
Black Hat Researchers Find 'Free' Parking in San Francisco

Tech-savvy hackers discover San Francisco's parking meters can't discern a genuine payment card from a fake.

Free Parking

At Black Hat this week, security researchers say that it is pretty easy for a technically savvy hacker to make a fake payment card that gives them unlimited free parking on San Francisco's smart parking meter system.

According to Joe Grand, owner of Grand Idea Studio, San Francisco's parking meters have no way of telling the difference between a genuine payment card and a fake. These cards can be used to pay 23,000 meters citywide.

Grand, who hadn't worked much with smart cards before, said that the work wasn't particularly hard to do. His card simply replays to the meter the same signals used by genuine cards. Although he never actually used the card to get free parking, Grand says he was able to build a card with a balance of $999.99 -- the maximum possible -- that would never run out of funds.

"If I found this problem, chances are somebody else knows about the problem and possibly is exploiting it," he said. "That's costing all of us taxpayers money."

To figure out how the payment system worked, Grand hooked up an oscilloscope to a parking meter and monitored what happened when he used a genuine payment card. He then analyzed that data by hand, and wrote a software program that would emulate the smart card. After some trial and error, he finally figured out what his program needed to say to the meter in order to work. Then he built a card that would replay the same data, using a programmable smart card called a Silver Card.
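An added illustration of the design point behind the finding, not code from the researchers or the meter vendor: a meter that accepts a fixed card response cannot tell a capture-and-replay from the real card, whereas a meter that issues a fresh random challenge and expects a keyed answer rejects the replayed response. The key, message formats and HMAC scheme below are assumptions for the demonstration only.

```python
import hmac
import hashlib
import secrets

# Constructed illustration, not the meters' real protocol: one recorded card
# response is offered to a meter that trusts a fixed reply and to one that sends
# a fresh challenge. Keys, formats and the HMAC scheme are all assumptions.
CARD_KEY = b"constructed-card-secret"
STATIC_BLOB = b"CARD-0001;BAL=999.99"   # constructed fixed card response


class StaticMeter:
    """Accepts a card on a fixed response alone; anything that repeats it pays."""
    def __init__(self, enrolled_blobs):
        self.enrolled = set(enrolled_blobs)

    def accept(self, blob: bytes) -> bool:
        return blob in self.enrolled


class ChallengeMeter:
    """Sends a random nonce and expects HMAC(card_key, nonce) in return, so a
    response recorded for one transaction is useless for the next."""
    def __init__(self, card_key: bytes):
        self.card_key = card_key

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def accept(self, nonce: bytes, response: bytes) -> bool:
        expected = hmac.new(self.card_key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def genuine_respond(nonce: bytes) -> bytes:
    """What a genuine card holding CARD_KEY answers to a challenge."""
    return hmac.new(CARD_KEY, nonce, hashlib.sha256).digest()


def run_demo():
    """Replays one captured response against each meter.
    Returns (static_meter_fooled, challenge_meter_fooled)."""
    static = StaticMeter([STATIC_BLOB])
    captured = STATIC_BLOB                   # as recorded from one genuine payment
    static_fooled = static.accept(captured)

    meter = ChallengeMeter(CARD_KEY)
    captured = genuine_respond(meter.challenge())   # one genuine exchange recorded
    later_nonce = meter.challenge()                 # a new, independent challenge
    challenge_fooled = meter.accept(later_nonce, captured)
    return static_fooled, challenge_fooled
```

The first meter is fooled because the replay is byte-for-byte what it expects; the second is not, because the recorded answer belongs to a challenge that will not recur.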

See related stories

Quiz: How Much Do You Know About Black Hat?

Another High-profile Hack, DDOS Probe Goes Global

Twitter Hack: How It Happened and What's Being Done

A Technician Works on San Francisco's Smart Meters

As part of their research, Grand's co-researcher Jacob Appelbaum gathered information on the systems by simply asking city workers technical questions about the meters.


Chemistry 101

To get a closer look at the chips on the cards, the researchers used acetone to remove the plastic surrounding them, put them in a small vial of heated fuming nitric acid, rinsed them in acetone and then placed them in a ceramic package for probing.


Shim-my Shake

The researchers put this shim between the smartcard and the reader so they could monitor the transaction with an oscilloscope.


A Different View

Another view of the custom shim used to read the smart card transaction, complete with Joe Grand's Grand Idea Studio logo.


The Payoff

A San Francisco parking meter showing the balance on Joe Grand's hacked card.


A Grand Idea

Joe Grand at Black Hat in Las Vegas Tuesday, after giving a tutorial on hardware hacking.
