I am Joe Grand, and we are talking about smart parking meters. Just to give you a little bit of background, I'm an electrical engineer, a hardware hacker, I live and breathe electronics, I love this stuff, and the reason I got into looking at parking meters is there's a lot of them in San Francisco where I live, and I use them all the time, and I said, hey, these things are electronic, they look fun, let's maybe do something security related. I don't know, I guess that's about it for me. I designed the Defcon badge this year. I'm interested in photography and BDSM. Chris isn't here today, he was here with us at Black Hat, but for various reasons he's gone, but he's an amazing hardware hacker, he's one of the best, right? You want to decap a chip or dump something from it, you talk to him. Chris talked last year about silicon die analysis, and he's one of the best smart card hackers in the world, for sure. We'll make up stuff on his slides. We'll hand wave. So why parking meters? I mentioned why I was into it, but why in general? Parking meters are these, they're just everywhere, they're in every city, and every city in the world, these things on sticks, every few feet away, and we just totally take them for granted. We go, we park our car, put some money in, walk away, we don't think about it at all. But it's one system that we thought needed a little kick in the ass, because a lot of these meters now are electronic, they're essentially individual computer systems that can now be analyzed. Think globally, hack locally. Yes. Clearly I'm the son of a hippie. And there's also big money, so anywhere there's money, there's going to be fraud, there's going to be people taking advantage of the system. So the parking industry is a $28 billion industry annually, I think just in the U.S. alone.
And there's a bunch of stuff that can go on, so not only like the financial fraud of getting free parking, but there are social issues and legal issues and we're going to get into all of that. So generally the thing we wanted to do was understand the current state of the unfair collection systems, or fare collection systems, and we wanted to be able to demonstrate some attacks, we wanted to be able to come here and show that something had been done, it's not just enough to say how some things work, we also wanted to show you how they don't work, or how they work when you probably don't want them to work that way. Anyway, we also wanted to show the whole process from start to finish, because for me this was my first real hardware hacking project where we took some foreign things and we basically understood them as best as we could and then using that we were able to go all the way to a full break, and so this should hopefully take you from start to finish if you've never done it before, which I think it's important to bring people to the next level, and Joe really thinks that, so he brought us together to work on this, so it's pretty epic to be able to work with him and Chris. And of course we took on the SFMTA, but of course it's also important to say that this is not really specific to San Francisco, other than our particular case study, right? The meters that we examined all had pretty much the same problems, and we just happened to live in San Francisco, so it was just kind of a no-brainer to kill that one. Yeah, so going through the process is the most important part that you should take out of this, because you can apply this to other parking meter systems in your area, or you can apply it to other products. Anything you're looking at sort of goes through this general process of analysis and gathering information and stuff like that, so you'll see it, and then we'll hit the case study towards the end.
We're going to talk about more general parking meter stuff, and general process stuff, and then go into specifics of San Francisco. Yeah, so there's some different things that are kind of interesting about the parking meters in San Francisco, and of course generally everywhere. You've got these single space meters that are everywhere lining the streets, and some cities like Oakland, they've cut them down and put in multi-space meters, which have really confused a lot of people, but the idea with the single spaces you put in some change, or you use a smart card or some cell phone token, and the multi-space you usually get like a printed paper token, and some cities you tape it to your window, and other ones you put it on your dash. And the meters generally are sold with this idea that they'll stop people from lifting money, like the meter maids from lifting money, and so they have audit logs, so they should know about how much the meters are used, and also about how much money should be in the meters. And maybe they also have role separation, so the audit logs are pulled by someone other than the person that collects the money. And then of course they have different ways to repair the meters, so the person that repairs the meter might not pull the audit logs, they also might not pull the change. And I think this is generally a pretty important thing to do in a security system, but it's kind of ironic because the things that we found problems with would be probably even worse if the threat model was that an insider was attacking the system. So a lot of these systems were sold with the idea that you basically would want to have this so you could stop your employees from like skimming money. And I think it was in San Francisco actually, someone was arrested with 7,000 coins. In 2007 or 1997 or something, it was a news article we found online. Oh yeah, actually no, that was a different thing. I think they landed on the moon, right? Yeah, I'm not sure.
