I am Joe Grand, and we are talking about smart parking meters. Just to give you a little bit of background: I'm an electrical engineer, a hardware hacker; I live and breathe electronics. I love this stuff, and the reason I got into looking at parking meters is there's a lot of them in San Francisco, where I live, and I use them all the time, and I said, hey, these things are electronic, they look fun, let's maybe do something security related. I don't know. I guess that's about it for me. I designed the DEF CON badge this year. I'm interested in photography and BDSM. Chris isn't here today. He was here with us at Black Hat, but for various reasons he's gone. But he's an amazing hardware hacker. He's like one of the best. You want to decap it or dump something from it, you talk to him. Chris talked last year about silicon die analysis, and he's one of the best smart card hackers in the world, for sure. We'll make up stuff on his slides. We'll hand wave.
Why parking meters? I mentioned why I was into it, but why in general? Parking meters are just everywhere. They're in every city in the world. These things on sticks every few feet away, and we just totally take them for granted. We go, we park our car, put some money in, walk away. We don't think about it at all, but it's one system that we thought needed a little kick in the ass, because a lot of these meters now are electronic. They're essentially individual computer systems that can now be analyzed. Think globally, hack locally. Yes. Clearly I'm the son of a hippie. And there's also big money. So anywhere there's money there's going to be fraud, there's going to be people taking advantage of the system. So the parking industry is a $28 billion industry annually, I think just in the U.S. alone. And there's a bunch of stuff that can go on. So not only the financial fraud of getting free parking, but there's social issues and legal issues, and we're going to get into all of that.
So generally, the thing we wanted to do was understand the current state of the unfair collection systems, or fare collection systems, and we wanted to be able to demonstrate some attacks. We wanted to be able to come here and show that something had been done. It's not just enough to say how some things work. We also wanted to show you how they don't work, or how they work when you probably don't want them to work that way. Anyway, we also wanted to show the whole process from start to finish, because for me this was my first real hardware hacking project, where we took some foreign things and we basically understood them as best as we could, and then using that we were able to go all the way to a full break. So this should hopefully take you from start to finish if you've never done it before, which I think is important, to bring people to the next level. Joe really thinks that, so he brought us together to work on this. So it's pretty epic to be able to work with him and Chris. And of course we took on the SFMTA, but it's also important to say that this is not really specific to San Francisco, other than our particular case study. The meters that we examined all had pretty much the same problems, and we just happened to live in San Francisco, so it was just kind of a no-brainer to kill that one.
Yeah, so going through the process is the most important part that you should take out of this, because you can apply this to other parking meter systems in your area, or you can apply it to other products. Anything you're looking at sort of goes through this general process of analysis and gathering information and stuff like that, so you'll see it. And then we'll hit the case study towards the end. We're going to talk about more general parking meter stuff and general process stuff, and then go into the specifics of San Francisco. Yeah, so there's some different things that are kind of interesting about the parking meters in San Francisco and, of course, generally everywhere.
You've got these single-space meters that are everywhere, lining the streets, and some cities like Oakland have cut them down and put in multi-space meters, which have really confused a lot of people. But the idea with the single-space is you put in some change, or you use a smart card or some cell phone token, and with the multi-space you usually get a printed paper token; in some cities you tape it to your window, and in other ones you put it on your dash. And the meters generally are sold with this idea that they'll stop people from lifting money, like the meter maids from lifting money, and so they have audit logs, so they should know about how much the meters are used and also about how much money should be in the meters. And maybe they also have role separation, so the audit logs are pulled by someone other than the person that collects the money, and then of course they have different ways to repair the meter, so the person that repairs the meter might not pull the audit logs; they also might not pull the change. And this is, I think, generally a pretty important thing to do in a security system, but it's kind of ironic, because the things that we found problems with would be probably even worse if the threat model was that an insider was attacking the system. So a lot of these systems were sold with the idea that you basically would want to have this so you could stop your employees from skimming money. I think it was San Francisco, actually, someone was arrested with seven thousand coins in 2007 or 1997 or something; it was a news article we found online. Oh yeah, actually, no, that was a different thing. I think they landed on the moon, right? Yeah, yeah, I'm not sure. Anyway, so the idea that the insider is the threat means that they probably designed this wrong, because we're not insiders either, but I mean, it seems like there's some pretty bad design flaws.
So the way parking meter technology sort of started was obviously mechanical-based. In the
early '90s these hybrid meters started coming up, so it was mechanical-based, where you put your money in and you turn the knob in some way to feed the money through, but then there was an electronic system, very minimal, to keep track of the timing, possibly for sending out some startup messages or some administrative messages. But now, as I mentioned, everything is just a pure electronic system, going from the coin detection, which is some inductive method using coils and some electronics and processing to figure out the coin type, to a microprocessor with memory. And now we treat these systems as actual embedded systems, and we would go about analyzing them and breaking them the same way we would any other type of hardware product. So we've gone from mechanical to essentially solid state.
