Hackers Get Free Parking In San Francisco

timothy posted more than 5 years ago | from the usually-spots-at-the-end-of-the-judah-line dept.

Security 221

Hugh Pickens writes "PC World reports that at the Black Hat security conference this week, security researchers say that it is pretty easy for a technically savvy hacker to make a fake payment card that gives them unlimited free parking on San Francisco's smart parking meter system. 'It wasn't technically complicated and the fact that I can do it in three days means that other people are probably already doing it and probably taking advantage of it,' says Joe Grand. 'It seems like the system wasn't analyzed at all.' To figure out how the payment system worked, Grand hooked up an oscilloscope to a parking meter and monitored what happened when he used a genuine payment card. Grand discovered the cards aren't digitally signed, and the only authentication between the meter and card is a password sent from the former to the latter. Examining the meters themselves could yield additional vulnerabilities that might allow someone to conduct other kinds of attacks, such as propagating a virus from meter to meter via the smart cards or a meter minder's PDA."
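An added illustration of the weakness the summary describes (not code from the article, Joe Grand, or the meter vendor): a meter that trusts whatever balance a card reports, beside a meter that challenges the card and checks a MAC over the stored value. The key handling, record layout and every name below are assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo key. In a deployment this would sit in the meter's secure
# access module, never in readable firmware.
ISSUER_MASTER_KEY = bytes(range(32))
RECORD = struct.Struct(">8sI")  # hypothetical layout: 8-byte serial, balance in cents


def derive_card_key(serial: bytes) -> bytes:
    """Per-card key, so compromise of one card does not expose the others."""
    return hmac.new(ISSUER_MASTER_KEY, b"card-key" + serial, hashlib.sha256).digest()


class Card:
    """Stored-value card model. key=None stands for a card the operator never issued."""

    def __init__(self, serial: bytes, balance_cents: int, key=None):
        self.serial = serial
        self.balance_cents = balance_cents
        self.key = key

    def read_record(self) -> bytes:
        return RECORD.pack(self.serial, self.balance_cents)

    def respond(self, nonce: bytes) -> bytes:
        """Answer the meter's challenge with a MAC over nonce + record."""
        key = self.key if self.key is not None else bytes(32)
        return hmac.new(key, nonce + self.read_record(), hashlib.sha256).digest()


def issue_card(serial: bytes, balance_cents: int) -> Card:
    """Operator-side issuance: the card receives its derived key."""
    return Card(serial, balance_cents, key=derive_card_key(serial))


def legacy_meter_accepts(card: Card, price_cents: int) -> bool:
    """Design from the summary: the meter authenticates itself to the card
    with a password, then trusts the balance the card reports. Nothing in
    the exchange proves that the card is genuine."""
    return card.balance_cents >= price_cents


def verify_response(record: bytes, nonce: bytes, response: bytes) -> bool:
    """Meter-side check: recompute the MAC with the key derived for this serial."""
    if len(record) != RECORD.size:
        return False
    serial, _balance = RECORD.unpack(record)
    expected = hmac.new(derive_card_key(serial), nonce + record, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def hardened_meter_accepts(card: Card, price_cents: int) -> bool:
    """Fresh nonce per session, so a recorded exchange cannot be replayed;
    the balance is only read after the MAC over it has verified."""
    nonce = os.urandom(16)
    record = card.read_record()
    if not verify_response(record, nonce, card.respond(nonce)):
        return False
    _serial, balance = RECORD.unpack(record)
    return balance >= price_cents


if __name__ == "__main__":
    genuine = issue_card(b"SF000001", 2000)   # constructed sample card
    unissued = Card(b"SF000002", 99999)       # constructed card with no issuer key
    for name, card in (("genuine", genuine), ("unissued", unissued)):
        print(name,
              "legacy:", legacy_meter_accepts(card, 250),
              "hardened:", hardened_meter_accepts(card, 250))
```

The hardened check only covers card-to-meter authentication; writing the reduced balance back to the card would additionally need the card to authenticate the meter.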

Parking Meter Botnet (5, Funny)

sopssa (1498795) | more than 5 years ago | (#28894465)

Examining the meters themselves could yield additional vulnerabilities that might allow someone to conduct other kinds of attacks, such as propagating a virus from meter to meter via the smart cards or a meter minder's PDA."

I, for one, welcome our new parking meter botnet overlords.

Re:Parking Meter Botnet (1)

morgan_greywolf (835522) | more than 5 years ago | (#28894531)

Yes, but do they run Linux?

Re:Parking Meter Botnet (-1, Flamebait)

Jurily (900488) | more than 5 years ago | (#28894541)

Seriously, is anyone upset by this? Oh noes, they didn't pay to leave their car somewhere for a limited amount of time!!! Thinkofthechildren!!!

Re:Parking Meter Botnet (4, Insightful)

jellomizer (103300) | more than 5 years ago | (#28894643)

Yes I am upset by this.
If more than just a small handful of people start doing this then they will raise the price for parking for the people who do it legally.
They may have to go and fix the system, causing us to pay for it in taxes; as well, future systems will need to be more expensive as they need to deal with hackers breaking the system all the time.
The reason for meters besides revenue collection is to control the availability of parking spots. Metered parking helps keep store front spots open for customers. As well keeps abandoned or broken cars sitting indefinitely in good parking spots.

Re:Parking Meter Botnet (1, Funny)

PopeRatzo (965947) | more than 5 years ago | (#28894649)

Yes I am upset by this.

Well, you are easily upset.

Re:Parking Meter Botnet (0)

Anonymous Coward | more than 5 years ago | (#28894653)

what was wrong with coin operated meters? Why do they need computers?

Re:Parking Meter Botnet (4, Insightful)

Shaltenn (1031884) | more than 5 years ago | (#28894767)

Maybe the fact that 90% of the time people don't have change on them? Society as a whole is becoming a lot more dependent on ATM cards, credit cards, etc as opposed to cash money. This means that people don't have coinage nor dollars, but instead a plastic card in their wallet. I have seen machines that take cards and coins and even dollar bills. This seems like the best idea. Any te

Re:Parking Meter Botnet (1)

nagnamer (1046654) | more than 5 years ago | (#28895339)

Maybe the fact that 90% of the time people don't have change on them? Society as a whole is becoming a lot more dependent on ATM cards, credit cards, etc as opposed to cash money. This means that people don't have coinage nor dollars, but instead a plastic card in their wallet. I have seen machines that take cards and coins and even dollar bills. This seems like the best idea. Any te

Large amounts of money that are being used today are virtual money sitting in bank accounts and transferred directly to and fro such accounts. So it's no doubt convenient for economies worldwide to make the switch asap.

Re:Parking Meter Botnet (2, Interesting)

Anonymous Coward | more than 5 years ago | (#28894845)

It costs $20 per hour plus pension and health insurance for a meter maid to go collect coins.

Re:Parking Meter Botnet (5, Informative)

xaxa (988988) | more than 5 years ago | (#28894899)

what was wrong with coin operated meters? Why do they need computers?

Criminal gangs target coin operated meters. For instance [blogs.com], "Cashless parking was trialled in Westminster [London] in October 2006 and in early 2007 the decision was taken to extend cashless parking city [of Westminster] wide. One of the primary drivers was the estimated £120,000 per week being lost to organised crime. Organised crime which led to murder on the streets of Westminster." (The murder was after one gang started taking the money from meters in another gang's "territory").

A metal detector under the parking space and a camera nearby, and the computer could automatically issue a ticket (or automatically bill for the correct duration). And tell drivers how many spaces are available.

Re:Parking Meter Botnet (2, Insightful)

Jah-Wren Ryel (80510) | more than 5 years ago | (#28895171)

Criminal gangs target coin operated meters.

And they will target electronic meters too, just as soon as they figure out how to do it.

One of the primary drivers was the estimated £120,000 per week being lost to organised crime [and a murder].

If, as jellomizer postulated, the reason for having meters in the first place is to prevent "tragedy of the commons" type results for public parking spaces, then organized crime's theft of the money collected really doesn't affect that goal.

A metal detector under the parking space and a camera nearby, and the computer could automatically issue a ticket (or automatically bill for the correct duration). And tell drivers how many spaces are available.

It is really amazing how all public problems seem to lead us gently down the path of good intentions and into the maw of big brother.

Maybe the tragedy of the commons problem isn't so bad after all. Maybe we should just reduce parking enforcement to the barest minimum - have a guy with a piece of chalk walk around marking tires - pay his salary from the property taxes of the stores along his route. If a car is in place for more than a couple of days, tow it. Leave it at that and forget about all the expense - monetary and social - of massively complex and invasive enforcement systems.

After all, it's not Fort Knox, it's just a fucking parking place.

Re:Parking Meter Botnet (1)

xaxa (988988) | more than 5 years ago | (#28895489)

Criminal gangs target coin operated meters.

And they will target electronic meters too, just as soon as they figure out how to do it.

That might be easier to trace.

Other advantages: no need for expensive security guards to empty the meters, probably less problems with broken meters, easy to enforce other rules (e.g. "Max 2 hour, no return within 2 hours" is typical in the UK).

If, as jellomizer postulated, the reason for having meters in the first place is to prevent "tragedy of the commons" type results for public parking spaces, then organized crime's theft of the money collected really doesn't affect that goal.

I'm sure the income from parking is significant. Without it, tax would be higher (or services reduced).

It is really amazing how all public problems seem to lead us gently down the path of good intentions and into the maw of big brother.

I didn't really mean it seriously ;-). I'd like to see the same done in central London as has been done in Copenhagen -- a reduction in the number of available parking spaces every year, to reduce congestion and leave more space for people in the city.

Re:Parking Meter Botnet (1)

timeOday (582209) | more than 5 years ago | (#28895265)

what was wrong with coin operated meters? Why do they need computers?

If you think the security of the new system is bad, just compare it to something that can be fooled by a little disc of sheet metal.

Whenever people talk about exotic hacks on ATMs, I always think of how laughably insecure checks are, and credit cards. You give them one number and they get access to your entire available credit? Ridiculous.

Re:Parking Meter Botnet (1)

timeOday (582209) | more than 5 years ago | (#28895295)

I wasn't very clear - by "little disc of sheet metal," I meant a fake quarter to drop into a coin-operated meter.

Re:Parking Meter Botnet (0)

Anonymous Coward | more than 5 years ago | (#28894721)

If you can't beat them, join them.

Seriously, if it is that easy, just make your own unlimited card and then you won't have to worry about how much the "legal" way costs...

Re:Parking Meter Botnet (1)

ddusza (775603) | more than 5 years ago | (#28895005)

I am shaking my fist in complete upsetness, you insensitive clod!

Re:Parking Meter Botnet (1)

rhook (943951) | more than 5 years ago | (#28895015)

The fix is simple, just use encryption. And no, it's not an expensive fix.

Re:Parking Meter Botnet (1)

zippthorne (748122) | more than 5 years ago | (#28895049)

First, decide what your goals are. If it's just to keep people from staying in a space too long, there's no need to charge, just have a timer hooked up to a proximity sensor of some kind (maybe like the ones at traffic lights), which activates a camera. If the car is over the limit, snap pictures every so often and send a fine. Call a tow if it's way too long.

If the goal is to make money, then there's no need for time limits. Just have something people can swipe their credit cards or a token card, or an account based on registration number (easily read with a curb-side camera as the previous example) and bill based on availability and time of day. (but don't change the price while people are away from the meter.)

There are small tyrannies everywhere. Sometimes we put up with them to get something we want or need, but we need to evaluate periodically to make sure we aren't just inconveniencing and oppressing people because "that's the way it's always been done." Technology changes, and things that wouldn't be possible (or thought of) just a few years ago are inexpensive now.

And yes, I realize that there are more important things to bitch about, but there are also thousands of these little things that added up really rob you of a substantial portion of your life.

The meter pays for... (1)

tepples (727027) | more than 5 years ago | (#28895303)

If it's just to keep people from staying in a space too long, there's no need to charge, just have a timer hooked up to a proximity sensor of some kind (maybe like the ones at traffic lights), which activates a camera.

The meter pays for the proximity sensor and the monitoring to exclude false positives.

Just have something people can swipe their credit cards

Credit card companies tend to charge a prohibitive percentage for small transactions.

Re:The meter pays for... (3, Informative)

blincoln (592401) | more than 5 years ago | (#28895483)

Credit card companies tend to charge a prohibitive percentage for small transactions.

Seattle seems to have worked out a deal with them. All of the parking meters here accept credit cards.

Re:Parking Meter Botnet (1)

baegucb (18706) | more than 5 years ago | (#28895215)

So explain why there are parking meters in front of where I work. No stores are within at least a half mile. Parking meters are only for generating revenue imho.

Re:Parking Meter Botnet (1)

EtherMonkey (705611) | more than 5 years ago | (#28895253)

[...] The reason for meters besides revenue collection is to control the availability of parking spots. Metered parking helps keep store front spots open for customers. As well keeps abandoned or broken cars sitting indefinitely in good parking spots.

Theoretically, yes. But in practice it fails. Local employees just feed the meters (which itself might be illegal but is much more difficult to enforce). Meanwhile, the people you want to attract -- new customers -- have to worry about having change or a parking card AND finding a convenient, open parking spot before they can visit your store.

Re:Parking Meter Botnet (4, Insightful)

Aceticon (140883) | more than 5 years ago | (#28895273)

Many cities around the world deploy parking meters in places where there is no lack of parking places as a form of revenue for the local authorities.

Also parking meters are usually deployed in such a way as to eliminate all other parking alternatives (if the purpose was to make parking spaces available for those who really need it, then only some of the places would need to be made "premium" with parking meters while most spaces would remain free)

To further enhance the income from parking, most parking meter systems are also designed in such a way (pay first) that users either have to overpay (pay more time than you use) or are hit with significant fines for going overtime.

This is why most people hate parking meters and other paid parking systems in public spaces.

I for one welcome our new parking meter infecting virus overlords.

Re:Parking Meter Botnet (1)

sunking2 (521698) | more than 5 years ago | (#28895527)

The solution to this is pretty simple. Levy a $100,000 fine if you are caught. This will deter most people from doing it and those that do, any that are caught will more than make up the extra money in fines.

Re:Parking Meter Botnet (0, Troll)

Runaway1956 (1322357) | more than 5 years ago | (#28895555)

It's California, after all. The land of milk and honey. Only rich people live there, as proven by the ready availability of free health care and free education for illegal immigrants and illegal migrant workers. Not to mention free legal services for those illegals who are too stupid to stay underground, and obey other laws. Nothing to worry about.

If stuff like this really bothers you, get involved with the idiots who run your government, and hold them accountable. Tell them that you want the old fashioned meters back, that took quarters and dimes to operate. There never was any widespread abuse of them, because they WORK. There was no need to spend however many zillion dollars to upgrade to insecure networked card reading meters.

Re:Parking Meter Botnet (0)

Anonymous Coward | more than 5 years ago | (#28895727)

The problem isn't the guys that figure out how and then tell you about it. The problem is those that figure out how and then use it as much as they like.

Re:Parking Meter Botnet (2, Insightful)

Anonymous Coward | more than 5 years ago | (#28895759)

Yes I am upset by this.
If more than just a small handful of people start doing this then they will raise the price for parking for the people who do it legally.
They may have to go and fix the system, causing us to pay for it in taxes; as well, future systems will need to be more expensive as they need to deal with hackers breaking the system all the time.

The tone of your post seems to imply you are upset at the hackers for this, instead of upset at whose fault it is.
(If I misread your intent, feel free to disregard this)

The fault is not with the hackers pointing out the screw up by the city and meter manufacturer.
It isn't the hackers who took your tax money and spent it on a product that does not do what is needed (in this case, the need is to meter parking.)

It isn't as if the hackers could keep quiet, and the real criminals will somehow unlearn what they already knew long before the hackers figured it out. Nor is it the fault of the hackers that the machines were built to function this way.

If you want to be upset at someone, be upset at the city for spending your taxes on some magical beans (that don't sprout like in the story), and/or the manufacturer who falsely represented how the meter functioned to the city to get them to hand over said tax monies.

Humanity collectively hiding our heads in the sand and pretending there is a locked door when clearly there is no door at all, let alone a lockable one, does not security make. And the first step to a functional solution is to admit there is a problem.

If you honestly believe that these things have not been exploited by insiders and organized criminals since practically the day they were installed, and the hackers are actually letting secrets out or something, then you are only fooling yourself.

Re:Parking Meter Botnet (4, Interesting)

sortius_nod (1080919) | more than 5 years ago | (#28895053)

I remember doing an easier hack on the parking meters in Newcastle AU. Grab a used Telstra smart card phone card, shove it in, meter breaks, free parking for a few days for everyone.

It seems that the parking meter OS was unable to handle cards that didn't send the right data back, so went into "out of order" mode.

I suppose they got wise on these kinds of simple hacks and changed the smart card system.

Re:Parking Meter Botnet (0)

Anonymous Coward | more than 5 years ago | (#28894543)

Amen.

Portable Oscilloscope? (1)

n1ckml007 (683046) | more than 5 years ago | (#28894525)

Re:Portable Oscilloscope? (1)

morgan_greywolf (835522) | more than 5 years ago | (#28894549)

Yes. I work in a place that has many of these that you can sign out from the property cage.

Re:Portable Oscilloscope? (4, Insightful)

rodrigoandrade (713371) | more than 5 years ago | (#28894565)

Geez, at those prices, wouldn't it be cheaper to just pay for the damn parking card???

Re:Portable Oscilloscope? (0)

Anonymous Coward | more than 5 years ago | (#28894609)

A portable oscilloscope is the easiest solution, but you can build a small logic analyzer yourself from parts that every electronics hacker has in their toy box. Snooping on the communication between a host and a smart card is not rocket science, especially if there are no hardware mechanisms isolating the smart card from the outside while the card is in use.

Re:Portable Oscilloscope? (1)

TheP4st (1164315) | more than 5 years ago | (#28894651)

Sure, if it is only for yourself it probably would not make that much sense to buy one of the more expensive ones, but I saw a USB one going for 72$, seems quite a reasonable investment for unlimited parking to me. And, if you start mass-producing cards and selling them for let's say 5 buck a pop it should not take long before you do break even on a Fluke 225.

Re:Portable Oscilloscope? (1)

TheP4st (1164315) | more than 5 years ago | (#28894669)

Should have been 25 buck a pop and Fluke 125.

Re:Portable Oscilloscope? (1)

sdpuppy (898535) | more than 5 years ago | (#28895075)

Saves a lot of money until you get caught with the counterfeiting equipment.

I'm sure eventually the city will notice the discrepancy and figure out what's going on and investigate.

Guess where the money will come from to pay to fix the meters (even if it's just changing a couple lines of code it will not be inexpensive).

Re:Portable Oscilloscope? (1, Funny)

Anonymous Coward | more than 5 years ago | (#28895319)

Saves a lot of money until you get caught with the counterfeiting equipment.

I'm sure eventually the city will notice the discrepancy and figure out what's going on and investigate.

Guess where the money will come from to pay to fix the meters (even if it's just changing a couple lines of code it will not be inexpensive).

Also script kiddies, don't forget what will happen to your asshole.
Of course some of you might be looking forward to that.
Not that there's anything wrong with that.
To each his own.

Re:Portable Oscilloscope? (1)

Pinckney (1098477) | more than 5 years ago | (#28894691)

Make up for it by making and selling bottomless parking cards.

Oscilloscopes in San Francisco? Oh, Great... (1)

RobotRunAmok (595286) | more than 5 years ago | (#28894787)

Can't wait for the trends to start: half the populace will be covering them in WD-40 and sticking them up their ass, and the rest will be basing a new religion around them, tattooing sine waves onto their foreheads.

Re:Portable Oscilloscope? (1)

RichardJenkins (1362463) | more than 5 years ago | (#28894957)

Only for the person who gathers and distributes the data, and only then if he doesn't already own one.

Re:Portable Oscilloscope? (1)

Raven42rac (448205) | more than 5 years ago | (#28895229)

I don't think you need it every time, just to figure out how the thing worked. The way it works doesn't really surprise me, municipalities take this amazing technology, apply bad practices, lowest common denominator stuff, and use horrendous security at an inflated cost for not much benefit.

Re:Portable Oscilloscope? (1)

twistah (194990) | more than 5 years ago | (#28895633)

Please tell me you don't seriously think they did this to get away with not paying for parking.

The usual solution (5, Interesting)

drgould (24404) | more than 5 years ago | (#28894527)

The usual bureaucratic solution in a case like this is to make it illegal to hook up oscilloscopes to parking meters in San Francisco.

Re:The usual solution (5, Funny)

n1ckml007 (683046) | more than 5 years ago | (#28894535)

Sir is that an oscilloscope in your pocket... ?

Re:The usual solution (5, Funny)

kimvette (919543) | more than 5 years ago | (#28894633)

Sir, do you have a concealed oscilloscope permit?

Re:The usual solution (1)

Hijacked Public (999535) | more than 5 years ago | (#28894965)

In San Francisco you can only open carry your "oscilloscope".

Re:The usual solution (1)

Missing_dc (1074809) | more than 5 years ago | (#28895225)

In San Francisco you can only open carry your "oscilloscope".

Only if it is unloaded* and you can expect people to flip out, call the cops and to have your "oscilloscope" forcefully checked to see if it is loaded.

*You can have the batteries displayed next to it and ready to load though

Re:The usual solution (1)

drinkypoo (153816) | more than 5 years ago | (#28895373)

*You can have the batteries displayed next to it and ready to load though

Not in California.

For those who don't get it, in the state we're talking about, if you have the ammo next to it and ready to load it's considered loaded. Nice try though.

Re:The usual solution (1)

nagnamer (1046654) | more than 5 years ago | (#28895453)

In San Francisco you can only open carry your "oscilloscope".

You mean to tell me you can't carry your friend's "oscilloscope"?

Re:The usual solution (1)

Bright Apollo (988736) | more than 5 years ago | (#28895103)

Nope, I'm just glad to see you.

Re:The usual solution (3, Funny)

morgan_greywolf (835522) | more than 5 years ago | (#28894573)

Sir! Put down the oscilloscope and back away....slowly....

Re:The usual solution (5, Funny)

JustOK (667959) | more than 5 years ago | (#28894707)

in a sinusoidal manner

Re:The usual solution (-1, Offtopic)

Hijacked Public (999535) | more than 5 years ago | (#28895013)

Best comment possibly ever.

Since I just posted in this story I'm going to sprinkle all 5 of my mod points across your previous 5 comments.

Re:The usual solution (2, Insightful)

chill (34294) | more than 5 years ago | (#28894693)

Looking at the pictures of how they accomplished that, including disassembling the parking meter and removing epoxy by dipping parts in heated fumeric acid... I'm fairly certain what he did was already illegal. It isn't as if the parking meters come with external JTAG points or something.

Re:The usual solution (1)

The_Wilschon (782534) | more than 5 years ago | (#28894813)

Just cut one off like Paul Newman in Cool Hand Luke and take it home with you. When you're done, dump it someplace. No one's the wiser. OTOH, you could move away from San Francisco and enjoy free parking in most of the rest of the country.

Re:The usual solution (1, Insightful)

Anonymous Coward | more than 5 years ago | (#28894923)

It occurs to me that things didn't work out so well for Cool Hand Luke in that movie.... what's next, advice on faking insanity to get an easy sentence as in One Flew Over the Cuckoo's Nest?

Re:The usual solution (1)

chill (34294) | more than 5 years ago | (#28894925)

Yeah, I know that is how a criminal would handle it. Thanks for the reference. I couldn't remember which movie.

And I'm in Chicago. Don't talk to me about parking meters! Ugh!

Re:The usual solution (3, Informative)

Daley_G (1592515) | more than 5 years ago | (#28894941)

I first read of this on some other site where it explains they bought various meters off ebay. At that point, nothing illegal was done as they owned the meters they were experimenting on. Granted, there was no money to be gained by doing this, but exploiting the vulnerability is probably worth quite a bit - to someone.

Re:The usual solution (2, Informative)

Anonymous Coward | more than 5 years ago | (#28894947)

The paper lists many attack vectors which could be used against more advanced meters. Hacking the San Francisco system required only a smart card "shim", which extends the contacts to a legitimate card outside the meter, and a portable oscilloscope or logic analyzer for recording the communication between the meter and the legitimate card. The trivial protocol was then implemented on a programmable smart card. This is in reach of most electronic hobbyists and requires no dangerous materials or tools.

Re:The usual solution (3, Funny)

Shrike82 (1471633) | more than 5 years ago | (#28894713)

"What's that Billy? Trespassers? Get my oscilloscope from above the fireplace!"

Re:The usual solution (1)

ACMENEWSLLC (940904) | more than 5 years ago | (#28895353)

>>The usual bureaucratic solution in a case like this is to make it illegal to hook up oscilloscopes to parking meters in San Francisco.

And make the minimum punishment 5 years in jail and %50,000 fine. After all, they do have cameras everywhere, right? It is just a matter of paying someone to sift through the video until they spot the guy doing this, then arrest him.

While I understand that this system's not very secure, I don't know if I think attempting to make it perfectly secure is worth it when the above is good enough. No matter what system they put in place, eventually a way around it could be found. In this case, preventing the crime versus punishing the criminal doesn't seem to make sense.

"other people are probably already doing it" (1)

Hebbinator (1001954) | more than 5 years ago | (#28894559)

"It wasn't technically complicated and the fact that I can do it in three days means that other people are probably already doing it and probably taking advantage of it"

Is it just me, or is this like a nationally publicized "Hey guys, try this!" The article lacks the detail to replicate this guy's code, but the other methods he used are all there. Would it have been better to have a system with a few hackers taking advantage and skipping some parking fees, versus a now-compromised system (or one that begs to be compromised by publicity and the copy-cat nature of hackers and hacker upstarts) that may be rendered useless? Now there are 23000 meters in San Fran that may need to get new software..

Re:"other people are probably already doing it" (3, Insightful)

Antique Geekmeister (740220) | more than 5 years ago | (#28894599)

Is it better for cities to rely on such stupid pieces of low-bidder refuse for tools like parking meters and US passports? (http://blogs.zdnet.com/storage/?p=540) Most RFID implementations simply are not secure: they're typically no more reliable than a barcode, which is also easily spoofed.

And sadly, it's the fault of both the technology (which remains limited by budget marketing to very simple devices) and by inabilities to agree on updates to their encryption and authentication technologies (look up 'new encryption standards for RFID' on Google for references). The infighting among the vendors is horrible, and is delaying improved technologies.

Re:"other people are probably already doing it" (2, Interesting)

Acer500 (846698) | more than 5 years ago | (#28894973)

Is it better for cities to rely on such stupid pieces of low-bidder refuse for tools like parking meters and US passports?

Erm... one is not like the other... I don't think that parking meters require the highest level of protection possible. Passports, OTOH...

Re:"other people are probably already doing it" (1)

DissociativeBehavior (1397503) | more than 5 years ago | (#28895657)

The security is in the passport, not the reader or the transport layer. There is an international standard [icao.int] for passports. The smartcard must also be certified before it can be used in a passport.

Re:"other people are probably already doing it" (1)

ComputerDruid (1499317) | more than 5 years ago | (#28894629)

Is it just me or isn't that the point? Then it will be fixed for everyone, which is fair. Isn't that what the Black Hat conf is about?

Re:"other people are probably already doing it" (4, Insightful)

Vellmont (569020) | more than 5 years ago | (#28894697)


Would it have been better to have a system with a few hackers taking advantage and skipping some parking fees, versus a now-compromised system

Stupid knowledge! You just ruin it for everyone. If only we'd be more ignorant and stick our heads in the sand there would be no problem.

Did you ever think that someone beyond curious hackers looking for a few free hours of parking might be interested in this? Like say.. criminals selling counterfeit parking cards at 1/3 the price?

Re:"other people are probably already doing it" (3, Informative)

solevita (967690) | more than 5 years ago | (#28894765)

The article lacks the detail to replicate this guy's code

That's what you get for reading the press release... Here [grandideastudio.com] is the original site; here [grandideastudio.com] is the code.

Re:"other people are probably already doing it" (1)

TheP4st (1164315) | more than 5 years ago | (#28894943)

Now there are 23000 meters in San Fran that may need to get new software..

A valuable lesson they will learn from. Hopefully.

Would it have been better to have a system with a few hackers taking advantage and skipping some parking fees, versus a now-compromised system (or one that begs to be compromised by publicity and the copy-cat nature of hackers and hacker upstarts) that may be rendered useless?

Only the harshest of lessons work with stupidity on such a grand scale.

Dangerous game (0)

Anonymous Coward | more than 5 years ago | (#28894569)

While there may not be a way to prevent this, are you sure that it can't be detected? After all, it's your car with your license plate that's standing in front of such a fraudulently paid meter for hours. It's certainly better to build some security into the hardware, but this seems like an application where enforcement has a realistic chance of catching people who exploit the system.

how can this help us (3, Insightful)

onepoint (301486) | more than 5 years ago | (#28894583)

Well, I RTFA, and I have to admit, I liked the hack, I only hope that they do fix it, otherwise it will always be employees of the stores that have parking and people shopping will not have access to the stores.

I really do hate it when people hog a meter all day, paying for daily parking in certain towns is just way out of control.

Now if the hack is really as simple as presented in the 60+ page report, the black market for this is huge, selling 999.00 cards for $50.00 a pop, I know of at least 100 buyers, and if marketed correctly, the entire business district will be a net loss for those towns that don't execute a plan quickly.

Before anyone talks about the 3 million in savings, Please note, that's just the theft that the meter people were pocketing. What should happen is that the long term savings should increase by the labor savings, please see past example of easy-pass toll system of NY & NJ, where within 2 weeks rush-hour was reduced by 25 to 50 minutes and toll takers were reduced by 1 or 2 people per exit.

security through obscurity (2, Informative)

morgan_greywolf (835522) | more than 5 years ago | (#28894673)

Cool? I dunno, it's pretty simple really. Here's the C source code [grandideastudio.com] for the hack. Basically he's just programming a smart card with a value of $999.99, and then asking the meter for the password, which it seems more than happy to provide for some reason.

IOW, the meters are simply using security through obscurity, which is the same as no security at all.

Re:security through obscurity (1)

morgan_greywolf (835522) | more than 5 years ago | (#28894687)

s/meter/card

You need a good parking pass.

Re:how can this help us (1)

PopeRatzo (965947) | more than 5 years ago | (#28894729)

otherwise it will always be employees of the stores that have parking and people shopping will not have access to the stores.

Huh?

Do you mind explaining the part about people not having access to the stores because only employees will have the hack, or something?

Don't you think that maybe after the first few days when the parking enforcement notices that they have collected NO money from the parking meters that they might start monitoring a little more closely? Or maybe after, as you say, "people shopping" no longer "have access to the stores"? The store owners might get suspicious when nobody shows up to shop.

So, between the parking meter collections suddenly dropping to zero and the stores suddenly becoming ghost towns that someone might get suspicious?

Re:how can this help us (1)

onepoint (301486) | more than 5 years ago | (#28895007)

>>the parking meter collections suddenly dropping to zero and the stores suddenly becoming ghost towns that someone might get suspicious.

It's government employees; they don't notice anything. And if they do, they file a report that no one reads.

>>Do you mind explaining the part about people not having access to the stores because only employees will have the hack, or something?

If you have ever owned a store front property, you know that parking and walk-by traffic is a major factor in the investment. Car spots that are used by the same person all day keep people from getting to your store, and over time, the general public starts thinking "I won't go there, I can never find a spot". I saw it happen in a badly designed area, and every building owner on those 2 blocks would ask themselves why they did not have enough business. It's just a case of a cursed area. What started the change in that area was the suggestion of free employee parking 2 blocks away, which over 6 months helped a lot and improved the volume of business.

Re:how can this help us (1)

leonardluen (211265) | more than 5 years ago | (#28895427)

Except the parking meter collections missing won't really be noticed. The cards are prepaid, and as far as the city knows the money is already in their account. There is nothing for them to collect at the meter, other than the audit log telling how many people parked at it. The city won't necessarily know that the card used to pay for the parking was a fake. They will just see that 75 cards were used to pay for parking but they had only sold 35. My understanding from the article is that the cards themselves hold the balance that is left on them and that internal balance is deducted (on a legitimate card) when told to do so by the meter.

i wonder (1, Interesting)

Anonymous Coward | more than 5 years ago | (#28894585)

I wonder what kind of attacks would be possible after the city has replaced the meter software by software which actually uses a cryptographic method, like a challenge/response method between the meter and the card...

any ideas?
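The challenge/response idea raised in the comment above, contrasted with the replayable static password the summary describes, as an added example that is not part of the thread or of Grand's published code. The key layout, message format and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

MASTER_KEY = bytes(range(32))  # constructed demo key (assumption: held in the meter's protected storage)

def card_key(serial: bytes) -> bytes:
    # Per-card key derived from the master key, so cards do not share one secret.
    return hmac.new(MASTER_KEY, b"card-key|" + serial, hashlib.sha256).digest()

def tag_for(key: bytes, serial: bytes, challenge: bytes, debit: int, balance: int) -> bytes:
    # The MAC binds the card, the fresh challenge, the debit and the resulting balance.
    msg = serial + challenge + debit.to_bytes(4, "big") + balance.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()

class Card:
    """Hypothetical card holding its own key and balance (in cents)."""
    def __init__(self, serial: bytes, key: bytes, balance: int):
        self.serial, self.key, self.balance = serial, key, balance

    def respond(self, challenge: bytes, debit: int):
        if debit > self.balance:
            raise ValueError("insufficient balance")
        self.balance -= debit
        return self.serial, self.balance, tag_for(self.key, self.serial, challenge, debit, self.balance)

class ReplayCard:
    """Returns a previously recorded response, whatever challenge it is given."""
    def __init__(self, recorded):
        self.recorded = recorded

    def respond(self, challenge: bytes, debit: int):
        return self.recorded

class Meter:
    def __init__(self):
        self.audit_log = []        # (serial hex, debit, accepted)
        self.last_exchange = None  # what a shim on the card contacts would observe

    def charge(self, card, debit: int) -> bool:
        challenge = secrets.token_bytes(16)  # fresh for every transaction
        serial, balance, tag = card.respond(challenge, debit)
        expected = tag_for(card_key(serial), serial, challenge, debit, balance)
        accepted = hmac.compare_digest(tag, expected)
        self.audit_log.append((serial.hex(), debit, accepted))
        self.last_exchange = (serial, balance, tag)
        return accepted

def demo():
    meter, serial = Meter(), b"\x00\x00\x00\x2a"  # constructed serial
    ok_genuine = meter.charge(Card(serial, card_key(serial), 2000), 250)
    ok_replay = meter.charge(ReplayCard(meter.last_exchange), 250)
    ok_forged = meter.charge(Card(serial, b"\x00" * 32, 99999), 250)
    return ok_genuine, ok_replay, ok_forged  # (True, False, False)
```

The scheme is only as strong as the protection of `MASTER_KEY` inside each meter, and the rejected attempts recorded in `audit_log` give the operator something to reconcile against cards actually sold.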

Free parking! Just uh.. oh crap. (2, Interesting)

RyuuzakiTetsuya (195424) | more than 5 years ago | (#28894591)

I'm not sure how normal that is in the bay area. To see some guy in a DeCSS tshirt hooking an O-scope to a parking meter.

Seriously, how did they achieve *that*? Flat ribbon cable between the card and the meter?

Re:Free parking! Just uh.. oh crap. (5, Insightful)

Canazza (1428553) | more than 5 years ago | (#28894631)

He was probably wearing a high-vis jacket and wearing heavy leather gloves. He'd have looked like an ordinary electrician. If anyone asks he was 'repairing' the meter.

Re:Free parking! Just uh.. oh crap. (5, Funny)

value_added (719364) | more than 5 years ago | (#28894753)

He was probably wearing a high-vis jacket and wearing heavy leather gloves. He'd have looked like an ordinary electrician. If anyone asks he was 'repairing' the meter.

San Francisco may be different, but I'd imagine that in most cities, if someone was seen beating a parking meter with a baseball bat, people passing by would nod approvingly, or perhaps cheer.

Re:Free parking! Just uh.. oh crap. (2, Funny)

srollyson (1184197) | more than 5 years ago | (#28894867)

Small town, not much to do in the evenin'.

Re:Free parking! Just uh.. oh crap. (3, Informative)

cfa22 (1594513) | more than 5 years ago | (#28895549)

Back in the 90's in Berkeley (across the bay from SF) they had serious problems with people hacksawing the meters right off their posts and lobbing them into the bay. There is apparently more than one way to hack parking meters to get free parking.

Re:Free parking! Just uh.. oh crap. (5, Interesting)

langelgjm (860756) | more than 5 years ago | (#28894831)

Indeed, that sort of social engineering is all about looking the part.

I once knew someone who was able to swipe an unused payphone in broad daylight at lunchtime on a busy strip with lots of outdoor seating. The trick? Navy blue pants, blue "repairman" style shirt, a tool bag, and looking like you are supposed to be doing what you are doing.

Re:Free parking! Just uh.. oh crap. (1)

Vovk (1350125) | more than 5 years ago | (#28894667)

I read TFA and it says that they have a custom built shim in between the card and the reader.

Re:Free parking! Just uh.. oh crap. (1, Informative)

Anonymous Coward | more than 5 years ago | (#28894733)

If you click the second link in the summary your question will be answered...

To record the communication between the card and the meter, Grand purchased a smartcard shim -- an electrical connector that duplicates a smartcard's contact points -- and used an oscilloscope to record the electrical signals as the card and meter communicated.

Mythbusters (1)

MoreDruid (584251) | more than 5 years ago | (#28895493)

The Mythbusters are located in San Francisco so I can only assume they are used to geeky types doing weird stuff

Re:Free parking! Just uh.. oh crap. (1)

aquatone282 (905179) | more than 5 years ago | (#28895687)

Compared to other things I've seen in the Bay Area, a guy with an o-scope attached to a parking meter would be pretty damn tame.

l0pht (5, Informative)

Anonymous Coward | more than 5 years ago | (#28894601)

For reference, Joe Grand is one of the members of the l0pht hacker group that were announced to be making a comeback here: http://news.slashdot.org/story/09/07/26/167251/Hacker-Group-L0pht-Making-a-Comeback?art_pos=1

10 spaces away (5, Funny)

surmak (1238244) | more than 5 years ago | (#28894779)

In Monopoly just remember what is 10 spaces away from free parking (actually, in either direction). Something tells me that those who try this "Free Parking" trick may well end up rolling a pair of fives on their next move.

Do not pass go, do not collect $200.

Re:10 spaces away (0)

Anonymous Coward | more than 5 years ago | (#28894999)

Don't forget that if you beat the police in Monopoly, you're only ten spaces away from payday.

We have those (0)

Anonymous Coward | more than 5 years ago | (#28894833)

The City of Tallahassee has those "smart" parking meters with smartcard readers. Of course, the City has never announced any plans to offer parking smartcards.

It would be useless. The City's parking enforcement staff do close to nothing, so meters are considered free parking.

Anyone could do it?? Don't think so.. (3, Insightful)

Viol8 (599362) | more than 5 years ago | (#28894877)

"To get a closer look at the chips on the cards, researchers used acetone to remove the plastic surrounding them, put them in a small vial of heated fuming nitric acid, rinsed them in acetone and then placed them in a ceramic package for probing."

Err, yeah, I do that sort of thing every day in my kitchen!

Let's be honest, "anyone" is a relative term here - anyone who's a whizz with low-level logic gate analysis plus knows some chemistry and has access to oscilloscopes etc. may be able to do it - a normal office guy like me can't. Perhaps a bit too much false modesty on the part of the article author.

Re:Anyone could do it?? Don't think so.. (1)

nagnamer (1046654) | more than 5 years ago | (#28895659)

Let's be honest, "anyone" is a relative term here - anyone who's a whizz with low-level logic gate analysis plus knows some chemistry and has access to oscilloscopes etc. may be able to do it - a normal office guy like me can't. Perhaps a bit too much false modesty on the part of the article author.

It's not like everyone has to make their own. You can always have one or two such guys produce multiple cards that an interested sponsor may pay for.

Unfair and misleading headline (1)

Chris Pimlott (16212) | more than 5 years ago | (#28894951)

The headline makes it sound like hackers are routinely scamming the system, but there is no indication of this whatsoever in the article. It is improper of /. to impugn these guys when all they have done is demonstrate the vulnerability.

Finding a space. (4, Interesting)

bezenek (958723) | more than 5 years ago | (#28894953)

Having a hacked card is of no use if one cannot find a parking space. Most people who have attempted to park in SF know the time wasted finding a space is usually worth more than the cost of the parking.

Nevertheless, hacking the system is interesting.

-Todd

Can This Technique Be Applied To The Payment (0)

Anonymous Coward | more than 5 years ago | (#28895291)

of U.S. state and federal taxes? This question presumes the U.S. has NOT collapsed.

Yours In Evasion,
Kilgore Trout

TFA, mostly wrong on the details (2, Insightful)

Ancient_Hacker (751168) | more than 5 years ago | (#28895547)

TFA, kinda ludicrous.

First of all, how do you hook up an oscilloscope to a parking meter without disassembling it?

Then, what could you get from that that you could not get just by reading the card stripe with a $29 card reader?

One suspects this "black hat" just read a valid card on a card reader, swiped it in a parking meter, then re-read the card and noted the changes.

In any case, since it's unlikely that the parking meters are networked, all he had to do was clone a good card and he's set.

No oscilloscopes or trickery needed.

Drawing attention to the problem (5, Funny)

russotto (537200) | more than 5 years ago | (#28895621)

So the hackers, having figured out how to rig the meters, set up their own meters at a few places in the city. With them they place large signs "Hacker Parking Only, Everyone Else $1,000,000". One day they notice a Porsche 959 pull up to the meter. A somewhat geeky looking man in his mid-50s gets out, looks at the sign, places a card in the meter, and it flips over to "2 hours paid". One of the hackers then walks up to the man and says "Hey, Bill Gates! I knew you started out as a hacker but I didn't know you still kept in the game!". And Gates says "What hack? I just paid the meter".
