July 30, 2009, 10:32 AM — LAS VEGAS (07/30/2009) - San Francisco's ambitious plans to roll out computerized smart parking meters have hit a snag: They can be hacked for free parking.
Security researchers say that it is easy for a technically savvy hacker to make a fake payment card that gives them unlimited free parking. To prove their point, they will explain at a computer security conference Thursday how they built just such a card in about three days.
According to Joe Grand, owner of Grand Idea Studio, San Francisco's parking meters have no way of telling the difference between a genuine payment card and a fake. These cards can be used to pay 23,000 meters citywide.
Grand, who hadn't worked much with smart cards, said that the work wasn't particularly hard to do. His card simply replays the same signals used by genuine cards to the meter. Although he never actually used the card to get free parking, Grand said he was able to build a card with a balance of US$999.99 -- the maximum possible -- that would never run out of funds.
"If I found this problem, chances are somebody else knows about the problem and possibly is exploiting it," he said. "That's costing all of us taxpayers money."
To figure out how the payment system worked, Grand hooked up an oscilloscope to a parking meter and monitored what happened when he used a genuine payment card. He then analyzed that data by hand, and wrote a software program that would emulate the smart card. After some trial and error, he finally figured out what his program needed to say to the meter in order to work. Then he built a card that would replay the same data, using a programmable smart card called a Silver Card.
San Francisco uses MacKay Guardian XLE meters, Grand said, but because these meters are implemented differently in different cities, his technique may not work outside of San Francisco.
Cities across the U.S. are rolling out computerized parking meter systems designed to be easier to pay and manage. San Francisco's smart meters were rolled out as part of a broader program, known as SFpark, which will eventually deploy parking sensors that can detect when a space is empty and transmit that information wirelessly to drivers looking for spots.
But there have been some problems. In May, about 125 smart meters in Chicago stopped working properly, prompting speculation that the machines may have been hacked.
City officials attributed the failure to a computer glitch, and Grand said that the city's explanation sounds about right. "I think personally that the failures were a firmware problem, a bug in the system," he said.
Because they had never looked at parking meters before, Grand and his two co-researchers, Jacob Appelbaum and Chris Tarnovsky, also spent some time taking apart payment cards and a parking meter they picked up on eBay to understand how they work. They will present their findings at the Black Hat security conference in Las Vegas Thursday.
They don't intend to provide full technical details on how they built their fake card, however, as that information could be misused to bilk San Francisco.
They say that if San Francisco wants to avoid fraud on its system, it should look at securing the meters by developing a better way to authenticate smart cards. This may involve making the meters even smarter, so that they can communicate with each other and process digital signatures during each transaction.
"Hardware devices should not be trusted, they need to be analyzed before they're deployed," Grand said. "These devices are not secure."
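The researchers' recommendation, authenticating the card freshly on every transaction, can be sketched as a challenge-response check. This is an added example, not code from the researchers or the meter vendor: it uses an HMAC with a per-card key as a standard-library stand-in for the digital signatures mentioned above, and every name, key and card ID in it is hypothetical.

```python
import hashlib
import hmac
import secrets

# Assumption: issuer master key, held in protected storage inside each meter.
MASTER_KEY = secrets.token_bytes(32)

def card_key(card_id: bytes) -> bytes:
    """Per-card key derived from the master key, so one extracted card key exposes one card."""
    return hmac.new(MASTER_KEY, b"card-key|" + card_id, hashlib.sha256).digest()

def transaction_mac(key: bytes, card_id: bytes, nonce: bytes, cents: int) -> bytes:
    """Bind the response to this card, this challenge and this amount."""
    msg = len(card_id).to_bytes(1, "big") + card_id + nonce + cents.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()

class GenuineCard:
    """Computes a fresh response for every challenge using its own key."""
    def __init__(self, card_id: bytes):
        self.card_id = card_id
        self._key = card_key(card_id)  # written to the card at issuance

    def respond(self, nonce: bytes, cents: int) -> bytes:
        return transaction_mac(self._key, self.card_id, nonce, cents)

class ReplayingCard:
    """Constructed stand-in for a clone: returns one recorded response, whatever the challenge."""
    def __init__(self, card_id: bytes, recorded: bytes):
        self.card_id = card_id
        self._recorded = recorded

    def respond(self, nonce: bytes, cents: int) -> bytes:
        return self._recorded

def meter_accepts(card, cents: int) -> bool:
    """Meter side: issue an unpredictable nonce, then verify the card's response to it."""
    nonce = secrets.token_bytes(16)
    expected = transaction_mac(card_key(card.card_id), card.card_id, nonce, cents)
    return hmac.compare_digest(card.respond(nonce, cents), expected)

def demo() -> tuple:
    genuine = GenuineCard(b"CARD-0001")  # constructed card ID
    # A response captured from an earlier transaction, as a bus recording would hold.
    recorded = genuine.respond(secrets.token_bytes(16), 25)
    clone = ReplayingCard(b"CARD-0001", recorded)
    return meter_accepts(genuine, 25), meter_accepts(clone, 25)
```

Because the meter picks a new nonce for each transaction, a recorded response only ever matches the transaction it was recorded from. A card with a fabricated balance is a separate problem that needs the balance checked somewhere other than the card itself.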