Anyway, so the idea though that the insider is the threat means that they probably designed this wrong because we're not insiders either. But I mean, it seems like there's some pretty bad design flaws. So the way parking meter technology sort of started was obviously mechanical based. In the early 90s these hybrid meters started coming up, so it was mechanical based where you put your money in and you turn the knob in some way to feed the money through, but then there was an electronic system, very minimal to keep track of the timing, possibly for sending out some startup messages or some administrative messages. But now, as I mentioned, everything is just a pure electronic system. You know, going from the coin detection, which is some inductive method using coils and some electronics and processing to figure out the coin type, to microprocessor with memory. And now we treat these systems as actual embedded systems and we would go about analyzing them and breaking them the same way we would any other type of hardware product. So, you know, we've gone from mechanical to essentially solid state. So here you can see some reconnaissance, just kind of like accidental reconnaissance. Yeah, I just happened to walk up right to her. Yeah, so basically it looks like this person has like a small electronic device stuck into the key slot and it's, if you look at the crash cart that you have there, that's kind of crazy, your meter system has a crash cart. But it looks like she has a small handheld device, which if you read some of the documentation for this particular meter, you'll find out that they have like a super secure Windows CE device that you can plug into the serial bus that's in the coin slot or in the key lock. But it doesn't look like the lock is open, so it's as if they made the actual lock into a serial port, which seems like kind of crazy. 
Right, so we think that this person, this was in San Francisco, and we think that this person was going around and grabbing audit logs or updating the meter in some way. So she wasn't there to pull the money out. So even though the serial interface for this PDA was through the coin lock, she couldn't get access to it. So that's the exact point of the role separation. Most parking meters have some sort of user interface. You can pay it, whether it's coin, smart card, credit card. Some now accept text messages in some form. And then there's administrator interfaces. Some of them are the same. So the coin slot, the smart card interface could be used for, depending on the system, for administrator access through some piece of hardware. Usually it's some serial interface. The coin slot because it has inductive, it has coils, so you could do some really short range wireless. Then you have infrared capabilities and other wireless capabilities and then other stuff that might be completely meter specific, like the serial via the coin lock. So a lot of interfaces out there, and the more interfaces that are out there per meter, we can target each of those. It's like every single interface is an attack vector. The attack surface for some of these meters is just ridiculous. I don't know how the designers of these systems thought they could get away with putting something like this in front of every single person all the time, especially something that often makes people mad. It seems like a lot of the design work that had gone on for security is just for vandalism. The designers didn't think about this next generation of attacks. Basically, if you read some of the documentation, they say stuff like the smart card slot is modular so that it can service the sacrificial part. So they're like, AUG is going to attack our meter. AUG has tin foil. AUG has shorted out smart card reader. Well, we can totally protect against AUG. No problem. All right.
So we took a few pictures of some parking meters just from various cities. This one has a smart card interface from Austin. This is a Chicago multi-space meter, which we'll mention in a few slides when we talk about some previous work and problems. For those of you that know me, you know that I love Canada. And this meter is great. It's also by the same company that designed the San Francisco meters, JJ McKay. And this one's interesting. I didn't actually use it. I didn't have a car when I was in Vancouver. And apparently you call this number or you text message this number and you basically don't actually change the value on the meter. But the meter may have like a log that shows which ones have paid by that way. And then even though it's expired, they won't give you a ticket because they know the time in which it's supposed to be up. Which is kind of an interesting system here. So you have a completely separate system that overrides the mechanical meter. So you could in theory give everyone free parking or something like that by doing that. Like attacking this other system. So it's like, who designed the systems? Did they know they would work together? It's like, that's a really interesting idea. And if they haven't done some due diligence with that, it could be very, very bad. That one's also, it seems sort of labor intensive because normally a meter maid will drive by the meters and they'll look at the back sides to see if time's expired. But in this case, if somebody is paying online and the meter actually does stay at zero, they're gonna have to stop at each one and check to see if the person had paid via phone instead. Yeah, it's pretty rough. Here's a parking meter from Jerusalem that was near the old city. And it's just, there's a few different major brands of parking meter manufacturer and we'll talk about those. But this was, I believe this was POM.
