Meter Hackers Find Free Parking in San Francisco

San Francisco's ambitious plans to roll out computerized smart parking meters have hit a snag: They can be hacked for free parking.

By Robert McMillan

Thu, July 30, 2009 — IDG News Service

Security researchers say that it is easy for a technically savvy hacker to make a fake payment card that gives them unlimited free parking. To prove their point, they will explain at a computer security conference Thursday how they built just such a card in about three days.

According to Joe Grand, owner of Grand Idea Studio, San Francisco's parking meters have no way of telling the difference between a genuine payment card and a fake. These cards can be used to pay 23,000 meters citywide.

Grand, who hadn't worked much with smart cards, said that the work wasn't particularly hard to do. His card simply replays the same signals used by genuine cards to the meter. Although he never actually used the card to get free parking, Grand said he was able to build a card with a balance of US$999.99 -- the maximum possible -- that would never run out of funds.
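The weakness described above, a meter that accepts whatever a card previously said, can be shown with a toy model. This is an added example, not code from the article or from the researchers; the classes, the byte strings and the HMAC-based challenge-response are all assumptions chosen for illustration and do not reflect the actual meter protocol.

```python
import hashlib
import hmac
import os

class StaticMeter:
    """Toy meter: accepts any card that sends the expected fixed bytes."""
    def __init__(self, expected):
        self.expected = expected
    def pay(self, card):
        return card.respond(None) == self.expected

class ChallengeMeter:
    """Toy meter: sends a fresh random challenge, checks an HMAC over it."""
    def __init__(self, key):
        self.key = key
    def pay(self, card):
        challenge = os.urandom(16)  # new for every transaction
        want = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(card.respond(challenge), want)

class StaticCard:
    """Genuine card in the static scheme: always sends the same bytes."""
    def __init__(self, transcript):
        self.transcript = transcript
    def respond(self, challenge):
        return self.transcript

class KeyedCard:
    """Genuine card in the challenge scheme: answers with HMAC(key, challenge)."""
    def __init__(self, key):
        self.key = key
    def respond(self, challenge):
        return hmac.new(self.key, challenge, hashlib.sha256).digest()

class ReplayCard:
    """Card that only repeats one previously observed response."""
    def __init__(self, recorded):
        self.recorded = recorded
    def respond(self, challenge):
        return self.recorded

def demo():
    transcript = b"CONSTRUCTED-SAMPLE-TRANSCRIPT"  # constructed, not real card data
    key = os.urandom(32)
    genuine_static, genuine_keyed = StaticCard(transcript), KeyedCard(key)
    replay_static = ReplayCard(genuine_static.respond(None))
    replay_keyed = ReplayCard(genuine_keyed.respond(os.urandom(16)))
    static_meter, challenge_meter = StaticMeter(transcript), ChallengeMeter(key)
    return {"static_genuine": static_meter.pay(genuine_static),
            "static_replay": static_meter.pay(replay_static),
            "challenge_genuine": challenge_meter.pay(genuine_keyed),
            "challenge_replay": challenge_meter.pay(replay_keyed)}
```

A fresh challenge defeats pure replay only; it does not help if the card's key can be extracted or if the meter trusts a balance reported by the card.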

"If I found this problem, chances are somebody else knows about the problem and possibly is exploiting it," he said. "That's costing all of us taxpayers money."

To figure out how the payment system worked, Grand hooked up an oscilloscope to a parking meter and monitored what happened when he used a genuine payment card. He then analyzed that data by hand, and wrote a software program that would emulate the smart card. After some trial and error, he finally figured out what his program needed to say to the meter in order to work. Then he built a card that would replay the same data, using a programmable smart card called a Silver Card.

San Francisco uses McKay Guardian XLE meters, Grand said, but because these meters are implemented differently in different cities, his technique may not work outside of San Francisco.

Cities across the U.S. are rolling out computerized parking meter systems designed to be easier to pay and manage. San Francisco's smart meters were rolled out as part of a broader program, known as SFpark, which will eventually deploy parking sensors that can detect when a space is empty and transmit that information wirelessly to drivers looking for spots.

But there have been some problems. In May, about 125 smart meters in Chicago stopped working properly, prompting speculation that the machines may have been hacked.

City officials attributed the failure to a computer glitch, and Grand said that the city's explanation sounds about right. "I think personally that the failures were a firmware problem, a bug in the system," he said.