So here you can see some reconnaissance, just kind of accidental reconnaissance. Yeah, I just happened to walk up right to her. Yeah, so basically it looks like this person has a small electronic device stuck into the key slot, and if you look at the crash cart that you have there, that's kind of crazy; your meter system has a crash cart. But it looks like she has a small handheld device which, if you read some of the documentation for this particular meter, you'll find out that they have a super secure Windows CE device that you can plug into the serial bus that's in the coin slot, or in the key lock, but it doesn't look like the lock is open. So it's as if they made the actual lock into a serial port, which seems kind of crazy, right? So this was in San Francisco, and we think that this person was going around and grabbing audit logs or updating the meter in some way. So she wasn't there to pull the money out; so even though the serial interface for this PDA was through the coin lock, she couldn't get access to it. So that's the exact point of the role separation. Most parking meters have some sort of user
interface: you can pay it, whether it's coin, smart card, credit card; some now accept text messages in some form. And then there's administrator interfaces. Some of them are the same, so the coin slot or the smart card interface could be used, depending on the system, for administrator access through some piece of hardware; usually it's some serial interface. The coin slot, because it has coils, you could do some really short-range wireless. Then you have infrared capabilities and other wireless capabilities, and then other stuff that might be completely meter-specific, like the serial via the key, the coin lock. So a lot of interfaces out there, and the more interfaces that are out there per meter, we can target each of those. It's like every single interface is an attack vector. The attack surface for some of these meters is just ridiculous. Like, I don't know how the designers of these systems thought they could get away with putting something like this in front of every single person all the time, especially something that often makes people mad. So yeah, it seems like a lot of the design work that had gone on for security is just for vandalism, and the designers didn't think about this next generation of attacks. Basically, if you read some of the documentation, they say stuff like the smart card slot is modular so that it can serve as the sacrificial part. So they're like, ah, ah, [someone's] going to attack our meter, ah, guys, tin foil, ah, guys shorted out the smart card reader, well, we can totally protect against [that], no problem.
All right, so we took a few pictures of some parking meters just from various cities. This one has a smart card interface, from Austin. This is a Chicago multi-space meter, which we'll mention in a few slides when we talk about some previous work and problems. For those of you that know me, you know that I love Canada, and this meter is great. It's also by the same company that designed the San Francisco meters,
J.J. MacKay. And this one's interesting. I didn't actually use it; I didn't have a car when I was in Vancouver. And apparently you call this number, or you text message this number, and you basically don't actually change the value on the meter, but the meter may have a log that shows which ones have paid that way, and then even though it's expired they won't give you a ticket, because they know the time at which it's supposed to be up. Which is kind of an interesting system here: you have a completely separate system that overrides the mechanical meter, so you could in theory give everyone free parking or something like that by attacking this other system. So it's like, who designed the systems? Did they know they would work together? That's a really interesting idea, and if they haven't done some due diligence with that, it could be very, very bad. That one also seems sort of labor-intensive, because normally a meter maid will drive by the meters and they'll look at the back sides to see if time's expired, but in this case, if somebody is paying online and the meter actually does stay at zero, they're going to have to stop at each one and check to see if the person had paid via phone instead. Yeah, it's pretty rough. Here's a parking meter from Jerusalem that was near the Old City, and there's a few different major brands of parking meter manufacturer, and we'll talk about those, but this was, I believe, POM.
So some of the prior problems: we're not the first to look at parking meters, and hopefully we're not going to be the last, but there's been people messing with these things as long as they've been around. New York City in 2001, when some of the early electronic parking meters came out, they had infrared capability for their administrator interface, and somebody figured out that they could take a universal remote control and hit one of the buttons to reset the value of
money on the meter, which is one of the exact social attacks that we had kind of come up with. So, is Hikari here in the audience? Are you here, David? No? Okay, but he wrote a pretty awesome paper in the Uninformed journal, which, if you don't read... does anybody here read Uninformed? Raise your hand. Wow, okay, you should all read Uninformed. It's the most hardcore technical journal, basically, since Phrack. So if you're not reading it, you're probably uninformed, so you should read Uninformed and be informed. But this is a great text file by Hikari, and it talks about attacking the San Diego stored value card, which is a good one. Yeah, it's an interesting, completely different smart card implementation, but it's almost a different type of smart card, so it's worth seeing, so you can kind of get a view of how various smart cards are used.
And then Chicago recently deployed a bunch of multi-space parking meters all over the city in June. How many people here are from Chicago? Have you seen these parking meters? Yes? Do you love them? Yeah, nobody in Chicago. Think globally, right? So I mean, Chicago has been notorious for disliking the parking situation there. Meters are always being vandalized, are always being damaged, and I don't know, for some reason when some of these parking meters came out, these multi-space meters, some of them failed and they weren't working, and the media said, oh no, hackers have taken over our parking meters, and they got in touch with me, and Jake politely declined to talk to them. I just deleted theirs, you know. But I called them back and had to give them my view, which was, sorry, it's not hackers, it's probably a firmware problem, because the multi-space meters that failed, and I don't exactly know how they failed, I think they just didn't work, were all situated in one neighborhood of Chicago that had a different rate than the rest of the city, and it was a really expensive rate, and I don't think they tested that
rate. So there might have been some firmware problem or some overflow or something. So it was in the news, it was all over the place, and then it quietly disappeared. So I don't know if anybody from Chicago knows the real result of that. No? Are you suggesting that greed might have caused a firmware bug? Possibly. Whoops. Yeah, they're like, let's jack up the rate as much as we can. That's pretty bad if you hit an overflow condition from raising your prices, right? And Chicago, too, also has some sort of wireless communication back up to the cell phone network and then back to some mothership, so they were connected, and that opens up a whole new range of attacks. Who here thinks that just because you're using a cell phone the physical layer is secure? I mean, how many people have you seen around here just using cell modems? It seems like if there's some sort of cell modem back into these things, you should all start hacking on CDMA and GSM stuff. I mean, it's not hard, right? I'm sure someone is, right? Well, definitely using a new radio.
