Hacking meters

Pub date August 26, 2009

news@sfbg.com

Joe Grand and his accomplices, Jacob Appelbaum of Noisebridge and Chris Tarnovsky of Flylogic Engineering, have had their way with San Francisco’s new "smart" parking meters, hacking their way into the systems, exposing how easily they are manipulated, and sharing the entire experience with whoever would listen.

The three men, all highly skilled computer programmers, built a smart card capable of fooling San Francisco’s parking meter system into giving up that sweet parking space for free, and right in front of our eyes. "You can do pretty much anything on the streets. No one in San Francisco cares," Grand, who also goes by Kingpin and is head of Grand Idea Studios, told the Guardian.

The three men shared their account in a PowerPoint presentation at Black Hat Conference, a security conference held in Las Vegas last month. "We found out through the media," said Judson True, spokesperson for the San Francisco Municipal Transportation Agency, which administers the city’s parking system.

In three days the trio managed to create a device that could infiltrate the meter and then, using an oscilloscope (a device used to translate electronic signals into readable data), they recorded the communication between the meter and card.

Grand was then able to analyze the communication and, by adjusting it, created a new card with a value of $999.99, the highest amount a meter can display.

San Francisco has spent $35 million to deploy 23,000 smart meters throughout the city and the hack was intended to get city officials to improve the system. "San Francisco has been grasping for straws for what to do with metered parking. We wanted to enlighten people to the potential problems," Grand told us.

Since the news about their findings has gone public, Grand has met with SFMTA officials. "They were very responsive, more so than many other security groups. They seemed to be more concerned with vandalism and money being skimmed during collection than with high-tech attack. They wanted to understand the mindset of the people perpetrating these attacks. They were already looking for similar types of fraud."

To defend against fraud, the SFMTA monitors the audit logs of all the meters. If a card has been used more than its possible value (cards are sold in denominations of $20 and $50) then the city can block the card and these crimes are avoided. "We have not found any fraud," says True.

This smart meter technology is used in cities across the country. In Massachusetts, several MIT students were able to find ways to manipulate smart meters in Boston. Two of the three men who found the vulnerabilities in SF’s meters live in the city. "We’re San Francisco residents and we want our money to be used well. We need a secure system that will protect its citizens. A system that is at risk trickles down to the taxpayers."

SFMTA met with J.J. MacKay, the vendor of these meters. "It was the best system for the time and the price," says True. "They are huge improvements over the mechanical machines."

San Francisco is currently planning with MacKay about next-generation meters that will be capable of processing credit cards. "As long as the credit card’s info is processed right away and not stored, then there is no real chance of fraud," Grand said. But plans for purchasing such meters are far in the future, and no decisions have been made about which model will be used.
The plan to replace all the old meters with smart meters by early next year. The smart meters are a key element to the SFMTA’s SF Park pilot program, which uses market pricing and other tools to control parking demand (see "The Politics of Parking" cover package, July 1).
The hackers’ PowerPoint presentation’s "Final Conclusions" offered a couple of hints into their worldview. They began with "Systems need to be fully tested before deployment" and ended with "Consider a world without parking meters. Ride a bicycle!"