| Tuesday July 29th 2014

Feedburner

Subscribe by email:

We promise not to spam/sell you.


Search Amazon deals:

Black Hat 2009: Parking meter hacking


For day two of Black Hat, we sat in on on Joe Grand, Jacob Appelbaum, and Chris Tarnovsky’s study of the electronic parking meter industry. They decided to study parking meters because they are available everywhere, but rarely considered from a security perspective.pwnt parking meter

They focused on the San Francisco’s MTA implementation of electronic smart card meters. To start they purchased several meters on eBay just to see the different styles. SF MTA lets you purchase disposable payment cards with values of $20 or $50. They decided to sniff the interaction between the meter and the smartcard using a shim. With that first capture they were able to easily replay the transaction. This didn’t require a smartcard reader, just an oscilloscope. They then took the attack a little further.


Joe built a smartcard emulator using a PIC16F648A. They used it to capture multiple transactions and then decoded the interactions by hand. Luckily, the card was using the IEC 7816 standard so they had some insight into the protocol. They found that the card has a stored maximum value and only writes how many times the value has been decremented. As a proof of concept, they change the maximum value, which you can see on the meter above. They could also have just changed the acknowledgment so that the card never writes any deductions.

The PIC16F648A was a good choice because it’s available in a smart card format called a “silver card.” You can find the emulator code and slides from the talk on Joe’s site about the project.

Related Posts: On this day...

Leave a Reply

You must be logged in to post a comment.