MacKay parking meter reads $999.99
(Credit: Joe Grand, Jacob Appelbaum, Chris Tarnovsky)A three-man team of programmers and engineers announced on Thursday that it has found a way to park for free by bypassing the security of "smart" parking meters used in cities including San Francisco, which has about 25,000 of them.
The parking meters are manufactured by J.J. MacKay Canada and accept coins and prepaid plastic cards that can be purchased in $20 and $50 denominations from local drugstores and grocery stores.
Although MacKay claims (PDF) its meters use "sophisticated security algorithms to deter fraud," it took the trio of hackers three days to figure out how to decode how the stored value card worked and boost its value to $999.99.
"We don't want people to walk away from this saying, 'Oh my God, they can steal money,'" said Jacob Appelbaum. "We want them to think, 'There's a whole computer in here. What kind of due diligence are people doing?'"
"If they're not using encryption, they're probably doing it wrong," Appelbaum added.
Appelbaum and his colleagues are presenting their research on Thursday afternoon at the Black Hat security conference in Las Vegas. The other two team members are Joe Grand, a hardware engineer and president of Grand Idea Studio, and Chris Tarnovsky, who runs Flylogic Engineering, which performs security analysis of semiconductors.
"We're concerned about this news and we'll do everything we can to work with MacKay and see what we can do to make the meters more secure," Judson True, a spokesman for the San Francisco Municipal Transportation Agency, said in an interview on Thursday afternoon.
One option would be for the city to flag cards with suspicious activities and reprogram every parking meter -- they're visited every two or three days for coin removal purposes -- to ignore that card, True said.
In addition, the problem may eventually disappear as hardware is replaced, True said. "We are moving forward in the next few years to replace all these meters with meters that accept credit cards. We may still have some version of a parking card. That may be a medium-term solution. In the interim, we'll see what we can do in terms of additional security for the meters and for the cards."
MacKay did not respond to multiple requests for comment on Thursday.
San Francisco has purchased about 25,000 MacKay parking meters--from the Guardian XLE series--to replace the old ones that used only coins. A 2002 article in the San Francisco Chronicle put the cost of the conversion at more than $37.7 million, though the city estimates that the cost of the meters was closer to $25 million.
Updated: With a response from the San Francisco Municipal Transportation Agency.
Want to ride the subway for free without having to jump the turnstiles? Well, as of Monday, you'll be able to do that by making a fake transit card.
A scientific paper detailing the security flaws in the Mifare Classic wireless smart card chip used in transit systems around the world is being published by the Radboud University Nijmegen. And a researcher at Humboldt University in Berlin has published a full implementation of the algorithm (PDF).
"Combining these two pieces of information, attacks can now be implemented by anyone," RFID researcher Karsten Nohl told CNET News. "All it takes is a $100 (card) reader and a little software."
Armed with the information in the papers, someone could steal the secret key from a Mifare Classic-based transit card and create a clone of it. As seen in a demonstration, data was collected wirelessly by merely brushing a card reader past someone carrying a card. The data was then used to create a fresh transit card that permitted free access to the London subway.
Subway systems in Amsterdam, Boston, Bangkok and Delhi, among other cities, are also susceptible, as are building access control systems in Europe.
"That's just the tip of the iceberg," said 3ric Johanson, a Seattle-based security consultant. "It's my estimation that approximately 3.5 billion cards have been issued using the Mifare Classic protocol, all subject to financial fraud. There are at least 60 or so major citywide RFID implementations that rely on Mifare Classic."
Nohl, who worked with others to break the Mifare crypto last year and received a Ph.D. in computer security from the University of Virginia, suspects that "hobby hackers who ride the metro everyday and are curious about this technology" will be the first to exploit the vulnerability, "more for fun than profit."
For the less technologically savvy among us, there could soon be mass produced devices that make it easy to forge Mifare Classic cards, Johanson said.
Johanson, an expert in RFID technology, said he has reached out to transit systems to offer help improving their security, but received mixed responses.
There are options for transit authorities who don't want to replace their entire systems. For instance, they can use intrusion detection-type systems that register when a particular card has had a change in value or been cloned, according to Johanson. "I'm highly dubious about a lot of these claims because it's hard to do it right," he said of such measures.
NXP, the company that developed the Mifare Classic chip, could not be reached for comment Monday. The company sued to block publication of the Dutch University paper but a judge ruled in July that the paper could be published.
The Massachusetts Bay Transit Authority (MBTA) took legal action in August to prevent three MIT students from presenting their research on how to "hack" the Boston subway system at the Defcon hacker confab in Las Vegas. A judge later lifted the gag order in that case. Representatives from the MBTA could not be reached for comment.
Security systems like the Mifare Classic that are not peer reviewed are not as trustworthy as systems that can be openly analyzed by researchers looking for flaws, Johanson and Nohl said.
"Developing your own proprietary security mechanisms and not getting public scrutiny on it does not work," Nohl said.
- prev
- 1
- next
