Slashdot Mirror


Hackers Get Free Parking In San Francisco

Hugh Pickens writes "PC World reports that at the Black Hat security conference this week, security researchers say that it is pretty easy for a technically savvy hacker to make a fake payment card that gives them unlimited free parking on San Francisco's smart parking meter system. 'It wasn't technically complicated and the fact that I can do it in three days means that other people are probably already doing it and probably taking advantage of it,' says Joe Grand. 'It seems like the system wasn't analyzed at all.' To figure out how the payment system worked, Grand hooked up an oscilloscope to a parking meter and monitored what happened when he used a genuine payment card. Grand discovered the cards aren't digitally signed, and the only authentication between the meter and card is a password sent from the former to the latter. Examining the meters themselves could yield additional vulnerabilities that might allow someone to conduct other kinds of attacks, such as propagating a virus from meter to meter via the smart cards or a meter minder's PDA."


  1. Parking Meter Botnet by sopssa · · Score: 5, Funny

    Examining the meters themselves could yield additional vulnerabilities that might allow someone to conduct other kinds of attacks, such as propagating a virus from meter to meter via the smart cards or a meter minder's PDA."

    I, for one, welcome our new parking meter botnet overlords.

    1. Re:Parking Meter Botnet by jellomizer · · Score: 4, Insightful

      Yes I am upset by this.
      If more than just a small handful of people start doing this then they will raise the price for parking for the people who do it legally.
      They may have to go and fix the system causing us to pay for it in taxes, as well future systems will need to be more expensive as they need to deal with hackers breaking the system all the time.
      The reason for meters besides revenue collection is to control the availability of parking spots. Metered parking helps keep store front spots open for customers. As well keeps abandoned or broken cars sitting indefinitely in good parking spots.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:Parking Meter Botnet by Shaltenn · · Score: 4, Insightful

      Maybe the fact that 90% of the time people don't have change on them? Society as a whole is becoming a lot more dependent on ATM cards, credit cards, etc as opposed to cash money. This means that people don't have coinage nor dollars, but instead a plastic card in their wallet. I have seen machines that take cards and coins and even dollar bills. This seems like the best idea. Any te

      --
      If you were offended by anything I said... No, I'm not sorry. Please lighten up.
    3. Re:Parking Meter Botnet by xaxa · · Score: 5, Informative

      what was wrong with coin operated meters? Why do they need computers?

      Criminal gangs target coin operated meters. For instance, "Cashless parking was trialled in Westminster [London] in October 2006 and in early 2007 the decision was taken to extend cashless parking city [of Westminster] wide. One of the primary drivers was the estimated £120,000 per week being lost to organised crime. Organised crime which led to murder on the streets of Westminster." (The murder was after one gang started taking the money from meters in another gang's "territory").

      A metal detector under the parking space and a camera nearby, and the computer could automatically issue a ticket (or automatically bill for the correct duration). And tell drivers how many spaces are available.

    4. Re:Parking Meter Botnet by sortius_nod · · Score: 4, Interesting

      I remember doing an easier hack on the parking meters in Newcastle AU. Grab a used Telstra smart card phone card, shove it in, meter breaks, free parking for a few days for everyone.

      It seems that the parking meter OS was unable to handle cards that didn't send the right data back, so went into "out of order" mode.

      I suppose they got wise on these kinds of simple hacks and changed the smart card system.

    5. Re:Parking Meter Botnet by Aceticon · · Score: 4, Insightful

      Many cities around the world deploy parking meters in places where there is no lack of parking places as a form of revenue for the local authorities.

      Also parking meters are usually deployed in such a way as to eliminate all other parking alternatives (if the purpose was to make parking spaces available for those who really need it, then only some of the places would need to be made "premium" with parking meters while most spaces would remain free)

      To further enhance the income from parking, most parking meter systems are also designed in such a way (pay first) that users either have to overpay (pay more time than you use) or are hit with significant fines for going overtime.

      This is why most people hate parking meters and other paid parking systems in public spaces.

      I for one welcome our new parking meter infecting virus overlords.

