Black Hat: San Francisco meters hacked for free parking

31 July 2009

At the Black Hat security conference in Las Vegas, researchers have revealed how security has been compromised in San Francisco's plans to become a showcase for the US on computerised parking.

Joe Grand, the director of Grand Idea Studio, told his audience at Black Hat that it took just three days to create a smart payment card that allowed the researchers to park for free at the city's parking meters.

The problem, he said, is that the meters have no way of knowing whether a card is genuine or a fake. A smart card that simply 'plays' out the data the meter is interrogating it for therefore fools the machine into thinking it has a valid card inserted.

In this way, he explained, the fake card can then be used to pay at all 23 000 meters across San Francisco.

Grand's methodology in creating the fake card is interesting, Infosecurity notes, as he appears to have created a card that, when interrogated, tells the reader it has a balance of $999.99 - the maximum possible on the card system.

Grand said that, in order to work out how to circumvent the payment card system, he wired a portable oscilloscope to a parking meter and monitored what signals were generated when he used a genuine card.

By working through the data signals manually, he worked out what signals the meter was expecting and created a computer program to emulate the smart card chipset - and respond accordingly.

Once he calculated the correct responses to the interrogative requests from the meter, he was able to program a smart card that simply played back the required data responses.

According to the security researcher, the meters used in San Francisco are Mackay Guardian XLE units, which are fitted with a secure access module (SAM) from a third-party financial institution.

Because of this, he said it is unlikely that his hack would work in different cities across the USA that are also rolling out smart card-driven parking meters.
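
The weakness described above, a meter that accepts whatever data a card plays back, is what a fresh challenge-response check is meant to close. The following is an added illustration, not code from Grand's talk or from the meter vendor: a simplified model with a constructed key and hypothetical class and function names, unrelated to the actual card protocol.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; not taken from any real meter or card.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
BALANCE = (99999).to_bytes(4, "big")  # $999.99 in cents


class GenuineCard:
    """Holds a secret key shared with the meter's verifier."""

    def static_reply(self):
        return BALANCE  # identical bytes on every read

    def signed_reply(self, nonce):
        return BALANCE + hmac.new(KEY, nonce + BALANCE, hashlib.sha256).digest()


class ReplayCard:
    """Knows no key; can only play back replies captured earlier."""

    def __init__(self, static, signed):
        self._static, self._signed = static, signed

    def static_reply(self):
        return self._static

    def signed_reply(self, nonce):
        return self._signed  # tag was computed over an old nonce


def weak_meter_accepts(card):
    # No authentication: any well-formed balance is trusted.
    return int.from_bytes(card.static_reply(), "big") > 0


def hardened_meter_accepts(card):
    nonce = secrets.token_bytes(16)  # fresh challenge per transaction
    reply = card.signed_reply(nonce)
    data, tag = reply[:4], reply[4:]
    expected = hmac.new(KEY, nonce + data, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def record_session(card):
    """What a passive observer of one genuine transaction would capture."""
    return card.static_reply(), card.signed_reply(secrets.token_bytes(16))
```

The weak meter accepts both the genuine card and the playback card, while the hardened meter rejects the playback because the recorded tag does not match the new nonce. The model covers only freshness of the card's reply; it assumes the verification key is kept out of reach, for example in secure hardware.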
