Hackers Bypass S.F.'s E-Parking Meters

(WCBS)
A three-man team of programmers and engineers announced on Thursday that they have found a way to park for free by bypassing the security of "smart" parking meters used in cities including San Francisco, which has about 25,000 of them.

The parking meters are manufactured by J.J. MacKay Canada and accept coins and prepaid plastic cards that can be purchased in $20 and $50 denominations from local drugstores and grocery stores.

Although MacKay claims its meters use "sophisticated security algorithms to deter fraud," it took the trio of hackers three days to work out how the stored-value card worked and boost its value to $999.99.

"We don't want people to walk away from this saying, 'Oh my God, they can steal money,'" said Jacob Appelbaum. "We want them to think there's a whole computer in here. What kind of due diligence are people doing?"

"If they're not using encryption, they're probably doing it wrong," Appelbaum added.

Appelbaum and his colleagues are presenting their research on Thursday afternoon at the Black Hat security conference in Las Vegas. The other two team members are Joe Grand, a hardware engineer and president of Grand Idea Studio, and Chris Tarnovsky, who runs Flylogic Engineering, which performs security analyses of semiconductors.

"We're concerned about this news and we'll do everything we can to work with MacKay and see what we can do to make the meters more secure," Judson True, a spokesman for the San Francisco Municipal Transportation Agency, said in an interview with CBSNews.com on Thursday afternoon.

One option would be for the city to flag cards with suspicious activities and reprogram every parking meter -- they're visited every two or three days for coin removal purposes -- to ignore that card, True said.

In addition, the problem may eventually disappear as hardware is replaced, True said. "We are moving forward in the next few years to replace all these meters with meters that accept credit cards. We may still have some version of a parking card. That may be a medium-term solution. In the interim, we'll see what we can do in terms of additional security for the meters an

MacKay did not respond to multiple requests for comment on Thursday.

San Francisco has purchased about 25,000 MacKay parking meters -- from the Guardian XLE series -- to replace the old ones that used only coins. A 2002 article in the San Francisco Chronicle put the cost of the conversion at more than $37.7 million.

Updated 9pm ET: With a response from the San Francisco Municipal Transportation Agency.

Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.