Hackers: We can bypass San Francisco e-parking meters

A trio of programmers and engineers say they can bypass the security mechanisms of the city's electronic parking meters and create "prepaid" cards with a value of $999.99.

Declan McCullagh Former Senior Writer
MacKay parking meter reads $999.99 Joe Grand, Jacob Appelbaum, Chris Tarnovsky

A three-man team of programmers and engineers announced on Thursday that it has found a way to park for free by bypassing the security of "smart" parking meters used in cities including San Francisco, which has about 25,000 of them.

The parking meters are manufactured by J.J. MacKay Canada and accept coins and prepaid plastic cards that can be purchased in $20 and $50 denominations from local drugstores and grocery stores.

Although MacKay claims (PDF) its meters use "sophisticated security algorithms to deter fraud," it took the trio of hackers three days to decode the stored-value card and boost its value to $999.99.

"We don't want people to walk away from this saying, 'Oh my God, they can steal money,'" said Jacob Appelbaum. "We want them to think, 'There's a whole computer in here. What kind of due diligence are people doing?'"

"If they're not using encryption, they're probably doing it wrong," Appelbaum added.

Appelbaum and his colleagues are presenting their research on Thursday afternoon at the Black Hat security conference in Las Vegas. The other two team members are Joe Grand, a hardware engineer and president of Grand Idea Studio, and Chris Tarnovsky, who runs Flylogic Engineering, which performs security analysis of semiconductors.

"We're concerned about this news and we'll do everything we can to work with MacKay and see what we can do to make the meters more secure," Judson True, a spokesman for the San Francisco Municipal Transportation Agency, said in an interview on Thursday afternoon.

One option would be for the city to flag cards with suspicious activities and reprogram every parking meter -- they're visited every two or three days for coin removal purposes -- to ignore that card, True said.

In addition, the problem may eventually disappear as hardware is replaced, True said. "We are moving forward in the next few years to replace all these meters with meters that accept credit cards. We may still have some version of a parking card. That may be a medium-term solution. In the interim, we'll see what we can do in terms of additional security for the meters and for the cards."
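As an added illustration of the card-flagging option True describes (this is not code from the article, the city or MacKay), the sketch below builds an ignore-list from meter audit records. It assumes each meter logs a card identifier, the balance it read and the amount debited, that records are merged in time order, and that cards cannot be reloaded; the record layout and all names are hypothetical.

```python
from collections import defaultdict
from decimal import Decimal

# Assumption: cards are sold only in $20 and $50 denominations (per the article)
# and cannot be topped up, so no genuine card ever holds more than $50.
MAX_FACE_VALUE = Decimal("50.00")

# Constructed sample audit records: (card_id, meter_id, balance_before, debit).
# The layout and identifiers are hypothetical, not MacKay's format.
SAMPLE_AUDIT = [
    ("CARD-A", "M-0101", "20.00", "1.50"),
    ("CARD-A", "M-0102", "18.50", "3.00"),
    ("CARD-B", "M-0101", "999.99", "3.00"),  # balance above any sold value
    ("CARD-C", "M-0207", "50.00", "30.00"),
    ("CARD-C", "M-0311", "50.00", "30.00"),  # balance back at 50 after a debit
    ("CARD-D", "M-0311", "5.00", "2.00"),
    ("CARD-D", "M-0312", "9.00", "2.00"),    # balance went up between uses
]

def build_blocklist(records, max_face=MAX_FACE_VALUE):
    """Return {card_id: sorted reasons} for cards the meters should ignore."""
    reasons = defaultdict(set)
    spent = defaultdict(Decimal)   # cumulative debits per card
    expected = {}                  # card_id -> highest balance plausible at next use
    for card, _meter, before, debit in records:
        before, debit = Decimal(before), Decimal(debit)
        if before > max_face:
            reasons[card].add("balance_exceeds_face_value")
        # A missing record only makes the balance lower than expected,
        # so flagging increases alone avoids that false positive.
        if card in expected and before > expected[card]:
            reasons[card].add("balance_increased")
        spent[card] += debit
        if spent[card] > max_face:
            reasons[card].add("spend_exceeds_face_value")
        expected[card] = before - debit
    return {card: sorted(why) for card, why in reasons.items()}

if __name__ == "__main__":
    # The resulting list is what a collection visit would load into each meter.
    for card, why in sorted(build_blocklist(SAMPLE_AUDIT).items()):
        print(card, ", ".join(why))
```

Because meters are only visited every two or three days, a list built this way takes effect with that delay, which is why the balance ceiling check belongs in the meter itself as well.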

MacKay did not respond to multiple requests for comment on Thursday.

San Francisco has purchased about 25,000 MacKay parking meters--from the Guardian XLE series--to replace the old ones that used only coins. A 2002 article in the San Francisco Chronicle put the cost of the conversion at more than $37.7 million, though the city estimates that the cost of the meters was closer to $25 million.

Updated: With a response from the San Francisco Municipal Transportation Agency.