So this is just the general process of how we approach the problem, and how we approach sort of any hardware problem. Kind of think about some attacks; we postulate some various attacks about what we could do, from the most lofty goals to kind of the most maybe obvious or low-hanging fruit. Then we gather information. We will analyze hardware, we analyze firmware if necessary, and then we look at any external interfaces, and in our case there's a smart card interface, so we looked at that. So, no pun intended while saying this with a member of the L0pht on stage, but the loftiest one we thought was the covert channels. Like, imagine someone knows the serial number for their smart card, or you know how to pay via cell phone; you could potentially set up the LCD so that it sends a message like, oh hello Joe, the crow flies at midnight, modifying the firmware, right. And I think it was Jeff Moss who suggested, well, if you have these RF
interfaces and the meters were exploitable, why don't you just make some malware that spreads between meters? I mean, if they're a mesh, then mesh it. Yeah. And then denial of service, or sort of these destructive attacks, which, depending on the attacker's goals, might still be valid. So setting a meter to out of order, just preventing people from parking there, because in a lot of cities if the meter is out of order you're not allowed to park there, or you're only allowed to park there for an hour, after which you'll get a ticket. Then that could also be useful if you're like, well, I've got to leave, I'll set the meter to out of order and I'll come back, right. Yeah, and then of course destroying any sort of user interface, smart card interface, or coin processing circuitry with a little ESD pulse, using a little discharge tool. Some of the meters are designed to be electrically isolated, but I think that if you have a taser or stun gun you could find out how well they did that. Not suggesting that I tested this, but if you just look at some of the boards that you can buy, or the meters on eBay, you see that they very clearly take the route of, oh well, the smart card interface is the one that's going to get attacked, but they forget about maybe the external serial bus or something. Yeah, and then possibly, if you know how the system operates, causing a legitimate user to be added to some fraud list, if there is a fraud list implemented in the city, say based on serial number. So if I know the serial number of the prepaid card that Jake's using, maybe I would clone his card and use it all over the city all the time and generate some flag somewhere to prevent him from legitimately using his card. So it's also possible that you could do some sort of immediate deduction of credit, so someone walks up and they put in three hours and then they leave. We mentioned this at Black Hat when we were talking about this, and some
guy from Montreal's like, oh yes, we love to do that in Montreal, we hate those fucking parking meters. And so apparently the deal is that you park the car, you put in the change, and you are not allowed to refill it, so if you put in more change... the incentive system, yes, as that fine gentleman there says, it resets to zero. So apparently there's like a social fad about going and dropping in coins across the whole block in order to raise doubts about the meter system, and basically anyone can contest a ticket because it's so easy to break that system. So in a way, I mean, that's great. They showed that the machine was not perfect, which is important, and this is exactly what people in New York were doing with the infrared remote controls as well. So one of the favorite things would be, hey, there's some guy that you don't like, he just parked his car, go remove all his credit, call a tow truck, call the parking officials, give him a ticket. Yeah, there's also of course the possibility that you could change the audit log, right? So it doesn't look like any of the meters are actually using any sort of computational infeasibility, right? So it's not like there's a cryptographic problem you have to solve; it's generally just, do you know something, like do you know how it works? So that sounds a lot like security through obscurity to me, which means that it's, what is that, secure? Probably not. And of course, if you wanted to... well, you're better at this part of the slide, and I'll know about that, but changing the time and date could always be fun, right? Everybody gets free parking on Sunday, so what could you do? Change the date, and it's like every day is Sunday, Sunday, Sunday. They're already parking in the city, they're already here, we don't have to get their money. I don't understand why you're saying that. For those of you that ever watched The Simpsons growing up, thank you, they got
the reference. Is that the monorail episode? I don't even know. So I think it's the one where what's-his-face goes and works at the racetrack and they're... anyway. So the least lofty goal just so happens to be the one that probably everybody wants, which is unlimited payment via smart card, and that one is kind of incredible, because you look at a smart card and you're like, oh, that's got to be secure. It's smart, it's a smart card, right? So that's got to be secure, because I mean, it even has smart in the name, and it's really tiny, yeah, and so it must be high-tech. So that's actually what we're looking at for the case study in San Francisco: the unlimited payment via smart card. Not-so-smart card, yeah.
