Free parking possible in the world's biggest cities

Jul 31, 2009 13:42 GMT

A team of researchers told the audience at the Black Hat security conference in Las Vegas how San Francisco's smart parking meters could be tricked into granting unlimited free parking. The hack took three days to devise and uses off-the-shelf equipment.

San Francisco acquired around 25,000 MacKay Guardian XLE electronic parking meters from J.J. MacKay Canada back in 2002. The cost of the devices, which accept smart cards as well as coins, was estimated by the municipality at $25 million.

Jacob Appelbaum, Joe Grand and Chris Tarnovsky revealed their findings during a 75-minute talk, in which they showed a photo of one of San Francisco's meters displaying a balance of $999.99 when reading their custom card. This should be impossible, because the pre-paid GemPlus cards that are available for sale do not have values exceeding $50.

The researchers started by using a smart-card shim, widely available in specialized stores, and an oscilloscope to monitor the communications exchanged between the card and the meter. This allowed them to learn that the meter sent a password to the card, which in turn had to confirm that it was correct.

They were able to replicate the signals sent and determine which one was responsible for reporting the credit balance. The hackers then created a rogue card, which they modified to report a credit of $999.99. However, modifying a card to ignore the meter's requests and never alter its original balance is also possible.

"We own the San Francisco parking meter system. They clearly did not do enough due diligence if at all from a security perspective. The idea that someone is not already exploiting it is sort of laughable," Jacob Appelbaum told The Register. The vulnerable meter model is used in large cities around the world, but the researchers did not test the hack outside of San Francisco.

Last year, the Massachusetts Bay Transportation Authority obtained a restraining order that prevented three MIT students from disclosing a similar hack on the cards used for the Boston subway. To avoid a similar scenario, Appelbaum, Grand and Tarnovsky did not contact the San Francisco Municipal Transportation Agency or J.J. MacKay Canada in advance.