So some of the prior problems, we're not the first to look at parking meters and hopefully we're not gonna be the last. But there's been people messing with these things as long as they've been around. New York City in 2001, when some of the early electronic parking meters came out, they had infrared capability for their administrator interface. And somebody figured out that they could take a universal remote control and hit some, one of the buttons to reset the value of money on the meter. Which is one of the exact social attacks that we had kind of come up with. Is Hikari here in the audience? Are you here, David? No, okay. It's a pretty awesome paper in the Uninformed journal which if you don't read, does anybody here read Uninformed? Raise your hand. Wow, okay. You should all read Uninformed. It's the most hardcore technical journal that basically sends Phrack. So if you're not reading it, you're probably uninformed. So you should read Uninformed and be informed. But this is a great text file by Hikari and it talks about attacking the San Diego stored value card, which is pretty, it's a good one. Yeah, it's an interesting, it's a completely different smart card implementation. It's almost a different type of smart card. So it's worth seeing so you can kind of get a view of how various smart cards are used. And then Chicago recently deployed a bunch of multi-space parking meters all over the city in June. How many people here are from Chicago? Have you seen these parking meters? Yes. Do you love them? Yeah. Nobody in Chicago seems to like parking. Right, so I mean, Chicago has been notorious for taking the parking situation there. Meters are always being vandalized. They're always being damaged. And I don't know, for some reason, when some of these parking meters came out, these multi-space meters, some of them failed. And they weren't working and the media said, oh no, hackers have taken over our parking meters.
And they got in touch with me and Jake politely declined to talk to them. I just deleted their email. But I called them back and had to give them my view, which was, sorry, it's not hackers. It's probably a firmware problem because the multi-space meters that failed, and I don't exactly know how they failed, I think they just didn't work, were all situated in one neighborhood of Chicago that had a different rate than the rest of the city. And it was like a really expensive rate. And I don't think they tested that rate, so there might have been some firmware problem or some overflow or something. So it was in the news, it was all over the place, and then it quietly disappeared. I don't know if anybody from Chicago knows the real result of that. No. Are you suggesting that greed might have caused a firmware bug? Possibly. Yeah. They're like, let's jack up the rate as much as we can. That's pretty bad if you hit an overflow condition from raising your prices. And Chicago too also has some sort of wireless communication back up to the cell phone network and then back to some mothership. So they were connected and that opens up a whole new range of attacks. Who here thinks that just because you're using a cell phone, the physical layer is secure? I mean, how many people have you seen around here just using cell modems? It seems like if there's some sort of cell modem back into these things, you should all start hacking on CDMA and GSM stuff. I mean, it's not hard, right? I'm sure someone is. Right. Well, definitely. Using a new radio. So this is just the general process of how we approach the problem and how we approach sort of any hardware problem. Kind of think about some attacks. We postulate some various attacks about what we could do, you know, from the most lofty goals to kind of the most maybe obvious or low-hanging fruit. Then we gather information. We will analyze hardware. We analyze firmware if necessary and then we look at any external interfaces.
