Black Hat 2009: Parking meter hacking

For day two of Black Hat, we sat in on [Joe Grand], [Jacob Appelbaum], and [Chris Tarnovsky]’s study of the electronic parking meter industry. They decided to study parking meters because they are available everywhere, but rarely considered from a security perspective.

They focused on San Francisco’s MTA implementation of electronic smart card meters. To start, they purchased several meters on eBay just to see the different styles. SF MTA lets you purchase disposable payment cards with values of $20 or $50. They decided to sniff the interaction between the meter and the smartcard using a shim. With that first capture they were able to easily replay the transaction. This didn’t require a smartcard reader, just an oscilloscope. They then took the attack a little further.

[Joe] built a smartcard emulator using a PIC16F648A. They used it to capture multiple transactions and then decoded the interactions by hand. Luckily, the card was using the IEC 7816 standard so they had some insight into the protocol. They found that the card has a stored maximum value and only writes how many times the value has been decremented. As a proof of concept, they changed the maximum value, which you can see on the meter above. They could also have just changed the acknowledgement so that the card never writes any deductions.

The PIC16F648A was a good choice because it’s available in a smart card format called a ‘silver card’. You can find the emulator code and slides from the talk on [Joe]’s site about the project.
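The weakness described above is that the meter trusts counters the card reports, with nothing tying them to the current session. The following is an added example, not code from the talk or from [Joe]’s emulator: a toy model of that trust decision next to a challenge-response check. The key, serial, message layout and function names are all assumptions made for illustration and do not reflect the real card protocol.

```python
import hashlib
import hmac
import os
import struct

MASTER_KEY = b"constructed-demo-master-key"  # constructed; assumed to sit in the meter's secure storage

def card_key(serial: bytes) -> bytes:
    # Per-card key diversified from the issuer master key and the card serial.
    return hmac.new(MASTER_KEY, serial, hashlib.sha256).digest()

def card_respond(key: bytes, nonce: bytes, max_units: int, used: int) -> bytes:
    # What a genuine card would compute: a MAC over the meter's nonce and its counters.
    msg = nonce + struct.pack(">II", max_units, used)
    return hmac.new(key, msg, hashlib.sha256).digest()

def naive_meter(max_units: int, used: int) -> bool:
    # The scheme the article describes: believe whatever counters arrive.
    return max_units - used > 0

def hardened_meter(serial: bytes, nonce: bytes, max_units: int, used: int, tag: bytes) -> bool:
    # Accept only counters authenticated for the nonce issued in this session.
    expected = card_respond(card_key(serial), nonce, max_units, used)
    return hmac.compare_digest(expected, tag) and max_units - used > 0

def demo() -> dict:
    serial = b"CARD0001"           # constructed serial
    key = card_key(serial)         # would be held inside the genuine card
    # Session 1: genuine card with one unit left; the exchange is recorded on the wire.
    n1 = os.urandom(16)
    captured = (200, 199, card_respond(key, n1, 200, 199))
    # Session 2: the card is now empty and the meter issues a fresh nonce.
    n2 = os.urandom(16)
    empty_tag = card_respond(key, n2, 200, 200)
    return {
        "naive_replay": naive_meter(captured[0], captured[1]),
        "naive_tampered_max": naive_meter(9999, 200),
        "hardened_genuine": hardened_meter(serial, n1, *captured),
        "hardened_replay": hardened_meter(serial, n2, *captured),
        "hardened_tampered_max": hardened_meter(serial, n2, 9999, 200, captured[2]),
        "hardened_empty_card": hardened_meter(serial, n2, 200, 200, empty_tag),
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The model assumes the per-card key cannot be read out of the card; without that property the MAC adds nothing.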

53 thoughts on “Black Hat 2009: Parking meter hacking”

  1. No encryption? They were just able to look at the traffic and decode it? Then what was the point of using a smart card? They could have designed the system on punch cards and ended up with the same security.

    1. Candy machines? easy!!! Pop bottle cap liners. Pull them out and put them in the machines that you turn the knob to get candy/prizes. Sometimes you need 2 or 3 of them and most of the time it only works on the dollar machines. For quarter machines use one quarter on one of the machines with the small multicolored bubble gum, then take some of the gum and flatten it to the size of a quarter, it should work just fine. I used to use both of these methods to get free candy from them.

  2. The physical key is weak too, I had a key from the bike lock which was able to open them, my buddies thought of opening them but then decided that it was too dangerous if caught and abandoned the idea.

  3. @therian

    Are they the round hole type like on vending machines? I read somewhere that you can get into them with BIC pens. I tried it on a cabinet at work once and it worked but maybe it was a lower quality lock. You just pull out the writing end, jam it in (REALLY HARD) and twist. I bet if you soften the plastic with a lighter first it will be easier because you basically have to get the pen to conform to it.

    Kind of funny because I remember way back in middle school someone broke into the school at night and unsuccessfully tried to break into one of the vending machines. There were marks from a blowtorch and bent parts from a crowbar and all they needed was a pen! XD

  4. @shibathedog
    I don’t remember by now, it was a long time ago in junior high, key look like (probably I should not say) and it did not fit naively but was able to turn and pull round thing out, but I get paranoid and never fully open any, just pull round thing a little bit out and back

  5. Most parking meters in the UK are coin op, they require you to enter your reg number and the bay that you stay in. There’s been a new wave of mobile phone top up ones, No doubt there’s ways to exploit it! Ha ha ha

  6. You’re talking about these locks right? The ones that used to be computer “keylocks”?

    Yea, I can see how that would work. But only the cheap vending companies use them. Others use fancier locks like these:

    http://tinyurl.com/ktkbod

    That looks a bit harder to crack.

  7. I understand that it is fun to make a fool out of companies for poor implementation and had a quick look at the slides. I especially enjoyed the thread on a newsgroup where a senior developer at one of the companies inquires about how to use this cvs-program-thingy.

    Is it possible to design a secure, tamperproof cashless payment system? They all seem to fail (e.g. mifare/subway cards). Any recommendations as a comment would be appreciated.

  8. @anonymous

    The question is not whether one could design a secure cashless payment system. A more important question is *should they?*

    Cash is the one thing that assures anonymity in a purchase. Why is that important? Because it is no one’s business what books you read, how many rounds of ammo you have on hand, or whether or not you enjoy a glass of wine with your dinner. It’s bad enough that private companies mine your data. It’s downright scary that the government does… and will I guarantee it: data mining comes with any mechanism for cashless transactions.

    The day cash goes away is the day we all become slaves– permanently.

  9. barrel locks are a bit strange. I doubt you could crack it with nothing more than a bic pen, any more than you can crack a typical lock with nothing more than a key sized plastic tab.
    There are usually either 6 or 9 pins. you still need them all to line up properly (each one has to be pushed down to a different depth, and possibly not at all), and you need to get it to grab the inner shaft and rotate the lock when you turn it.

    They are easy to hack though if you can get your hands on any two broken keys. Each barrel lock has 9 potential key sets, but only one works in the lock. However there is a ‘programmer’ key that you use to set which of the 9 keys will work. If you can get any one of the keys (even one that is not functional in the lock, due to being the wrong key number) you can easily make a programmer key by cutting the tabs off the inside and outside of the barrel.

    broken keys are easy to get if management is slightly stupid. A lot of times, these keys have bent outer tabs. the lock is supposed to capture the key when the lock is unlocked. if the key is damaged, it will open the lock but not capture the key. if the op pulls the key out, it usually won’t go back in, unless the tab is totally missing. the lock is trashed and has to be changed, since you can’t insert a key to turn it back. the key should be destroyed, but usually just gets tossed by less intelligent management.

    If you can snag the broken key, you can piss people off a number of ways.
    1 – cut the outer tab off only. it will work only in locks set to that key number. Just as the employee trashed the lock, you can do the same to as many as you want before someone gets wise to you.
    2 – cut both the outer and inner tab off. it’s now a programmer key. it won’t open anything, but you can set random locks to random key numbers. usually people only carry the working keys, and will find that none of their keys will open the lock. Many sites only buy a few key numbers rather than all 9. (worse is that chain stores often only register one unique pin set, and give each store a different key number. get one store’s key and you can mess them all up) The only way THEY can get into the lock is to either drill it or dig out the programmer key. It sounds simple to solve, but usually the programmer key is locked away in a safe somewhere, and only a few people have access to it.
    I can’t tell you how many times I came to work after a long holiday to find several drilled out locks sitting on my desk.

    1. I don’t know where you got all that from… Barrel locks are extremely easy to open with a bic pen. There are exactly zero pins in a barrel lock, just ball bearings. The ball bearings are all the same size, and the bumps on the keys are all the same size. When you turn the key it pushes the bearings outward allowing you to turn the key all the way around. When you jam the bic pen in there all the bearings are pushed outward which allows you to turn the bic pen fully. Some barrel locks are a bit stronger and can’t be opened simply with a bic pen, but most are very crappy ($2 to $25) and can be opened with ease. Though u-locks for bikes which have barrel locks are even easier, you can hit it a couple times with a hammer and it’s toast. This is from my own personal experience. When I come across something like this I try it instead of knocking it first.

  10. ok ok.. so kryptonites locks can be picked with a friggen pen.. but they don’t make locks, they apparently make shoelaces you use to secure things. their pins are always too shallow with relation to each other.

    1. Kryptonite locks can be picked with a couple swings of a hammer, much faster than taking apart and jamming in a bic pen. Any kind of bike lock sold as a bike lock is shit. They’re made from die cast steel which is very weak. Most bike locks can be broken easily by simply grabbing the lock mechanism and bending it back and forth. Combination bike locks are the easiest, break off just one of those plastic dials and you can slide the rest, the actual dial itself is marked and when you slide the rest you can just turn the dials to the right combination. The only safe way to lock up your bike (still not 100% secure) is to buy a 4 foot length of chain and a strong hardened steel lock that takes keys, and not a Master Lock, Master Locks quite often take the same key, and you can often open Master Locks with other Master Lock keys which are similar but not the same as another one. I had a job once where we needed to use a lot of locks, the owner had bought about 50 Master Locks and half the keys worked on one lock though all of the keys were different.

  11. @x: They intentionally did it. This keeps their research from pissing off the vendors and branches so they might make money off a contract of some kind like everyone else has. It’s rarely because the researchers are genuinely that ethical.

    The same thing happens with software reversing. A lot of the updates for software DRM solutions come off consulting sessions with users from forums such as woodman, tuts4you and a few others and it’s never publicized. This is just one of many industry examples of trade obscurity.

  12. Hacking candy machines, lol.

    This got me thinking back to those candy machines you put the quarter in and turn the crank until it dispenses candy. I spent a lot of time on car lots as a young kid (family was in the business) and they had this mike and ike machine. I would take one of their key rings they used (a standard thin-wire key ring, they had boxes full of them) and spread it out just a hair to the size of a quarter, wrap a few wraps of scotch tape around it, and feed it through the machine. Free mike and ike’s!

    I showed the salespeople at the dealership how to do it one lazy afternoon, and heard when the candy-guy came by to reload the machine he had a machine full of key rings instead of quarters.

    A trick I learned after that, you can completely drain a mike-and-ike machine with one standard quarter. Simply put the quarter in and begin turning the crank SLOWLY. Wait until you get the first mike-and-ike or two to drop out into the grab-slot, then twist the crank back counter-clockwise as far as you can (it’ll move about half a centimeter). Now rock it back and forth that half-centimeter or so and if you’ve hit the sweet spot you’ll just keep on pouring them, it takes about 10 minutes to totally empty a machine.

    1. You didn’t need to wrap the keyrings in tape, the machine is activated by the pressure of the quarter/whatever else you’re using when you turn the knob. As far as being able to drain a machine, that only works if the machine’s broken already. The machines are designed to drop the next load of candy in the next slot while you’re dropping candy down from the other slot. I have tried this trick so many times, I only had it work once, on a machine that had broken slots. They fixed the machine after half of it got drained, now it doesn’t work.

  13. i think many of the companies that design these products often underestimate the abilities of even the more common hackers… magstrips, i2c, spi whatever are easy pickings. i am surprised that any company would implement unencrypted data in any modern device relating to a cash transaction or other service of value.

  14. @Agent420: Most software and electrical engineers who get on at those companies do text book work, and often huff at open thinkers in the industry.

    You know who I’m talking about, the old kids these days guys in plaid shirts and dockers, or the young ass hole who has the same mentality as the guys in marketing.

    Costs are a minor factor. Major innovation doesn’t come from generic thinking. Those guys are tools who have no place anywhere else in the industry.

  15. bfrosty on the point of the coin candy dispensers i used to just turn the knob back and forth till candy came out no coin needed lol lots of fun and funny skits can be attributed to the simplest thing ain’t life grand

  16. I’m glad Joe got this out to the public. Travis Goodspeed was trying to snipe this project and take credit for it after Joe told him what he was working on. Congrats Joe! Nice work.

  17. As a qualified locksmith, the existence of a programmer key by cutting off the 2 tabs is not accurate. Well to be blunt it is a load of crap. Maybe it is the same as the master key that works all the houses in the USA?

  18. I bought one of these, and am getting it reverse engineered at “Bomarc.org” Schematics should be available after 08/20/09 307 234 3488
    happy hacking.

  19. in the 80s or 90s candy machine hack i learned when i was young is to take bottle cap and cut the top off so you have a round flat plastic coin then
    make it the size of a quarter
    cut a flat top 1/8 of an inch much like a “c”
    place it in the coin slot flat side up
    and spin the handle and it spits out candy and misses the notch to drop the coin and stays in the slot to continually turning until diabetes sets in

    i tried it again in 2008 and no luck

    1. No luck? It should work… If the machine will still take quarters it should take anything the size of a quarter. I think you cut it too small, in order for the plastic to “miss” and stay in the slot it would have to be slightly bigger than a quarter. Try the pop cap liners, I use 2 or 3 of them back to back in both the quarter and dollar machines, though most machines now have a stronger spring and the liners aren’t hard enough to push the tab. 2012 and it still works.

  20. Security costs money. The consulting engineer for the original DC Metro Farecard was told to make the cardsystem cheap, quick, and reliable. When warned, management said security could wait. That is why you could, for YEARS, cut a $10 card in half, tape it to an erased card, and have two $10 cards. So security costs $$ either way.

  21. @me: You might want to look into the re-keyable tubular locks. They are indeed available with a changekey, in the manner that @MRE describes.

    @Deyjavont: Bumpkeys actually aren’t as useful as the myths about them would suggest, even in places like the USA where most doors have a Kwikset. Knowing how to use a pick is far more universal.

  22. That is an amazing trick, although if the cops saw such a high amount of credit in the meter they would surely question you about it right? I am certain though, say you changed the card’s deduction code so that it would never deduct and perhaps change the maximum value to something like $60 or $70 and then you could use the card forever without any suspicion ;)

  23. tubular lock that uses change key is Van Brand lock. Vanlock. Used on vending machines at freeway rest areas, etc. the key has pins and is not impressioned by a bic pen. fun pick. Have fun.