So here's the process, just on information gathering. Of course you do stuff like Google and browse the internet, but, and I'll talk about it a little bit in the San Francisco case study, social engineering can get you really far. I mean, if you ask technically incorrect but really specific questions, that are maybe really eager, to someone who cares about their job, they'll tell you the most amazing information about their system. And generally speaking, if they only tell you a little piece and someone else tells you another piece, you now have enough to put something together that is really useful. And combining that with, say, press releases, where everyone's always tooting their own horn about all the details of their system and how good it is, you can start to realize where they're lying before you even look at their systems, which is great. Like, for example: it's secure. Probably not. Yeah, and part of the hardware hacking process, or any sort of analysis process, is just gathering clues. So you do your social engineering and you might get one bit of information, you find something on Google, you find something in the trash; all these things, you might not
know how they all fit together until you start your work, and then you're like, oh, I can use that piece. So another thing is we said globalism. What does globalism have to do with parking meters in a city? Well, I mean, if you roll your own stuff, you can control your own stuff, right? You can make sure no one ever sells it on eBay. But if there's a meter company, and they build a piece of hardware and they sell it to another city, and they test it in that city, and then that city buys a new implementation because they didn't like it, they're going to possibly sell that meter infrastructure online, and now you can buy that and legitimately own something that's very similar to the meter that's in your city. And then you can attack that, and you don't need to take a meter or do something illegal; you do it totally legally, which is exactly what we did for our case study.
Yeah, eBay. Yeah, eBay is a magical place, and when we started looking at hardware, in general we just wanted to get an idea about parking meters, because it's not often that you can walk up to one on the street and take it away. So we wanted to buy some, and we did some searches on parking meters on eBay over a span of like two months, and we bought every type that we could, and there were three that were available: the Duncan EMM 7700 is the oldest one, the POM APM, and then the MacKay Guardian, which is the early revision of the MacKay Guardian XLE, which is used in San Francisco. So we were hoping that we could get some clues about the system, and being a designer, I know this for a fact, that revisions of products typically are based on previous revisions of the design, so we can learn a lot about current systems by looking at older systems and getting an idea about how, even from a system level, the design is, and maybe even from an electrical level, about what microprocessor's being used, what memory do they like using, what's the interfaces,
what things can we look at. So it gives us clues, and there's also actually details and similarities between competing products, which is sort of interesting. Like most of these are low power, for example, and some of the things are kind of elegant, and then you think, for some of the problems that they want to solve, they might do something kind of, I don't know, a little... it's almost like a Rube Goldberg machine in some of these meters. Like this Duncan meter is kind of cool in that it actually is sort of a hybrid mechanical-electronic meter, where, as you can see on this slide here, there's some little screws in there. Those are actually buttons, and you put a coin in and then it weighs just a precise area out of the turning implement and turns like so, and when it turns it scrapes across the heads of the screws and pushes an electronic button underneath. So there's sort of this sequence: if you put a quarter in it might hit, say... here's a picture of the circuitry... it might hit one of the buttons, like button number one, button number three, and then button number four, but if it's a dime it might hit button number two, button number three, and button number four. So there's a sequence to program the time corresponding to that value onto the screen. So this is the circuitry. This is the oldest one, as I mentioned, from 1991. There's a bunch of the buttons that are used for the coin stuff, but there's also some administrator reset buttons, which are cool. There's infrared, so people have been using infrared for a really long time, and it's still in use, and from what I know all of that stuff is just being sent, if not in the clear, with just some very poor encoding. Anybody see the microprocessor on this board? Anyone know where it is? It has to be there somewhere, right? There's something. Anyone take a shot at it? Win my shirt. Win my shirt? Wow, that's pretty generous. Do you have another one to wear afterwards? No, I don't. Yeah, so the
microprocessor is actually hidden under the LCD, which might not be an intentional thing from a security point of view; it might just be because a lot of the pinouts go to drive the LCD, which is right there. But it is under the LCD, which means if you want to get access to it, and this has an internal ROM, then you need to tear the meter apart.
The POM APM: this is a meter from Israel. It takes shekels, but it's made by POM in the US, so there is this cross-pollination of various countries sharing their devices, which could be ripe for international espionage, I guess. Yeah, I don't know. I mean, it seems like if you have someone designing the whole system in another country, there's a different set of economic and legal implications for the person that breaks that system. They maybe never need to set foot in that country, and they could sell cards or something and mail them abroad and make money from it, like, oh, broke the system. So an insider understanding how this works, if it isn't something that's actually secured by some infeasibility problem, that's just like a disaster waiting to happen, I think. Yeah, and some of you guys might be thinking, oh well, there's no way someone's ever going to get access to a parking meter, there's big locks on the meters. That's just physical protection, and if you're at DEF CON you might realize that physical protection and locks don't really stop everybody. Maybe Barry's here and he could tell us how good locks are. Mechanical, I mean, there's no real mechanical lock that is unbreakable, right? So you might need to be Barry to break some of them, but essentially if you are relying on physical security to ensure you don't have what amounts to a class break for your entire city, you're probably doing it wrong, right? Key diversity is something that could be really useful to you here, probably both in the actual physical keying of the metering infrastructure but also in software. So there's a few more; I'm
just going to breeze through these. There's some debug ports that I thought were interesting on the POM. The POM's also modular, so you can replace the various parts if they break. Easy access to the ROM. Here's another view. Easy access to the microprocessor as well. There's a reset button.
