LAS VEGAS – Scofflaws could hack the smart cards that access electronic parking meters in large cities around the United States, researchers are finding. The smart cards pay for parking spots, and their programming could be easily changed to obtain unlimited free parking.

It took researcher Joe Grand only three days to design an attack on the smart cards. The researchers examined the meters used in San Francisco, but the same and similar electronic meters are being installed in cities around the world.

"It wasn't technically complicated and the fact that I can do it in three days means that other people are probably already doing it and probably taking advantage of it," said Grand, a designer and hardware hacker and one of the hosts of the Discovery Channel's Prototype This show. "It seems like the system wasn't analyzed at all."

Grand and fellow researcher Jake Appelbaum present their findings Thursday afternoon at the Black Hat security conference here. The researchers did not contact the San Francisco Municipal Transportation Agency or the meter maker prior to their talk, and asked reporters not to contact those organizations ahead of their presentation, for fear of being gagged by a court order. At last year's DefCon hacker conference, MIT students were barred from talking about similar vulnerabilities in smartcards used by the Massachusetts Bay Transportation Authority after the MBTA obtained a restraining order. Grand and Appelbaum spoke with Threat Level about their findings prior to the presentation.

"We're not picking on San Francisco," Grand said. "We're not even claiming to get free parking. We're trying to educate people about ... how they can take our research and apply it to their own cities if they are trying to deploy their own systems or make them more secure.... Cities all over the nation and all over the world are deploying these smartcard meters [and] there's a number of previously known problems with various parking meters in other cities."

San Francisco launched a $35-million pilot project in 2003 to deploy smart meters around the city in an effort to thwart thieves, including parking control officers who were skimming money from the meters. The city estimated it was losing more than $3 million annually to theft. In response, it installed 23,000 meters made by a Canadian firm named J.J. MacKay, which also has meters in Florida, Massachusetts, New York, Canada, Hong Kong and other locales.

The machines are hybrids that allow drivers to insert either coins, or a pre-paid GemPlus smart card, which can be purchased in values of $20 or $50. The machines also have an audit log to help catch insiders who might skim proceeds.

To record the communication between the card and the meter, Grand purchased a smartcard shim – an electrical connector that duplicates a smartcard's contact points – and used an oscilloscope to record the electrical signals as the card and meter communicated. He discovered the cards aren't digitally signed, and the only authentication between the meter and card is a password sent from the former to the latter. The card doesn't have to know the password, however; it just has to respond that the password is correct.

The cards sold in San Francisco are designed to be thrown out when the customer has exhausted them. But the researchers found that the meters perform no upper-bounds check, so hackers could easily boost the transaction limit on a card beyond what could be legitimately purchased. They could also program a card to simply never deduct from the transaction count.
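
The checks the researchers found missing can be sketched from the meter's side. The following is an added example, not code from the researchers, the meter maker or the original article: the meter sends a fresh challenge, the card must return a MAC proving it holds a per-card key, and the meter rejects any balance above the largest card sold. The record layout, key derivation, fixed-length serial and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

MAX_CARD_CENTS = 5000  # largest card value the article mentions: $50


def card_key(master_key: bytes, serial: bytes) -> bytes:
    """Derive a per-card key from a meter-side master key (assumed scheme)."""
    return hmac.new(master_key, b"card-key" + serial, hashlib.sha256).digest()


def card_respond(key: bytes, serial: bytes, balance_cents: int, challenge: bytes) -> bytes:
    """Genuine card: MAC over serial, balance and the meter's fresh challenge."""
    msg = serial + struct.pack(">I", balance_cents) + challenge
    return hmac.new(key, msg, hashlib.sha256).digest()


def meter_accepts(master_key, serial, balance_cents, challenge, tag):
    """Meter-side checks: upper bound first, then proof the card holds its key."""
    if not 0 <= balance_cents <= MAX_CARD_CENTS:
        return False, "balance out of range"
    expected = card_respond(card_key(master_key, serial), serial, balance_cents, challenge)
    if not hmac.compare_digest(expected, tag):
        return False, "bad MAC"
    return True, "ok"


def demo():
    master = b"\x01" * 32          # constructed test key
    serial = b"CARD0001"           # constructed 8-byte serial
    key = card_key(master, serial)
    c1, c2 = os.urandom(16), os.urandom(16)
    good = card_respond(key, serial, 2000, c1)
    return {
        "genuine": meter_accepts(master, serial, 2000, c1, good),
        "edited_balance": meter_accepts(master, serial, 5000, c1, good),
        "over_limit": meter_accepts(master, serial, 999999, c1,
                                    card_respond(key, serial, 999999, c1)),
        "replayed": meter_accepts(master, serial, 2000, c2, good),
        "always_yes_card": meter_accepts(master, serial, 2000, c1, b"\x00" * 32),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A master key held in a meter with no tamper protection can still be extracted by anyone with physical access, so these checks only help alongside protected key storage in the meter.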

"We're residents of San Francisco and our taxes are going towards a broken system that they could potentially be losing money on and we pay the consequences of that," Grand said.

Other cities around the country are using smart meters and electronic pay boxes built on different kinds of systems and varying implementations. Some are centrally controlled through a wireless network, while others are stand-alone units, like the ones in San Francisco.

Last May in Chicago, some 250 new electronic pay-and-display parking boxes made by Cale Parking Systems suddenly stopped working one day in the city's central business district. The machines stopped issuing tickets that drivers were required to place on their dashboards. It took technicians most of the day to get the machines working again, and initially some were concerned that the systems might have been hacked.

In 2001 in New York, the city's 7,000 MacKay Guardian smart meters were found to have a glitch that would allow someone with a TV remote to reset the time left on a meter to zero, leading drivers to be ticketed for exceeding their limit. All that was required was for someone to point a universal remote at a meter's infrared sensor and hold down a button for more than a minute.

Appelbaum says that type of attack could be a nightmare for a driver who's ticketed or towed because someone reduced the time on their meter. "[Even] when the machine is saying something that is actually factually wrong, you have no recourse," he says, because the machine is assumed to be right.

The researchers say they've barely scratched the surface of parking meter hacking. They didn't retrieve and examine any code to conduct their attack, though doing so would have given them more insight into other ways to attack the cards and meters, including the audit logs. They also didn't examine the PDA that parking control officers use to communicate with the meters to change the rates, extract logs and perform other functions.

"If we had access to one of these [PDAs], if we could figure out the communications protocol that a legitimate administrator would use, that's a completely different set of attacks that we would love to look at," Grand said.

Examining the meters themselves could yield additional vulnerabilities that might allow someone to conduct other kinds of attacks, such as propagating a virus from meter to meter via the smart cards or a meter minder's PDA. There is also the possibility that vulnerabilities exist in other types of meters, such as the pay-and-display payment boxes that accept credit card payments. In the case of the latter machines, the researchers say an attacker might be able to skim credit card data from them in real time by tapping the bus on the reader. An attacker would need physical access to the circuitry, but the payment boxes are secured with mechanical locks that are known to be pickable.

"From looking at previous meters we know there is no anti-tamper mechanisms or any secure hardware design techniques once you have physical access," Grand said. "If you get physical access, you can just tap onto lines. . . . and a lot of parking meter companies are assuming no one will ever get physical access to the device."

Photo: SF parking meter with smart card. (Jon Snyder/Wired)
