
Black Hat: Hackers crack smart parking meter hole

July 31, 2009
And you thought free parking only existed on the Monopoly board.

A team of hackers disclosed Thursday at the Black Hat conference in Las Vegas that they have discovered a way to create a custom-made smart card for parking meters so they never run out.

Joe Grand, a hardware hacker who is president of research-and-development firm Grand Idea Studio, said the purpose of the project was to shed light on the digital security vulnerabilities of embedded devices, such as parking meters, which can be exploited to perpetrate financial fraud.

"Hardware is inherently trusted, and it shouldn't be," Grand said.

Grand, with the help of Jacob Appelbaum, a software hacker and developer of the Tor Project, and engineer Chris Tarnovsky, conducted their test hack in San Francisco, which spent roughly $35 million in 2003 to replace 23,000 mechanical meters with versions that accepted smart cards as payment.

They began their project by purchasing three parking meters on eBay. They used the circa-1990s models to study the underlying components of the devices.

"You do this research and get as many clues as possible, and then you formulate your attack," said Grand, who also hosts "Prototype This."

One of the meters the three researchers examined was made by J.J. MacKay Canada, a leading manufacturer that also supplied the San Francisco Municipal Transportation Authority (SFMTA) with its smart meters.

"If we find a problem with this one, it will almost certainly apply to that one," Appelbaum said.

Grand said he next purchased a number of smart cards that are used for the meters -- drivers in San Francisco can either get ones with $20 or $50 denominations -- to study how they work. Using an oscilloscope, equipment that provides visual images of an electric signal, the men monitored the communication between the smart cards and the meters.

In three days, the researchers built a custom-made smart card with a value of $999.99 -- the highest amount that can show up on the meter.

Neither SFMTA nor MacKay could be reached for comment, although MacKay claims in literature that its meters are built to defend against fraud.

The speakers said solutions such as daily audit logs, a reduction in access points and anti-tamper mechanisms could be used to prevent such attacks. For example, they said, had the target meter been outfitted with a metal detector, the researchers never could have retrieved the necessary data to build the custom smart card.
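As an added, defender-side illustration of the daily audit log suggestion above (example code, not the researchers' or MacKay's; the log format and every meter and card identifier in it are assumptions), a check that replays constructed meter log lines and flags a card whose balance exceeds the issued $20/$50 denominations, sits at the $999.99 display ceiling, or grows between uses:

```python
# Added example (not from the article or MacKay): daily audit over meter logs.
# Log format and meter/card identifiers are constructed; the $20/$50 denominations
# and the $999.99 display maximum are the figures the article reports.
import re

ISSUED_DENOMINATIONS = {20.00, 50.00}  # card values sold in San Francisco
MAX_BALANCE = 999.99                   # highest value the meter can display
LINE_RE = re.compile(
    r"(?P<ts>\S+) meter=(?P<meter>\S+) card=(?P<card>\S+) balance=(?P<bal>[0-9.]+)"
)

def parse(lines):
    """Yield (timestamp, meter, card, balance) from constructed log lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["meter"], m["card"], float(m["bal"])

def find_anomalies(lines):
    """Return (card, reason) pairs that a daily audit of collected logs should flag."""
    anomalies, last_balance = [], {}
    for _ts, _meter, card, bal in parse(lines):
        if card not in last_balance:
            # First sighting: a genuine card starts at an issued denomination
            # (or below it if already partly spent), never above.
            if bal > max(ISSUED_DENOMINATIONS):
                anomalies.append((card, f"initial balance {bal:.2f} exceeds issued denominations"))
        elif bal > last_balance[card]:
            # Meters only debit cards, so a balance that grows was not set by a meter.
            anomalies.append((card, f"balance rose from {last_balance[card]:.2f} to {bal:.2f}"))
        if bal >= MAX_BALANCE:
            anomalies.append((card, "balance at the meter's display ceiling"))
        last_balance[card] = bal
    return anomalies

# Constructed sample: a legitimate $20 card, a card that never runs out,
# and a card whose balance is restored between uses.
SAMPLE_LOG = [
    "2009-07-30T08:15:02 meter=M-0101 card=C-LEGIT balance=20.00",
    "2009-07-30T09:40:11 meter=M-0102 card=C-LEGIT balance=17.50",
    "2009-07-30T10:02:45 meter=M-0101 card=C-CLONE balance=999.99",
    "2009-07-30T12:30:00 meter=M-0103 card=C-CLONE balance=999.99",
    "2009-07-30T13:05:19 meter=M-0102 card=C-RESET balance=50.00",
    "2009-07-30T15:11:40 meter=M-0102 card=C-RESET balance=35.00",
    "2009-07-31T08:00:07 meter=M-0104 card=C-RESET balance=50.00",
]

if __name__ == "__main__":
    for card, reason in find_anomalies(SAMPLE_LOG):
        print(f"{card}: {reason}")
```

The check only works if meters upload their transaction records to a central point; a meter that keeps its logs locally gives the auditor nothing to correlate across the fleet.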

Grand said he and his team did not notify the city prior to their presentation, but they plan to soon.

"The goal was not to target San Francisco but to show how parking meters are overlooked and anywhere in the world, they could be attacked," he told SCMagazineUS.com after the talk.