MacKay Guardian: so this is one that was decommissioned from Tallahassee, Florida, that we bought on eBay. Oh, I should mention the prices. The price range was from 99 cents for a meter on eBay to $500, so well within the budget of most curious people. Here's the MacKay again. Easy access to the microprocessor; in this case it's a CLT 8402 3 1 G, which is a custom ASIC with a Z80 core. So if you were to pull off the ROM, which is an Atmel EPROM, you could decompile that or disassemble it, toss it into IDA Pro, and start looking around. Yeah, another interesting thing about the Guardian is there's this cool RJ45 connector on the lower right, and reading through some of the data sheets available on their website, it had made mention of some test connector, some interface. So we're like, oh, okay, maybe, you know, it says something about having a serial port and having some I2C, which is an inter-chip communication port. So we said, oh, maybe we should look at that. We have the meter, it's open, it works, we might as well look at it. So we hooked it up to my little lab setup, with my digital oscilloscope and some level shifter circuitry, and we were probing all the different pins trying to figure out what's what, because if there's an inter-chip communication, maybe that's something useful to drive the display, but more importantly I wanted to see the serial interface, if that was the debug port for sucking audit log information. And they had infrared on this particular version, and what we figured out is that on reset, on power-up, the infrared port would spew out a bunch of stuff that also correlated to some data we were seeing over the wire, so sort of infrared and serial information being sent out, and we
tried to probe that for a while, and we were just kind of playing around. We didn't exactly figure out how it worked, but given time we definitely would have. Yeah, it was only mildly interesting, but just looking at the way that it was designed, we realized that if this was sort of like the parent of the San Francisco meters, then that does not bode well for San Francisco's purchasing decision, right?
And then firmware analysis, which we did not do in our case, but just in general, if you do end up getting access to memory devices or to microprocessors, the first thing you do is suck all of the data out of them, suck all the program code out of them, and then reverse engineer them, decompile them, do whatever you need to do, right? So I mean, if you know the company that's building the system, and you understand what compiler they're using, for example, and you toss it into IDA Pro, you can help guide IDA Pro, for example. That would be pretty useful. If you want to use objdump and grep, I guess you could also do it that way. So it would be really useful, because maybe there's some particular portion of a problem you want to solve, but you can't figure out the generalized algorithm, or you can't figure out exactly what they're doing. Maybe they have some sort of shift feedback register thing going on; it would be useful to see the structure of the firmware so that you could better understand what's actually happening without just doing an intercept. Yeah, and you can also target specific areas if you don't want to reverse engineer the whole thing, because you just want to get clues, or maybe figure out an access point to get to an administrator menu. But what I like to do, since I'm not the greatest reverse engineer for binaries and for firmware and stuff, for source code, I usually run stuff through strings first to see if there's any information, any cool constants and text that are there, and usually there are, because
engineers like to leave stuff in that's going to help them, debug messages, stuff like that, and usually those are left in production products. And then smart card analysis. Again, as I mentioned, in this case, if you have an external interface that is a smart card, you would do this; if you have an external interface for other things, you would analyze those. This is the process that we went through: monitor communications, you might want to try to decode the protocols, emulate the protocols. So one thing that's really good about this is that looking at press releases can be really helpful for this, especially when they're from the company. They'll say something like, it's secure and we use this standard. So then you go and read that standard and you think to yourself, this isn't secure at all, right? And that's really useful, especially when you start to do the decoding and you want to do the emulation, because you can implement part of the standard, and then when you've done that, you of course know that that is not true, that it is secure. So the coffee is almost working. Almost. A few more minutes.
