Parking metres in San Francisco face fears of hacking

The thing about technology is that everyone is into it. So no matter what kind of formula you equate on something for safe guarding the laws, someone will eventually break it. That’s the cycle. In the states now there is a new fear amongst law makers. The smart cards that access electronic parking meters in larger cities can be tampered with to obtain unlimited free parking. This came about when researcher Joe Grand who only took only three days to design an attack on the smart cards and he said it was as easy as that and it is no wonder that anyone can hack it. Another fellow researcher Jake Appelbaum also did the same. They also presented their findings at the Black Hat security conference (.pdf) here. The researchers did not contact the San Francisco Municipal Transportation Agency or the meter maker prior to their talk, and asked reporters not to contact those organizations ahead of their presentation, for fear of being gagged

San Francisco launched a $35-million pilot project in 2003 to deploy smart meters around the city in an effort to thwart thieves, including parking control officers who were skimming money from the meters. The city estimated it was losing more than $3 million annually to theft. In response, it installed 23,000 meters made by a Canadian firm named J.J. MacKay, which also has meters in Florida, Massachusetts, New York, Canada, Hong Kong and other locales. The machines are hybrids that allow drivers to insert either coins, or a pre-paid GemPlus smart card, which can be purchased in values of $20 or $50. The machines also have an audit log to help catch insiders who might skim proceeds. To record the communication between the card and the meter, Grand purchased a smartcard shim — an electrical connector that duplicates a smartcard’s contact points — and used an oscilloscope to record the electrical signals as the card and meter communicated. He discovered the cards aren’t digitally signed, and the only authentication between the meter and card is a password sent from the former to the latter. The card doesn’t have to know the password, however, it just has to respond that the password is correct.The cards sold in San Francisco are designed to be thrown out when the customer has exausted them. But the researchers found that the meters perform no upper-bounds check, so hackers could easily boost the transaction limit on a card beyond what could legitimately purchased. They could also program a card to simply never deduct from the transaction count. So much research into this has anyone thought WHY this is being done? Hacking a metre parking? Why do people have to waste so much time trying to find the answers for the wrong questions?