In our case, there's a smart card interface so we looked at that. So no pun intended while saying this with a member of the L0pht on stage, but the loftiest one we thought was the covert channels. Imagine you know someone's serial number for their smart card or you know how to pay via cell phone. You could potentially set up the LCD so that it sends a message like, oh, hello, Joe, the crow flies at midnight. Modifying the firmware. Right. I think it was Jeff Moss. He suggested, well, you know, if you have these RF interfaces and the meters were exploitable, you could have a set of cards between meters. I mean, if they're a mesh, then, you know, mesh it. Yeah. And then denial of service are sort of these destructive attacks, but depending on the attacker's goals, might still be valid. So setting a meter to out of order, just preventing people from parking there because a lot of cities, if the meter is out of order, you're not allowed to park there. Or you're only allowed to park there for an hour. Which would... And then you'll get a ticket. And that could also be useful if you're like, yeah. And then, of course, destroying any sort of user interface, smart card interface or coin processing circuitry with a little ESD pulse using a little discharge tool. Some of the meters are designed to be electrically isolated, but, you know, I think that if you have a taser or a stun gun, you could find out how well they did that. I'm not suggesting that I tested this, but if you just look at some of the boards that you can buy or the meters on eBay, you see that they very clearly take the route of, oh, well, the smart card interface is the one that's going to get attacked, but they forget about maybe like the external serial bus or something. Yeah. And then, you know, possibly even if you know how the system operates, causing a legitimate user to be added to some fraud list, if there is a fraud list implemented in the city, say based on serial number.
So, if I know Jake's serial number of his prepaid card that he's using, you know, maybe I would clone his card and use it all over the city all the time and generate some flag somewhere to prevent him from legitimately using his card. So, it's also possible that you could do some sort of immediate deduction of credit, so someone walks up and they put in three hours and then they leave. We mentioned this at Black Hat when we were talking about this, and some guy from Montreal is like, oh, yes, we love to do that in Montreal. We hate those fucking parking meters. And so, apparently, the deal is that you park the car, you put in the change, and you are not allowed to refill it. So, if you put in more change, the incentive system, yes, there's that fine gentleman there, it resets to zero. So, apparently, there's like a social fad about going and dropping in coins across the whole block in order to raise doubts about the meter system. And basically, anyone can contest a ticket because it's so easy to break that system. So, in a way, I mean, that's great. They showed that the machine was not, you know, perfect, which is important. And this is exactly what people in New York were doing with the infrared remote controls as well. So, it's one of the favorite things would be, hey, there's some guy that you don't like, he just parked his car, go remove all his credit, call the tow truck, call the parking officials, give him a ticket. There's also, of course, the possibility that you could change the audit log. So, it doesn't look like any of the meters are actually using any sort of computational infeasibility, right? So, it's not like there's a cryptographic problem you have to solve. It's generally just, do you know something? Like, do you know how it works? So, that sounds a lot like security through obscurity to me, which means that it's what? Is that secure? Probably not. And, of course, if you wanted to, well, you're better at this part of the slide. 
I don't know about that. But, so, changing the time and date could always be fun, right? If you, you know, everybody gets free parking on Sunday, so what could you do? You know, change the date, and it's like, every day is Sunday, Sunday, Sunday, free parking in the city. They're already here. We don't have to get their money. I don't understand why you're saying that. For those of you that ever watched The Simpsons while growing up, thanks for the two that got the reference. Is that the monorail episode? I don't even know. I think it's the one where, what's his face goes and works at the racetrack, and they're building everybody. Anyway, so the least lofty goal just so happens to be the one that probably everybody wants, which is unlimited payment via smart card. And that one is kind of incredible, because you think, you know, you look at a smart card and you're like, oh, that's got to be secure. It's smart. It's a smart card, right? So that's got to be secure, because I mean, even that's smart in the name. And it's really tiny. Yeah, and so it must be like, you know, smart. Must be high tech. So that's actually what we're looking at for the case study in San Francisco, is the unlimited payment via smart card. Not so smart card. Yeah. So here's the process just on information gathering. Of course, you do stuff like Google and browse the internet, but... Yeah, you know, there's... I'll talk about it a little bit in the San Francisco case study, but I mean, social engineering can get you really far. I mean, just, you know, if you ask technically incorrect, but really specific questions that are maybe really eager to someone who cares about their job, they'll tell you the most amazing information about their system. And generally speaking, if they only tell you a little piece and someone else tells you another piece, you now have enough to put, you know, something together that is really useful.