All right, so now we're going to jump into the case study of the San Francisco MTA. And the city of San Francisco, for a long time, has sort of been grasping at straws about what parking infrastructure should we use: should we use electronic meters, single-space meters, should we use multi-space meters, which are made by a company called Rhino. The smart card that you see in the single-space meter also works in the Rhino, so there is some modularity there. And this system was essentially a pilot program in 2003, and it cost 30, 35 million dollars, which we'll get to, but we should make a disclaimer first. Yeah, about this. Yeah, well, yeah, go ahead. So first of all, contrary to Wired totally fucking us with the title of their story, saying free parking for all, which we expressly told them not to say, because we didn't want to end up like the MBTA kids, we are not trying to get people to defraud
the San Francisco parking meters. The point here is more to undermine its authority. I think that's much more important, and we should all do our job to undermine authority wherever we can, especially when it isn't, you know, necessarily duly received. I mean, San Francisco essentially wants to create revenue here. I think it's good to put doubt in the perfection of the machine. I think that when people get parking tickets you should be able to contest them. I think that there isn't... I was... oh God, I can't do it, but I'm gonna quote Jean-Luc Picard. Oh, this is gonna be good. "There can be no justice when rules are absolute." Okay, it's true, machines are not perfect. And there was a 19th century anarchist who said something along the lines of, "It is not that I fear that machines will begin to think like men, no no, it is that I fear that men will begin to think like machines," and we have to fight against that, I think. So hopefully this is like, you know, chipping away at that. And we're the one anarchist in the audience, represent. And we are both San Francisco residents, and we pay a lot of tax to the city. Yes, here. And it's just that it's okay for a city to try to figure out what parking system they want, and that's fine. Here's two other parking meters that are available in the city. This one's a credit card based machine that says the smart cards don't work on them. It's just our tax dollars are at work, and a lot of money is being spent on systems that aren't being analyzed, or if they're being analyzed the problems are just being ignored by some tech somewhere in San Francisco. Actually, is there anyone from the city of San Francisco here? Not that... where you work for the city of San Francisco? I'm sure that there are people here. Do you work for the city? Do you work for the DPT? Now, anybody from the DPT here? You are? Yeah. So somebody here from the Bay Area, cool. Yeah, so as Jake mentioned, the meter that we're looking at, the MacKay
Guardian XLE, there's 23,000 of them in the city that replaced mechanical meters in 2002 as a pilot program, a thirty-five million dollar pilot program. And to me a pilot is like a test, right? It's like an evaluation. It's 2009 and they're still evaluating a system, and for thirty-five million dollars, to do an attack like we did, which is very, very, very easy as you'll see, it shouldn't be possible, and it blows my mind how much money they spent on this. So I'm a little conflicted about... I mean, so in general I think that this kind of disclosure is good so we can influence social policy. We hope that we can get some of these things to change. San Francisco wants to install 320,000 of these meters in all of the residential areas of all of the city. They think that it will improve, for example, the environment because people won't have to double park, which sounds like Newspeak to me. But I think before they go and spend 320,000 dollars worth of parking meters worth of money, I think that maybe we should, like, question that that's a good idea in the first place. If they want revenue they should be upfront about it. They should say this is the true cost of having a car in the city, instead of actually inconveniencing everyone, because what will happen is they'll become reliant on the smart card infrastructure, which is thoroughly broken. And I mean, what are you going to do when you're at home, you're going to go get a roll of quarters? I mean, that doesn't scale for an entire city, right? So there are definitely some social problems.

San Francisco uses the MacKay Guardian XLE meter, so if you've got, like, a web browser in front of you and you're on the internet here, you can look that up right now. Yeah, there's plenty of information out there about meters, because manufacturers want designers and implementers to use their stuff, so they make a lot of information available. So the way the system works is the smart card interface: the city uses a stored-value smart card. They come in $20 and $50
quantities. You buy them in cash at certain places around the city or you use a credit card online. Once you deduct credit... you put the card into the meter, the meter displays the value remaining on the card, and then after a few seconds it starts deducting units like you're putting quarters into the meter. Once the value's depleted on the card, it's not reloadable, it's a one-time thing, you throw it away. And the research, as you'll see starting right now, is: it's easy to replay the smart card transaction. So even without knowing anything about how it works you could replay the entire smart card transaction to the parking meter and emulate a card, but then you can also modify certain data to do cooler things. And we did this solely by looking at captures of an oscilloscope screen, a digital oscilloscope screen, and then analyzing data on a piece of paper over the course of three days. Basically a scope, pencil and paper are all you needed to break the San Francisco smart card implementation.

Yeah, and it was interesting because I'd never worked with smart cards before. I kind of dabbled with them but not really looked at them in detail, so it was a fun exercise to do that, and sort of we came out of it saying, wow, that was kind of easy, and it shouldn't be that easy. I worked a little bit with Moxie, you probably saw his SSL talk, on some smart card stuff, and so I was a little familiar with smart cards, but just in general, like, I hadn't gone in this deep. And what actually prompted me to be interested in this is I saw this guy from the DPT who had opened up one of the Rhino multi-space meters, and inside of it was like a circuit board. I didn't describe this at Black Hat, but basically it's a small embedded computer and it has like an SD card in it which looks like it has several hundred megabytes of space. And I just asked him questions like, wow, you know, I've always wanted to work with computers, what's that like? And the guy was like, well, you know, it's a great job,
you know, the city is really great and, you know, they treat you well. We talked for a while. I asked him questions like, so can I, like, pay with my cell phone? I just got one of those wireless telephones so that I can talk to my girlfriend. And he's like, no, no, can't pay that way, no, these are all disconnected. So, like, just in the course of like a five minute conversation where I'm holding my backpack over my 2600 shirt, you know, the guy like explained to me everything I needed to know: it's an offline stored payment system, and it's not hooked up to the internet, they don't do any verification, they probably don't do any fraud detection, if they do they probably do it badly in a way where you can frame someone, they don't have any actual cryptographic solutions that you'd need to solve it, probably replay it, etc. And the guy didn't realize he was telling me that, but he was also giving me a job offer at the same time, which is hilarious because they're trying to protect against insider attacks.