    6. Re:Parking Meter Botnet by Rasperin · · Score: 4, Insightful

      What are you talking about, it's very expensive to fix. First you have to pay for the code updates, that's going to be a million, take a year, and be delivered late. Then, you have to do a mass software update, that's going to be another 10 million. Then lastly, the most expensive part, a "hardware update" issuing new cards to be compliant with the new standard to match. I don't even want to dream how much that would cost.

      *My numbers may be artificially inflated from working with IBM.

      --
      WTF Slashdot, why do I have to login 50 times to post?
    7. Re:Parking Meter Botnet by blueskies · · Score: 4, Insightful

      They made that decision when they bought shitty meters.

  2. The usual solution by drgould · · Score: 5, Interesting

    The usual bureaucratic solution in a case like this is to make it illegal to hook up oscilloscopes to parking meters in San Francisco.

    1. Re:The usual solution by n1ckml007 · · Score: 5, Funny

      Sir is that an oscilloscope in your pocket... ?

    2. Re:The usual solution by morgan_greywolf · · Score: 3, Funny

      Sir! Put down the oscilloscope and back away....slowly....

    3. Re:The usual solution by kimvette · · Score: 5, Funny

      Sir, do you have a concealed oscilloscope permit?

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    4. Re:The usual solution by JustOK · · Score: 5, Funny

      in a sinusoidal manner

      --
      rewriting history since 2109
    5. Re:The usual solution by Shrike82 · · Score: 3, Funny

      "What's that Billy? Trespassers? Get my oscilloscope from above the fireplace!"

      --
      You can advertise in this sig from as little as £99.99 a month!
    6. Re:The usual solution by Daley_G · · Score: 3, Informative

      I first read of this on some other site where it explains they bought various meters off ebay. At that point, nothing illegal was done as they owned the meters they were experimenting on. Granted, there was no money to be gained by doing this, but exploiting the vulnerability is probably worth quite a bit - to someone.

  3. Re:Portable Oscilloscope? by rodrigoandrade · · Score: 4, Insightful

    Geez, at those prices, wouldn't it be cheaper to just pay for the damn parking card???

  4. how can this help us by onepoint · · Score: 3, Insightful

    Well, I RTFA, and I have to admit, I liked the hack, I only hope that they do fix it, otherwise it will always be employees of the stores that have parking and people shopping will not have access to the stores.

    I really do hate it when people hog a meter all day, paying for daily parking in certain towns is just way out of control.

    Now if the hack is really as simple as presented in the 60+ page report, the black market for this is huge, selling 999.00 cards for $50.00 a pop, I know of at least 100 buyers, and if marketed correctly, the entire business district will be a net loss for those towns that don't execute a plan quickly.

    Before anyone talks about the 3 million in savings, Please note, that's just the theft that the meter people were pocketing. What should happen is that the long term savings should increase by the labor savings, please see past example of easy-pass toll system of NY & NJ, where within 2 weeks rush-hour was reduced by 25 to 50 minutes and toll takers were reduced by 1 or 2 people per exit.

    --
    if you see me, smile and say hello.
  5. Re:"other people are probably already doing it" by Antique+Geekmeister · · Score: 3, Insightful

    Is it better for cities to rely on such stupid pieces of low-bidder refuse for tools like parking meters and US passports? (http://blogs.zdnet.com/storage/?p=540) Most RFID implementations simply are not secure: they're typically no more reliable than a barcode, which is also easily spoofed.

    And sadly, it's the fault of both the technology (which remains limited by budget marketing to very simple devices) and by inabilities to agree on updates to their encryption and authentication technologies (look up 'new encryption standards for RFID' on Google for references). The infighting among the vendors is horrible, and is delaying improved technologies.

  6. l0pht by Anonymous Coward · · Score: 5, Informative

    For reference, Joe Grand is one of the members of the l0pht hacker group that were announced to be making a comeback here: http://news.slashdot.org/story/09/07/26/167251/Hacker-Group-L0pht-Making-a-Comeback?art_pos=1

  7. Re:Free parking! Just uh.. oh crap. by Canazza · · Score: 5, Insightful

    He was probably wearing a high-vis jacket and wearing heavy leather gloves. He'd have looked like an ordinary electrician. If anyone asks he was 'repairing' the meter.

