Black Hat Hackers have figured out a way to trick San Francisco's computerized parking meter system into giving away unlimited free parking by cloning the smart cards used to pay fees.
Speaking at the Black Hat security conference in Las Vegas, hackers Jacob Appelbaum, Joe Grand and Chris Tarnovsky said they were able to compromise the system by monitoring the communications that occur between the electronic meters and the smart cards. They were then able to carry out what's known as a replay attack, in which the communications were repeated on their own blank smart cards.
"We own the San Francisco parking meter system," Appelbaum said in an interview with El Reg. "They clearly did not do enough due diligence if at all from a security perspective. The idea that someone is not already exploiting it is sort of laughable."
During their 75-minute talk, the team showed a picture of a cloned smart card in one of the San Francisco parking meters. It's value: $999.99. The team was careful to say they never actually used any of the stored credit to pay for parking.
The hack is only the latest to highlight vulnerabilities in a new generation of electronic payment systems that collect parking fees and bus and train fares. Parking meters in New York were compromised in 2001 using infrared remote controls, and three years later weaknesses in stored-value cards used by San Diego were exposed by a hacker who goes by the name H1kari.
Last year, three undergrads from the Massachusetts Institute of Technology uncovered critical vulnerabilities in electronic fare-payment systems used by Boston's mass transit system, but were prevented from speaking about them during the Defcon hacker conference.
The process used to hack the San Francisco system was fairly straightforward and took only three days to devise. It involved using an off-the-shelf smart-card shim, and monitoring what happened using an oscilloscope. The team then analyzed the data using pen and paper and wrote a program that would repeat the process with programmable smart cards they bought off the internet.
The smart cards work in McKay Guardian XLE meters, which can accept either coins or electronic payments. Many other cities use the same model parking meters, but because of differences in the way they are configured, the team couldn't say whether the technique they used would work outside of San Francisco.
The researchers said they gained valuable insights into the meter's inner workings by purchasing them on eBay and watching how they functioned. They said their research was intended to expose weaknesses that could cost San Francisco taxpayers millions of dollars in lost revenue, and not to enable people to actually carry out the attacks.
They plan to release the source code for their replay software but will modify important bits to prevent script kiddies from using it to get free parking. ®