So I'm just gonna jump back for one second. We mentioned this already, you know, the goals of this work weren't to slam San Francisco and get free parking. We really want to share the process with everybody. We have released code, but the code is essentially a template for how our smart card emulator worked. I removed all of the bytes of data that you could use to get free parking in San Francisco, so anybody who's in the media who's writing about this, the code is essentially useless unless you're curious about how smart card emulators work. I changed all the bytes to FF. It's, you know, purely for educational purposes, and that's why we're here, right? So some other things with information gathering: the internet was sort of useful, sometimes a useful tool. Yeah, I really recommend the airplane method of reconnaissance, which is that you set up, you get it to run, and then you get on an airplane, and then you just come back and read it later. That's all that matters. If you do
that you'll be good, you'll be totally good, surprisingly. Yeah, the one kind of fun thing here is, you know, you would obviously search for product specs and press releases, but you might also want to think about discussion forums. Maybe the company is having technical troubles with a certain portion of their design. Do you think they have technical troubles, Joe? I'm just not... I think they do, yeah, or at least they did. And this was a post that we found on a Cygwin mailing list about some technical problems that one of the software designers was having with his implementation of CVS. You should definitely read that. It's a little small, maybe. Okay, yeah, it's a little small. So it says, it's 2001, it says, "I'm learning how to use CVS and as part of this process I set up a test repository" (I almost said suppository) "to play with." It's great. So it's 2001 and he's learning CVS. Ouch. So, but there's some interesting clues here. You maybe can't really see the paths, but there's some stuff in there: JJ MacKay, so it's obviously a MacKay designer. Met Talk is an interface that's used and described in some of their documentation about some communications interface. There's the Gemplus lib path, so now we know they're using some Gemplus based smart card. And we realized they're using GDB and GCC, so that gives us clues maybe, before, if we need to reverse engineer firmware or try to disassemble stuff.

So here's Chris Tarnovsky's few slides. Hi, my name is Chris Tarnovsky, I reverse engineer silicon dies. What we did is... I'm the other Chris. So, no, what we did... we have to go really fast now. Yeah, we have to go really, really fast. I bought 20, or 10, stored value $20 smart cards and went to send them to Chris to do some diagnosis on. And when I went into the store, I go to the same place all the time when I go and buy my parking cards, so when I had to buy 10 I was like, I don't know, a little bit
paranoid, decided to go somewhere else. And I walk in with my $200 in cash and I go up to the guy, I'm like, yeah, I want to buy 10 smart cards. And he looks at me, is like, why do you need 10? I said I'm a sales guy, I use the car a lot, I drive around a lot. He's like, oh yeah, okay, and then he gives me the smart cards. And of course one of the things to note is sequential serial numbers on the back of the card. Yeah, they were all sequential serial numbers, which is useful for analysis. But I felt pretty good about myself for that quick little, like, social engineering thing. You're a regular Kevin. Because, as you probably noticed, I smile a lot, so I don't know if he was like... I don't know, he believed me though, it's kind of cool. I'm no Kevin Mitnick, but... So Chris, Chris is totally badass at hardware hacking and he, you know, just, you know, decapped all the chips and then imaged them for us, basically. Oh yeah, I just realized we have like 10 minutes, so okay. So he decapped the cards with this process that he would discuss if he was here. It turns out that there's two different types of smart cards that are indistinguishable to the end user, but one of them is the basic Gemplus GemClub-Memo card, so it's a fixed ASIC ROM that can't be changed, and then future versions of the card were, or are, an 8051 microcontroller emulating the GemClub-Memo stuff, which was cool because now those cards could be reprogrammed. We didn't do that, but they're more general purpose, so they could be changed and not have to create an entirely new die. So general purpose, of course, is nice because that means it has some firmware and you could potentially dump the firmware. So in theory, even if they outlawed the rest of the smart card industry, their own system itself can probably be used against itself. And these are the dies, so on the left is the ASIC, on the right is the general purpose one. Yeah. So I'm going to skip some of this. The card is based on the ISO 7816 standard, which means a lot of
the electrical interfaces are known. There's two different types of transmission protocols for 7816, one is asynchronous, one is synchronous. The card we're looking at is asynchronous, there's no external clock needed, so the data transfer is on one line and we can capture that, and we did. And the way we did it is we used a smart card shim, so we had a circuit board that we purchased from one of the many kind of satellite TV smart card hacking sites that are out there, that we plug the smart card in on one side, have a bunch of test points that we could connect to our oscilloscope, and then there is a smart card pad on the other side of the shim that plugs into the meter. So now we can monitor the communications while the communications are actually happening. And there's a kind of funny story here. So you'll note that that's a shim, that's an SFMTA card. If you're ever going to break a law or do anything kind of weird, or even something kind of sketchy, in San Francisco there's one excuse that you can always use, they'll get you away with everything, which is, this is for your art project. Yeah, so, you know, so this is our art project. You can walk up to a parking meter and you can do anything in San Francisco pretty much anyway, but you can walk up to a parking meter with whatever tools you need and no one's going to care at all. So, you know, it's a parking meter. Also, so you can park in front of your target and run a wire, like with your, say, AC inverter from your car to your oscilloscope, and then just go on up with your art project and you're just making art. And I can document the whole process with my camera because it's art, right? Which I did... I did not do. I don't have pictures for anybody who's considering raiding us. Anyway, so here... please don't raid us. Yeah, we don't have anything interesting, we're telling you everything. Yeah, except the actual details, which we're going to tell the city. So this is a screenshot of the
