torsdag 30. juli 2009

Smart parking meters aren’t so hard to hack

In the name of urban anarchy and intellectual stimulation, a team of three hackers have figured out how to break the security systems of a variety of parking meters.
At the Black Hat conference in Las Vegas today, Joe Grand, Jacob Appelbaum and Chris Tarnovsky said used a variety of tactics to figure out how various parking meters work across the country and how they can be tricked into giving you free parking.
While parking meters may not seem like a big deal, they generate roughly $28 billion a year in revenues for contractors and city governments around the country. If they’re compromised, that could put a wrench in the plans of cities that are trying to get more money from parking collection and stop fraud by human meter coin collectors during the recession.
San Francisco has spent $35 million converting from mechanical parking meters to electronic ones since 2003. Yet the researchers found that there was very little thought put into how protect the meters, which have built-in computers.
“Our attack isn’t great technology at all and it shouldn’t even be possible in 2009,” Appelbaum said.
In the case of San Francisco, the trio hacked the parking meters via a process of deduction. The hackers collected data on a variety of parking meters, which vary by manufacturer and city. They bought older parking meters on eBay in order to find out what electronics they used. They found that, once they disassembled the meters, there wasn’t that much protecting the computer inside. They could use hardware detection devices to figure out how the chips worked and then reverse engineered what they did.
Once they figured out the smart card protocol and how it worked, they figured out you can change the code on a smart card to reload the dollar value. In fact, they showed a picture of a parking meter where they had changed the value of money stored on a card to $999.99.
San Francisco is in trouble because they may have to audit their logs every day to prevent massive fraud. There are also serious privacy implications where the logs could show where you’ve parked and which smart card you’ve used to pay for the parking.

Ingen kommentarer:

Legg inn en kommentar