For day two of Black Hat, we sat in on on [Joe Grand], [Jacob Appelbaum], and [Chris Tarnovsky]‘s study of the electronic parking meter industry. They decided to study parking meters because they are available everywhere, but rarely considered from a security perspective.

They focused on the San Francisco’s MTA implementation of electronic smart card meters. To start they purchased several meters on eBay just to see the different styles. SF MTA lets you purchase disposable payment cards with values of $20 or $50. They decided to sniff the interaction between the meter and the smartcard using a shim. With that first capture they were able to easily replay the transaction. This didn’t require a smartcard reader, just an oscilloscope. They then took the attack a little further.

[Joe] built a smartcard emulator using a PIC16F648A. They used it to capture multiple transactions and then decoded the interactions by hand. Luckily, the card was using the IEC 7816 standard so they had some insight into the protocol. They found that the card has a stored maximum value and only writes how many times the value has been decremented. As a proof of concept, they change the maximum value, which you can see on the meter above. They could also have just changed the acknowledgement so that the card never writes any deductions.

The PIC16F648A was a good choice because it’s available in a smart card format called a ‘silver card‘. You can find the emulator code and slides from the talk on [Joe]‘s site about the project.

Peripheral manufacturer Datel has been hard at work attempting to crack the PSP 3000 since its release. They’ve developed the Lite Blue Tool battery to force the PSP into service mode so hackers can run any arbitrary code they want. According to MaxConsole, Datel performed a silicon level investigation of the PSP’s chips to determine how to break into service mode. This means they decapsulated the the chips and reverse engineered any cryptographic protections. We’d love to hear exactly what chips were being used since some are fundamentally flawed.

Silicon hacking has always been a favorite topic of ours and we suggest you check out [Chris Tarnovsky]‘s decapsulation technique to learn more about it.