Anytime a card is used as a credential for transferring money, or as an electronic purse, or as a debit/credit card, you are running a big risk that the person with the card in their hand can manipulate the card and add/delete money to the card without your knowledge. They can also potentially use the card to enter data into your device (be it a pay on foot, pay and display, stand alone meter, or ATM for that matter).
"We're not picking on San Francisco," Grand said. "We're not even claiming to get free parking. We're trying to educate people about … how they can take our research and apply it to their own cities if they are trying to deploy their own systems or make them more secure…. Cities all over the nation and all over the world are deploying these smartcard meters [and] there's a number of previously known problems with various parking meters in other cities."
Over 30 years ago, Citibank in New York was using off line magnetic stripe cards to access its brand new ATM and check verifying machines in the city. Someone in the R and D department of the bank decided to see just how secure these devices were. They asked a group of kids from Cal Tech or somewhere to attempt to break into the system. (Granted these aren't just your average kids, but then you need to protect yourself from the smart ones.)
The group opened a bank account, got an ATM card, and then went away for a week or so. When they came back they were petrified. They had, through only the use of the card and the ATM, opened a new bank account, and transferred a ton of money into it. The only problem they had was that they couldn't enter an address for the account; however, they could withdraw money through the ATM.
Their problem? They had just robbed the bank. They fessed up, returned the money but the bank was really worried. This began a rapid change in how ATMs (and most credit/debit systems) work. They are now ON LINE. That means that the card is only a credential telling the machine the assumed identity of the person that is standing in front of it. To complete the transaction you must enter your PIN. The PIN is not on the card, it's held back at the bank's central computer. The PIN must match the card or all sorts of bad things happen. Obviously this isn't foolproof, but it does give the bank some line of defense against hackers.
The problem in SF noted above, and the problem I discussed in another blog entry about Toronto, is that the meters worked either in batch mode or off line. The meters in SF simply read the card, asked the person how much parking they wanted to buy, and if that amount was on the card, deducted that amount from the card. The problem is that you are giving the card to a potential thief and you are giving them all the time in the world to figure out how to hack the card, change it, and then come and park for free. It is inconceivable to me that the kids in the engineering department at Stanford, Cal, or USF (or for that matter UCLA, Harvard, Cal Tech, UW or pick a school) have paid for parking in years.
The only way to stop this is to have the information about the amount of money on the card held at a central computer and have the meter look there every time a transaction takes place. Oh, people will say that the new "smart" cards with computer chips inside them are foolproof. They haven't proven that to me.
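To make the difference concrete, here is an added sketch (mine for illustration, not code from the Black Hat research or from any meter vendor) that models the two designs: an off line meter that believes the balance written on the card, and an on line meter that treats the card only as a credential and asks a central ledger. The class names, the card id and the mismatch alert are all assumptions made up for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Card:
    card_id: str
    balance_cents: int  # lives on the card, so the cardholder can rewrite it

class OfflineMeter:
    """Off line design: the card's own stored value is the only record."""
    def pay(self, card: Card, amount: int) -> bool:
        if amount <= 0 or card.balance_cents < amount:
            return False
        card.balance_cents -= amount
        return True

@dataclass
class Ledger:
    """Central computer: the authoritative balance for each card id."""
    balances: dict
    alerts: list = field(default_factory=list)

    def debit(self, card_id: str, amount: int, claimed: int) -> bool:
        actual = self.balances.get(card_id)
        if actual is None:
            self.alerts.append((card_id, "unknown card"))
            return False
        if claimed != actual:
            # Card and ledger disagree: keep a record for investigation.
            self.alerts.append((card_id, f"card says {claimed}, ledger says {actual}"))
        if amount <= 0 or actual < amount:
            return False
        self.balances[card_id] = actual - amount
        return True

class OnlineMeter:
    """On line design: the card only identifies the account."""
    def __init__(self, ledger: Ledger):
        self.ledger = ledger

    def pay(self, card: Card, amount: int) -> bool:
        return self.ledger.debit(card.card_id, amount, card.balance_cents)

def demo():
    # Constructed scenario: 500 cents were loaded, but the card now claims 99999.
    ledger = Ledger({"card-001": 500})
    offline_ok = OfflineMeter().pay(Card("card-001", 99_999), 2_000)
    online_ok = OnlineMeter(ledger).pay(Card("card-001", 99_999), 2_000)
    return offline_ok, online_ok, ledger.balances["card-001"], ledger.alerts

if __name__ == "__main__":
    print(demo())
```

The off line meter accepts the altered card, while the on line meter refuses it, leaves the real balance untouched and gives your IT people an alert to follow up on.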
If your system uses credit/debit cards and is on line, my guess is that you are pretty safe. If it uses debit cards that are off line, you had better have your IT people check it out pretty closely. You could have a big problem on your hands.
The process that the folks at "Black Hat" went through is good for the industry. It keeps us on our toes and ensures that manufacturers don't take too much for granted.
Here's the link to "how to hack a parking meter" —