than you use) or are hit with significant fines for going overtime.

    This is why most people hate parking meters and other paid parking system in public spaces.

    I for one welcome our new parking meter infecting virus overlords.

  10. Re:Parking Meter Botnet by Rasperin · · Score: 4, Insightful

    What are you talking about, it's very expensive to fix. First you have to pay for the code updates, that's going to be a million, take a year, and be delivered late. Then, you have to do a mass software update, that's going to be another 10 million. Then lastly, the most expensive part, a "hardware update" issuing new cards to be compliant with the new standard to match. I don't even want to dream how much that would cost.

    *My numbers may be artificially inflated from working with IBM.

    --
    WTF Slashdot, why do I have to login 50 times to post?
  11. Re:Parking Meter Botnet by blueskies · · Score: 4, Insightful

    They made that decision when they bought shitty meters.