July 30, 2009 2:15 PM PDT

Hackers: We can bypass San Francisco e-parking meters

by Declan McCullagh
MacKay parking meter reads $999.99

(Credit: Joe Grand, Jacob Appelbaum, Chris Tarnovsky)

A three-man team of programmers and engineers announced on Thursday that it has found a way to park for free by bypassing the security of "smart" parking meters used in cities including San Francisco, which has about 25,000 of them.

The parking meters are manufactured by J.J. MacKay Canada and accept coins and prepaid plastic cards that can be purchased in $20 and $50 denominations from local drugstores and grocery stores.

Although MacKay claims (PDF) its meters use "sophisticated security algorithms to deter fraud," it took the trio of hackers three days to work out how the stored-value card encoded its balance and to boost that value to $999.99.

"We don't want people to walk away from this saying, 'Oh my God, they can steal money,'" said Jacob Appelbaum. "We want them to think, 'There's a whole computer in here. What kind of due diligence are people doing?'"

"If they're not using encryption, they're probably doing it wrong," Appelbaum added.

Appelbaum and his colleagues are presenting their research on Thursday afternoon at the Black Hat security conference in Las Vegas. The other two team members are Joe Grand, a hardware engineer and president of Grand Idea Studio, and Chris Tarnovsky, who runs Flylogic Engineering, which performs security analysis of semiconductors.

"We're concerned about this news and we'll do everything we can to work with MacKay and see what we can do to make the meters more secure," Judson True, a spokesman for the San Francisco Municipal Transportation Agency, said in an interview on Thursday afternoon.

One option would be for the city to flag cards with suspicious activity and reprogram every parking meter -- they are visited every two or three days for coin collection anyway -- to ignore that card, True said.

In addition, the problem may eventually disappear as hardware is replaced, True said. "We are moving forward in the next few years to replace all these meters with meters that accept credit cards. We may still have some version of a parking card. That may be a medium-term solution. In the interim, we'll see what we can do in terms of additional security for the meters and for the cards."
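As an added illustration that is not part of the article and not MacKay's design, the script below contrasts a card that stores a bare balance (accepted as-is) with one whose balance is bound to the card ID by an HMAC under a meter-side key, and adds the kind of per-card denylist True describes. The key, card ID and balances are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed meter-side secret for this example only; a real key would live in
# protected storage on the meter, never in source code.
METER_KEY = b"example-meter-key-not-real"

ID_LEN, BAL_LEN, TAG_LEN = 8, 4, 32


def read_unauthenticated(image: bytes) -> int:
    """Weak design: trust whatever balance (in cents) the card presents."""
    return struct.unpack(">I", image[ID_LEN:ID_LEN + BAL_LEN])[0]


def encode_card(card_id: bytes, balance_cents: int, key: bytes = METER_KEY) -> bytes:
    """Issue a card image: id || balance || HMAC-SHA256(key, id || balance)."""
    body = card_id.ljust(ID_LEN, b"\0")[:ID_LEN] + struct.pack(">I", balance_cents)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def overwrite_balance_field(image: bytes, balance_cents: int) -> bytes:
    """Simulate a forged balance written without the key (tag left unchanged)."""
    return image[:ID_LEN] + struct.pack(">I", balance_cents) + image[ID_LEN + BAL_LEN:]


def verify_card(image: bytes, denylist=frozenset(), key: bytes = METER_KEY):
    """Meter-side check. Returns (status, balance_cents); status is
    'ok', 'bad_tag' (forged or corrupted) or 'blocked' (flagged card ID)."""
    if len(image) != ID_LEN + BAL_LEN + TAG_LEN:
        return ("bad_tag", 0)
    body, tag = image[:ID_LEN + BAL_LEN], image[ID_LEN + BAL_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return ("bad_tag", 0)
    if body[:ID_LEN] in denylist:
        return ("blocked", 0)
    return ("ok", struct.unpack(">I", body[ID_LEN:])[0])


def demo():
    card = encode_card(b"CARD0001", 2000)            # a $20.00 card (constructed)
    forged = overwrite_balance_field(card, 99999)    # balance field set to $999.99
    return (
        read_unauthenticated(forged),                # weak design accepts 99999
        verify_card(forged)[0],                      # 'bad_tag'
        verify_card(card)[0],                        # 'ok'
        verify_card(card, {b"CARD0001"})[0],         # 'blocked' once the ID is flagged
    )
```

A MAC stops a forged balance but not the copying of a valid card image or the replay of an already-spent one, which is why a per-card denylist or an online ledger is still needed alongside it.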

MacKay did not respond to multiple requests for comment on Thursday.

San Francisco has purchased about 25,000 MacKay parking meters--from the Guardian XLE series--to replace the old ones that used only coins. A 2002 article in the San Francisco Chronicle put the cost of the conversion at more than $37.7 million, though the city estimates that the cost of the meters was closer to $25 million.

Updated: With a response from the San Francisco Municipal Transportation Agency.

Declan McCullagh is a contributor to CNET News and a correspondent for CBSNews.com who has covered the intersection of politics and technology for over a decade. Declan writes a regular feature called Taking Liberties, focused on individual and economic rights; you can bookmark his CBS News Taking Liberties site, or subscribe to the RSS feed. You can e-mail Declan at declan@cbsnews.com.
by biffhenerson July 30, 2009 3:06 PM PDT
It always amuses me when I hear about software that is grossly insecure such as these cards and meters. There is absolutely no excuse. It's just sloppy. Encryption is simple to implement. To how many sites do you give your credit card? How many store the credit card in their database unencrypted? A lot! Crossing the T's and dotting the I's is what separates the software developer Men ($$$,$$$) from the boys ($$,$$$).
by Dalmatian28 July 31, 2009 5:40 PM PDT
It doesn't mean that software was not written well enough!!! If you know anything about programming you should know that there is no such thing as perfect software. It comes down to the skill level of the programmer and the reality is that there will always be someone out there that is better at it! Hackers don't need to worry about the code logic and its performance....all they worry about is finding the loophole in the system and that is good enough for them! San Francisco has the worst parking policy in the nation and I am not surprised that this has happened! I used to love this city... but the greed and dirty tricks that this city is using to extort money from its residents have gone way too far! If you want to park in SF you will have to bend over to DPT ...until your eyes pop! I really want to thank all those guys that put an effort into cracking parking meters....just hope that they could place the code on the torrent site! It is time to teach SF city government that being too greedy doesn't pay off!
by Walt French August 1, 2009 12:04 PM PDT
This comment -- and the author of the story, as well as creators of the hack -- suggest that encryption falls into two categories: perfect or badly flawed ("grossly insecure").

Security has costs that have to be traded off against benefits, which is why you can have a simple, easy-to-hack PW for Facebook, while your bank requires a tougher one. Likewise, a parking card can't afford an ARM or Atom-class CPU to ensure that only valid modifications go through, and you can't expect every parking meter to require a link to the 'net to ensure the balance is consistent with the last use of a card.

Yes, there ARE possible approaches, such as embedding chips with fusible links representing remaining value that can physically only go down in value. Of course, a whole range of options should be considered.

But saying that it's a major scandal for parking meters, which IMHO *should* be low-cost items, is totally bogus. What is the greater cost beyond the fraud perpetrated by anybody who plays cute with these things? Only to require more expense to city residents to pile on an additional layer of security.
by BruinGuy July 30, 2009 3:12 PM PDT
Good old San Francisco. Daring to go into the future with blinders on.
by Perry_Clease July 30, 2009 4:11 PM PDT
Yes, San Francisco is the ONLY city using that model parking meter.
by The_happy_switcher July 30, 2009 4:29 PM PDT
Must be running on Windows.
by monkeyfun14 July 30, 2009 10:05 PM PDT
And you must be a troll.
by pentest July 30, 2009 10:42 PM PDT
It is too much to see trolls calling other trolls.
by uptheironsrafi July 31, 2009 1:16 AM PDT
It's funnier to see a troll point out another troll calling someone else a troll...
by The_happy_switcher July 31, 2009 7:31 AM PDT
It's even funnier to see a troll pointing out a troll point out another troll calling someone else a troll...
by Vegaman_Dan July 31, 2009 2:23 PM PDT
While it is indeed possible to use a WinCE embedded OS in this type of product, Linux, in fact, is pretty much the default for these systems.
by Gazz6037 July 30, 2009 5:50 PM PDT
@Perry_Clease

Why don't you read the article first?
"...parking meters used in cities including San Francisco."

How am I not surprised that it was so easy to hack these...

Cheers, Brian.
by gggg sssss July 30, 2009 7:48 PM PDT
Of course they could do like Boston and threaten to jail them if they disclose.
by cowspeak July 30, 2009 8:00 PM PDT
Please show us how to hack the meters in Chicago. Our stupid mayor signed the contract to a private firm and they raised the fee 6X what it used to be.
by jaguar717 July 30, 2009 8:12 PM PDT
I don't think stupid is the word. Tyrant in his petty fiefdom? Yes. My guess is next time his perpetual reelection is threatened, he demonizes the private firm, voids the contract, and then gets the meters back but with everyone used to the 500% price increases.

Win-win for him, lose-lose as usual for anyone trying to work for a living. Not that there's much of a middle class left in Chicago after the last couple decades of Rule by the Anointed Ones.

The really fun part is that instead of letting the failures caused by machine-politics die off, the thug tactics are now being subsidized by the country and taken nationwide via Chicago-on-the-Potomac.
by baconstang July 30, 2009 11:35 PM PDT
Way to stay on topic, loser.
by pentest July 30, 2009 10:44 PM PDT
This is very much like last year with Boston transit; at least this group of incompetent ninnies didn't drag the researchers to court and give themselves an even bigger black eye.

Just more evidence that software developers need to be licensed like many engineering professions.
by sodapop2k9 July 31, 2009 9:01 AM PDT
I want one