Free Parking
At Black Hat this week, security researchers say that it is pretty easy for a technically savvy hacker to make a fake payment card that gives them unlimited free parking on San Francisco’s smart parking metersystem.
According to Joe Grand, owner of Grand Idea Studio, San Francisco’s parking meters have no way of telling the difference between a genuine payment card and a fake. These cards can be used to pay 23,000 meters citywide.
Grand, who hadn’t worked worked much with smart cards said that the work wasn’t particularly hard to do. His card that simply replays the same signals used by genuine cards to the meter. Although he never actually used the card to get free parking, Grand says he was able to build a card with a balance of $999.99 — the maximum possible — that would never run out of funds.
“If I found this problem, chances are somebody else knows about the problem and possibly is exploiting it,” he said. “That’s costing all of us taxpayers money.”
To figure out how the payment system worked, Grand hooked up an oscilloscope to a parking meter and monitored what happened when he used a genuine payment card. He then analyzed that data by hand, and wrote a software program that would emulate the smart card. After some trial and error, he finally figured out what his program needed to say to the meter in order to work. Then he built a card that would replay the same data, using a programmable smart card called a Silver Card.
See related stories
Quiz: How Much Do You Know About Black Hat?
A Technician Works on San Francisco’s Smart Meters
As part of their research, Grand’s co-researcher Jacob Appelbaum gathered information on the systems by simply asking city workers technical questions about the meters.
See related stories
Quiz: How Much Do You Know About Black Hat?
That Takes Guts
The guts of a Mackay Guardian smart meter.
See related stories
Quiz: How Much Do You Know About Black Hat?
Inner Workings
Chemistry 101
To get a closer look at the chips on the cards, researchers used acetone to remove the pastic surrounding them, put them in a small vial of heated fuming nitric acid, rinsed them in acetone and then placed them in a ceramic package for probing.
See related stories
Quiz: How Much Do You Know About Black Hat?
Shim-my Shake
The researchers put this shim between the smartcard and the reader so they could monitor the transaction with an oscilloscope.
See related stories
Quiz: How Much Do You Know About Black Hat?
A Different View
Another view of the custom shim used to read the smart card transaction, complete with Joe Grand’s Grand Idea Studio logo.
See related stories
Quiz: How Much Do You Know About Black Hat?
The Payoff
A San Francisco parking meter showing the balance on Joe Grand’s hacked card.
See related stories
Quiz: How Much Do You Know About Black Hat?
A Grand Idea
Joe Grand at Black Hat in Las Vegas Tuesday, after giving a tutorial on hardware hacking.
See related stories
Quiz: How Much Do You Know About Black Hat?