    --
    It pays to be obvious, especially if you have a reputation for being subtle.
  8. Re:"other people are probably already doing it" by Vellmont · · Score: 4, Insightful


    Would it have been better to have a system with a few hackers taking advantage and skipping some parking fees, versus a now-compromised system

    Stupid knowledge! You just ruin it for everyone. If only we'd be more ignorant and stick our heads in the sand there would be no problem.

    Did you ever think that someone beyond curious hackers looking for a few free hours of parking might be interested in this? Like say.. criminals selling counterfeit parking cards at 1/3 the price?

    --
    AccountKiller
  9. Re:Free parking! Just uh.. oh crap. by value_added · · Score: 5, Funny

    He was probably wearing a high-vis jacket and wearing heavy leather gloves. He'd have looked like an ordinary electrician. If anyone asks he was 'repairing' the meter.

    San Francisco may be different, but I'd imagine that in most cities, if someone was seen beating a parking meter with a baseball bat, people passing by would nod approvingly, or perhaps cheer.

  10. Re:"other people are probably already doing it" by solevita · · Score: 3, Informative

    The article lacks the detail to replicate this guy's code

    That's what you get for reading the press release... Here is the original site; here is the code.

  11. 10 spaces away by surmak · · Score: 5, Funny

    In Monopoly just remember what is 10 spaces away from free parking (actually, in either direction). Something tells me that those who try this "Free Parking" trick may well end up rolling a pair of fives on their next move.

    Do not pass go, do not collect $200.

  12. Re:Free parking! Just uh.. oh crap. by langelgjm · · Score: 5, Interesting

    Indeed, that sort of social engineering is all about looking the part.

    I once knew someone who was able to swipe an unused payphone in broad daylight at lunchtime on a busy strip with lots of outdoor seating. The trick? Navy blue pants, blue "repairman" style shirt, a tool bag, and looking like you are supposed to be doing what you are doing.

    --
    "Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
  13. Anyone could do it?? Don't think so.. by Viol8 · · Score: 3, Insightful

    "To get a closer look at the chips on the cards, researchers used acetone to remove the plastic surrounding them, put them in a small vial of heated fuming nitric acid, rinsed them in acetone and then placed them in a ceramic package for probing."

    Err, yeah, I do that sort of thing every day in my kitchen!

    Let's be honest, "anyone" is a relative term here - anyone who's a whizz with low level logic gate analysis plus knows some chemistry and has access to oscilloscopes etc may be able to do it - a normal office guy like me can't. Perhaps a bit too much false modesty on the part of the article author.

  14. Finding a space. by bezenek · · Score: 4, Interesting

    Having a hacked card is of no use if one cannot find a parking space. Most people who have attempted to park in SF know the time wasted finding a space is usually worth more than the cost of the parking.

    Nevertheless, hacking the system is interesting.

    -Todd

    --
    Omne ignotum pro magnifico.
  15. Re:The meter pays for... by blincoln · · Score: 3, Informative

    Credit card companies tend to charge a prohibitive percentage for small transactions.

    Seattle seems to have worked out a deal with them. All of the parking meters here accept credit cards.

    --
    "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
  16. Re:Free parking! Just uh.. oh crap. by cfa22 · · Score: 3, Informative

    Back in the 90's in Berkeley (across the bay from SF) they had serious problems with people hacksawing the meters right off their posts and lobbing them into the bay. There is apparently more than one way to hack parking meters to get free parking.

  17. Drawing attention to the problem by russotto · · Score: 5, Funny

    So the hackers, having figured out how to rig the meters, set up their own meters at a few places in the city. With them they place large signs "Hacker Parking Only, Everyone Else $1,000,000". One day they notice a Porsche 959 pull up to the meter. A somewhat geeky looking man in his mid-50s gets out, looks at the sign, places a card in the meter, and it flips over to "2 hours paid". One of the hackers then walks up to the man and says "Hey, Bill Gates! I knew you started out as a hacker but I didn't know you still kept in the game!". And Gates says "What hack? I just paid the meter".