digital oscilloscope. The first thing we did is just see if we could monitor communications, and we know that smart cards always respond after reset with an ATR, a four byte ATR, so that's how we could figure out... we could just guess on the baud rate and on the various configuration settings until we got clean serial data that was decoded by the oscilloscope. We got to roll. Yeah, I know, we got to get to the money shot. So once we could monitor the communications, what we did is we captured a bunch of different transactions. We had a lot of different cards with different values to capture a bunch of data, and then we brought all that data back to my house and sat there offline and just analyzed all the different data, figured out what changed based on different values, figured out the initialization and how everything worked. And it was all done by hand, no computer needed. So here's the deal, watch this setup. What's wrong with this right here? Right, you spot the protocol bug where it might be a bad thing? Password, okay, maybe, and then what? What's that? You read the balance. Yeah, well, here, right, we'll go quick here. So there's some initialization stuff that always happens when you put the card in. It sends some stuff: serial number, which could be useful, some unknown value sent by the card to the meter that the meter then processes in some way and sends back and says, here's the password to you, smart card, and the smart card says, yes, that's my password, you can work with me now. And does that sound like a good idea? It kind of sounds like a good idea to me if I'm not building these. We capture one set and we have it, we're fine. But the way that the meter figures out the balance is it reads this value that I call "balance 2" from the smart card, and that's a fixed value based on the value of the card, so a twenty dollar card is F0AF and F127 for a fifty dollar card. When you deduct a single unit, what happens is
there's just this transaction that happens. It doesn't affect the actual balance 2, which stays the same, it just does sort of a null transaction which increments this thing called a transaction counter. And the transaction counter is the only thing that changes on the smart card during the entire process, and that's what's used to count how many units have been deducted, it's how many units have been used. So that value of the maximum balance 2 minus 95 decimal is the maximum card value, and then you would subtract the transaction counter to figure out how much money you have left. Survey: who thinks this is a good idea? Not just the okay part, but the stored value, where... what would happen if you were to change those values, though? Yeah, let's try to change the balance to say it has more money than it does. So once we captured all the data, the first thing we did was, okay, let's just do a standard replay attack. You know, we'll use a legitimate card that we bought, let's use that. So we did that. I built up some circuitry with a Microchip PIC, and we'll show you some pictures of the progress in a few slides, but I used a Microchip PIC, wrote the stuff in C. There's a little bit of code on there, but you go to the website and get the rest of it. So once we knew the replay attack worked, we said, okay, let's change the values, let's change the balance, let's see what happens. Could it really have 4,000 units? Sure, why not. Not that they sell a 4,000 unit card, yeah, but let's try, yeah, sure. And then we also modified the code so the transaction counter would never increment, so your value would always stay at the maximum. So this is automatically refilling itself every time you take it out, right? Because it resets, because it resets itself, right. And then unbeknownst to me until when I was close to being done is that satellite TV hackers, who have existed for a long time, decades, or at least over 10 years, like using Microchip PIC devices. So it just happened that the Microchip
PIC device I used existed in a smart card form already, so I could get blank smart cards, program them with my code, and it would work. So the first one, you see the shim, you see the evolution. Okay, first one on the sketch... if you think about like a threshold, a sketch-hold, right? You got a sketch-hold of really sketch, where you have Joe's actual last name logo for the board, and then you go all the way to the right where you just have a normal smart card, looks like everything else. And here's what happens, here's the results. And for those that can't see the meter, the meter has just read the value of the smart card and thinks it has nine hundred ninety-nine dollars and ninety-nine cents. We removed the card before it started deducting value. The city of San Francisco, yes. If you're interested in projects like this and you live in San Francisco, you should come down to the hack lab Noisebridge, noisebridge.net, and we work on some stuff like this. And we do need to mention that we intentionally did not contact the city before this research, first of all because we didn't want to encounter the same problem that the MBTA guys did last year, but also because we intentionally didn't release the information that could cause them harm. But we're reaching out to them now and we're trying to give them all the information. So here's some fixes that you could have... really, good luck with that. It's very hard on standalone systems, it's very hard to do any proper cryptographic communications, but you can look through these. The slides are on the DEF CON CDs, you can browse through them, but it's a very hard problem to solve. Yeah, I mean, just to be, like, real quick because we have basically one minute: these meter companies have basically created an e-cash system, but they didn't do it right. They didn't take into account the privacy implications and they didn't take into account the fraud issues. Dr.
David Chaum actually solved basically all of these problems, like, over a decade ago working on anonymous e-cash, so really they should be thinking about Chaum's work and they should be re-implementing that. So that's it, these are our final thoughts. You can read... you can really ride a bicycle, I guess, to avoid this. Yeah. Also, before you go, we'd really like to emphasize that people should join the EFF. Jennifer Granick really helped us out and gave us advice that made us feel safe about giving this talk, and if you're not a member you should join. Yes, and we're going to be dragged off to some extra room. If you get dragged off... Thanks, guys.