And combining that with, say, press releases, where everyone's always tooting their own horn about all of the details of their system and how good it is, you can start to realize where they're lying before you even look at their systems, too, which is great. Like, for example, it's secure? Probably not. Yeah. And yeah, part of the hardware hacking process or any sort of analysis process is just gathering clues. So you do your social engineering, and you might get one bit of information. You find something on Google. You find something in the trash. All these things, you might not know how they all fit together until you start your work, and then you're like, oh, I can use that piece. So another thing is we said, you know, globalism. What does globalism have to do with, you know, parking meters in a city? Well, I mean, if you roll your own stuff, you can control your own stuff, right? You can make sure no one ever sells it on eBay. But if there's a meter company and they build a piece of hardware and they sell it to another city and they test it in that city, and then that city buys a new implementation because they didn't like it, they're going to possibly sell that meter to an infrastructure online. And now you can buy that and legitimately own something that's very similar to the meter that's in your city. And then you can attack that, and you don't need to take a meter or do something illegal. You're totally legal, which is exactly what we did for our case study. Thank you, eBay. Yeah, eBay is a magical place. And when we started looking at hardware, you know, in general, we just wanted to get an idea about parking meters because it's not often that you can, you know, walk up to one on the street and take it away. So we wanted to buy some, and we did some searches on parking meters on eBay over a span of like two months, and we bought every type that we could. And there were three that were available.
The Duncan EMM 7700 is the oldest one, the POM APM, and then the McKay Guardian, which is the early revision of the McKay Guardian XLE, which is used in San Francisco. So we were hoping that we could get some clues about the system. And being a designer, I know this for a fact that revisions of products typically are based on previous revisions of the design. So we can learn a lot about current systems by looking at older systems and getting an idea about how, you know, even from a system level, how the design is, and maybe even from an electrical level about, you know, what microprocessor is being used, what memory do they like using, what's the interfaces, you know, what things can we look at. So it gives us clues. And there's also actually details and similarities between competing products, which is sort of interesting. Like most of these are low power, for example. And some of the things are kind of elegant. And then you think, like, for some of the problems that they want to solve, they might do something kind of, I don't know, like it's almost like a Rube Goldberg machine in some of these meters. Like this Duncan meter is kind of cool in that it actually is sort of like a hybrid mechanical electronic meter where they have, like, you can see on this slide here, there's some little screws in there. Those are actually buttons. And you put a coin in, and then it weighs just a precise area out of the turning implement, and it turns like so. And when it turns, it scrapes across the heads of the screws and pushes an electronic button underneath. So there's sort of this sequence of, if you put a quarter in, it might hit, say here's a picture of the circuitry, it might hit one of the buttons, like button number one, button number three, and then button number four. But if it's a dime, it might hit button number two, and then button number four. So there's a sequence to program the time corresponding to that value onto the screen. 
There's also some, so this is the circuitry, this is the oldest one, as I mentioned, from 1991. There's a bunch of the buttons that are used for the coin stuff, but there's also some administrator reset buttons, which are cool, there's infrared. So people have been using infrared for a really long time. And it's still in use, and from what I know, all of that stuff is just being sent, if not in the clear, with some just very poor encoding. Anybody see the microprocessor on this board? Anyone know where it is? It has to be there somewhere. Right, there's something. Anyone take a shot at it? Win my shirt, win my shirt. Wow. That's pretty generous. Do you have another one to wear afterwards? No, I don't. So the microprocessor's actually hidden under the LCD, which might not be an intentional thing from a security point of view, it might just be because a lot of the pinouts go to drive the LCD, which is right there. But it is under the LCD, which means if you want to get access to it and this has internal ROM, then you need to tear the meter apart. The POM APM, this is a meter from Israel. It takes shekels, but it's made by POM in the U.S. So there is this cross-pollination of various countries sharing their devices, which could be ripe for international espionage, I guess. Yeah, I don't know. I mean, it seems like if you have someone designing the whole system in another country, there's a different set of economic and legal implications for the person that breaks that system. They maybe never need to set foot in that country and they could like sell cards or something and mail them abroad and make money from it. Like, oh, broke the system. So like an insider, understanding how this works, if it isn't something that's actually secured by some infeasibility problem, it's just like a disaster waiting to happen, I think. Yeah, and some of you guys might be thinking, oh, well, you know, there's no way someone's ever going to get access to a parking meter.
