"Smart Parking Meters" not as smart as the hackers who pwn them


A group of tinkerers and security researchers announced findings that prove it is possible to bypass the controls of "e-meter" parking meters -- which means it's possible to park for free where such meters are in use. The group announced their findings last week at the 2009 Black Hat Briefings in Las Vegas. Snip:

Throughout the United States, cities are deploying "smart" electronic fare collection infrastructures. In 2003, San Francisco launched a $35 million pilot program to replace approximately 23,000 mechanical parking meters with electronic units that boasted tamper resistance, payment via smart card, auditing capabilities, and an estimated $30 million annually in fare collection revenue. Other major cities, including Atlanta, Boston, Chicago, Los Angeles, New York, Philadelphia, Portland, and San Diego, have made similar moves. This presentation details our evaluation of electronic parking meters, including hardware disassembly, smart card protocol emulation, and silicon die analysis.
Slides and presentation: Smart Parking Meters: Grand Idea Studio.

News coverage: CBS, PC World, Venturebeat, internetnews, infoworld, CNET (thanks, Jake Appelbaum).


  1. As one who has done some serious locksmithing, I’m always torn on this sort of thing. Yes, it’s good to find the vulnerabilities so they can be fixed. But it would be more responsible to inform the manufacturers, give them a fair chance to prepare (and ideally distribute) the fix, THEN go public.

    I know that isn’t the hacker culture… but I think it’s time for the hackers to grow up just a bit.

  2. Not sure where globalization comes into play, unless these manufacturers have shipped their QA off to cheap, quick, uninvested and unfamiliarized offshore firms.

  3. So, when I fly into SF and want to drive into the city in my rental car for a few hours before continuing on to my parents’ house, I can no longer park without figuring out where to buy one of these smart cards, and hoping either the shop is open, or the machine that sells me one for $10 worth of credit for 1 hour in a parking spot isn’t broken and vandalized?

    How convenient. Because no tourists EVER visit SF.

  4. @#3 ANONYMOUS: Did you even look at the picture? There’s a coin slot right next to the card slot. RTFA.

  5. I really detest these new parking meters. They are annoying, rarely work, and the instructions posted on them do not accurately portray how a person can actually get a parking sticker out of them. I would rather have to scare up $10 in change before I go downtown than use one of these machines.

    And @#4 – 90% of the time, in my experience anyway, the coin slot is either out of order or jammed full of garbage so it cannot be used. The last time I had to use one of these machines, I had to walk several blocks to find one that wasn’t completely borked beyond use, and every single one I encountered had a broken coin slot.

  6. The thing that bothers me about these kinds of findings is that you have these really smart people analyzing this technology, but after the fact. It is the same story with voting machines. It bothers me that these really smart people aren’t usually involved in the design and deployment of these technologies. Sometimes it’s because taking the path to having a novel technology adopted at the policy level will drag you through all sorts of mud, but I think a lot of the time it is that the cutting-edge minds that built up the internet aren’t acknowledging their broader-scope opportunity to better the world in a far more general sense.

  7. I didn’t read the link, but I suspect the mention of globalization is related to the trend of privatizing municipal parking to global corporations.

    Also, why would you want to tell the manufacturers? They’re fucking me over. I don’t code or hack, but I know I sure do hate whitehats.

  8. As to whether or not I’d let the manufacturer know about the vulnerability before going public, it’d have something to do with how much their product inconveniences me. If the company made parking meters or traffic cameras, I’d probably want to embarrass them as much as possible.

  9. The thing that bothers me about these kinds of findings is that you have these really smart people analyzing this technology, but after the fact. It is the same story with voting machines. It bothers me that these really smart people aren’t usually involved in the design and deployment of these technologies.

    That’s exactly what the “globalization” dig in the title of the talk is all about.

    Rather than paying market rates for bright people like these hackers, corporations farm work out to the lowest bidder in a 3rd world country.

    If you want products designed by these really smart people, and not hacked by them, vote with your dollars, and only support companies that hire skilled engineers rather than cheap ones.

  10. The companies that make these things truly don’t care about security. What they care about is that under the specified test conditions the product will work as spec’d. “You can’t manage what you can’t measure” (a slogan that proved that manager was an idiot, “it’s not a bug unless a customer reports it” was another) and there isn’t any way of measuring security because it is like proving a negative. On the other hand, if you find a problem the project will go over budget, it’s bad for your manager, and he’ll probably try to get rid of you.

    In these companies’ view there is no point in spending money on security.

  11. I wonder if anybody here railing against parking meters as “the man” has read Donald Shoup’s “The High Cost of Free Parking,” where he pinpoints underpriced parking meters as one of the causes of you not being able to find parking when you need it.

  12. Obviously, whenever you aren’t given something for free, it’s The Man screwing you over.

  13. When I can’t park in the city I live in because of tourists and sporting events, yes, it is the man screwing me over. Because I definitely am not getting streets or parking for free.

  14. So, you want to ban tourists and sporting events? Or is it that you think giving everyone free parking will somehow discourage those things?

  15. Chill, Moriarty. My reading of Redconsensus’ comment is that they *want* tourists and out-of-town visitors to pay, so residents aren’t saddled with all the burden and inconvenience.

  16. Perhaps San Francisco should just buy parking meters from companies that already manufacture, install, and maintain them.

    Here in Norway there are plenty of parking meters that take credit cards as well as coins. Why should anyone need any new development or pilot project; it’s off-the-shelf technology. Why require a fancy smart card when the Visa/Mastercard/Amex/etc. card that everyone already has will do the job just as well?

  17. Best advice at the end of the presentation is to do away with parking meters altogether and ride a bicycle.

    But please note, Technogeek, that the authors also present very simple recommendations at the end of the presentation that manufacturers could have implemented to prevent such tampering. Security of the system in the design phase was probably an afterthought, and not likely considered important enough to incorporate into the product.

    Interesting that the kind of SmartCards these meters like to use are exactly the same kinds of cards Diebold liked to use in their “AccuVote” touch-screen voting machines that have now been de-certified by the California Secretary of State.

  18. In Denmark, the banks gave vinyl clock faces with hands that stuck to the interior of the windshield. The driver set the clock to arrival time. Ten minute parking? Present time minus ten minutes. Bingo. Not honest on arrival time, if caught by the clock reading ahead of present time. Bingo. No machines, no smart cards. Honor bound, anyone?

  19. “it’d have something to do with how much their product inconveniences me. If the company made parking meters”

    Uhh, because having absolutely no parking available (which is what would happen if it was free) is so much better than having to pay for parking?

  20. Great, now with smart cards the city can have a record of where I parked, when, and for how long. And can sell this data to marketers, employers, insurance companies, paparazzi, stalkers…

    I have serious problems with a product that compromises my privacy, and for some people, even their safety.
