At Black Hat this week, security researchers say that it is pretty easy for a technically savvy hacker to make a fake payment card that gives them unlimited free parking on San Francisco’s smart parking meter system.
According to Joe Grand, owner of Grand Idea Studio, San Francisco’s parking meters have no way of telling the difference between a genuine payment card and a fake. These cards can be used to pay 23,000 meters citywide.
Grand, who hadn’t worked much with smart cards, said that the work wasn’t particularly hard to do. His card simply replays to the meter the same signals used by genuine cards. Although he never actually used the card to get free parking, Grand says he was able to build a card with a balance of $999.99 — the maximum possible — that would never run out of funds.
“If I found this problem, chances are somebody else knows about the problem and possibly is exploiting it,” he said. “That’s costing all of us taxpayers money.”
To figure out how the payment system worked, Grand hooked up an oscilloscope to a parking meter and monitored what happened when he used a genuine payment card. He then analyzed that data by hand, and wrote a software program that would emulate the smart card. After some trial and error, he finally figured out what his program needed to say to the meter in order to work. Then he built a card that would replay the same data, using a programmable smart card called a Silver Card.