There's big locks on the meters. That's just physical protection. And if you're at DEF CON, you might realize that physical protection and locks don't really stop everybody. Maybe Barry's here and he could tell us how good locks are, mechanical locks, right? I mean, there's no real mechanical lock that is unbreakable, right? So, I mean, you might need to be Barry to break some of them, but essentially, if you are relying on physical security to ensure you don't have what amounts to a class break for your entire city, you're probably doing it wrong. Key diversity is something that could be really useful to you here, probably both in the actual physical keying of the metering infrastructure, but also in software. So there's a few more. I'm just going to breeze through these. There's some debug ports that I thought were interesting on the POM. The POM is also modular, so you can replace the various parts if they break. Easy access to the ROM. Here's another view. Easy access to the microprocessor as well. There's a reset button. McKay Guardian. So this is one that was decommissioned from Tallahassee, Florida that we bought on eBay. Oh, I should mention, too, the price range was from 99 cents per meter on eBay to $500. So well within a budget of most curious people. Here's the McKay. Again, easy access to the microprocessor, easy access to the ROM. The microprocessor in this case is a CLT840231G, which is a custom ASIC with a Z80 core. So if you were to pull off the ROM, which is an Atmel EPROM, you could decompile that or disassemble it. Toss it into IDA Pro and start looking around. Another interesting thing about the Guardian is there's this cool RJ45 connector on the lower right. Reading through some of the data sheets available on their website, it had made mention of some test connector, some interface. So we're like, oh, OK, maybe it says something about having a serial port and having some I2C, which is an interchip communication port.
So we said, oh, maybe we should look at that. We have the meter, it's open, it works. We might as well look at it. So we hooked it up to my little lab setup with my digital oscilloscope and some level shifter circuitry. And we're probing all the different pins, trying to figure out what's what. Because if there's an interchip communication, maybe that's something useful to drive the display. But more importantly, I want to see the serial interface if that was the debug port for sucking audit log information. And they had infrared on this particular version. And what we figured out is that on reset, on power up, the infrared port would spew out a bunch of stuff that also correlated to some data we were seeing over the wire. So sort of infrared and serial information being sent out. And we tried to probe that for a while and we're just kind of playing around. We didn't exactly figure out how it worked, but given time, we definitely would have. Yeah, it was only mildly interesting. But just looking at the way that it was designed, we realized that if this was sort of like the parent of the San Francisco meters, then that does not bode well for San Francisco as a purchasing decision. Right. And then firmware analysis, which we did not do in our case, but just in general, if you do end up getting access to memory devices or to microprocessors, the first thing you would do is suck all of the data out of them, suck all the program code out of them, and then reverse engineer them, decompile them, do whatever you need to do. Right, so I mean, if you know the company that's building the system and you understand what compiler they're using, for example, and you toss that into IDA Pro, you can help guide IDA Pro, for example. That would be pretty useful if you want to use objdump and grep, I guess. You could also do it that way.
So it would be really useful because maybe there's some particular portion of a problem you want to solve, but you can't figure out the generalized algorithm or you can't figure out exactly what they're doing. Maybe they have some sort of shift feedback register thing going on. It would be useful to see the structure of the firmware so that you could better understand what's actually happening without just doing an intercept. Yeah, and you can also target specific areas if you don't want to reverse engineer the whole thing because you just want to get clues or maybe figure out an access point to get to an administrator menu. But what I like to do, since I'm not the greatest reverse engineer for binaries and for firmware and stuff, for source code, I usually run stuff through strings first to see if there's any information, any cool constants and text that are there. And usually there are because engineers like to leave stuff in that's going to help them with messages, stuff like that. And usually those are left in production products. And then smart card analysis. Again, I mentioned in this case if you have an external interface that is a smart card, you would do this; if you have an external interface for other things, you would analyze those. This is the process that we went through. Monitor communications, you might want to try to decode the protocols, emulate the protocols. So one thing that's really good about this is that looking at press releases can be really helpful for this, especially when they're from the company. It's secure and we use this standard. So then you go and read that standard and you think to yourself this isn't secure at all. And that's really useful, especially when you start to do the decoding and you want to do the emulation because you can implement part of the standard and then when you've done that you of course know that that is not true that it is secure. My coffee is almost working. Almost, a few more minutes.
All right, so now we're going to jump into the case study of the San Francisco MTA. The city of San Francisco for a long time has sort of been grasping at straws of what parking infrastructure should we use: should we use electronic meters, single-space meters, should we use multi-space meters? That's made by a company called Rhino. The smart card that you see in the single-space meter also works in the Rhino, so there is some modularity there. This system was essentially a pilot program in 2003 and it cost $35 million, which we'll get to, but we should make a disclaimer first about this. Yeah, go ahead. First of all, contrary to Wired totally fucking us with the title of their story saying "free parking for all", which we expressly told them not to say because we didn't want to end up like the MBTA kids, we are not trying to get people to defraud the San Francisco parking meters. The point here is more to undermine its authority. I think that's much more important, and we should all do our job to undermine authority wherever we can, especially when it isn't necessarily duly received. San Francisco essentially wants to create revenue here. I think it's good to put doubt in the perfection of the machine. I think that when people get parking tickets, you should be able to contest them. I can't do it, but I'm going to quote Jean-Luc Picard. This is going to be good. "There can be no justice when rules are absolute." Okay, that's true. Machines are not perfect. There was a 19th century anarchist who said something along the lines of, it is not that I fear that machines will begin to think like men; no, no, it is that I fear that men will begin to think like machines. We have to fight against that, I think. So hopefully this is like, you know, chipping away at that. We're the one anarchist audience, represent. We are both San Francisco residents and we pay a lot of tax to the city. And it's just that it's okay for a city to try to figure out what parking system they want.
And that's fine. Here's two other parking meters that are available in the city. This one's a credit card based machine that says the smart cards don't work on them. It's just our tax dollars at work, and a lot of money is being spent on systems that aren't being analyzed. Or if they're being analyzed, the problems are just being ignored. Somewhere in San Francisco... or actually, is there anyone from the city of San Francisco here? No, not where you work for the city of San Francisco. I'm sure that there are people here. Do you work for the city? Do you work for the DPT? Anybody from the DPT here? You are. So somebody here from the Bay Area. So as Jake mentioned, the meter that we're looking at, the MacKay Guardian XLE, there's 23,000 of them in the city that replaced mechanical meters in 2002 with a $35 million pilot program. And to me, a pilot is like a test, right? It's like an evaluation. It's 2009 and they're still evaluating a system, and $35 million to do an attack like we did, which is very, very, very easy as you'll see... It shouldn't be possible and it blows my mind how much money they spent on this. I'm a little conflicted about... so in general I think that this kind of disclosure is good so we can influence social policy. We hope that we can get some of these things to change. San Francisco wants to install 320,000 of these meters in all of the residential areas of all of the city. They think that it will improve, for example, the environment because people won't have to double park. Which sounds like newspeak to me, but I think before they go and spend $320,000 worth of parking meters, I think that maybe we should question that that's a good idea in the first place. If they want revenue, they should be up front about it. They should say this is the true cost of having a car in the city instead of actually inconveniencing everyone, because what will happen is they'll become reliant on the smart card infrastructure, which is thoroughly broken.
What are you going to do when you're at home? You're going to go get a roll of quarters? That doesn't scale for an entire city. There are definitely some social problems. San Francisco uses the MacKay Guardian XLE meter, so if you've got a web browser in front of you and you're on the internet here, you can look that up right now. There's plenty of information out there about meters because manufacturers want designers and implementers to use their stuff, so they make a lot of information available. The way the system works is the smart card interface: the city uses a stored value smart card. They come in $20 and $50 quantities. You buy them in cash at certain places around the city or you use a credit card online. You deduct credit: you put the card into the meter, the meter displays the value remaining on the card, and then after a few seconds it starts deducting units like you're putting quarters into the meter. Once the value is depleted on the card, it's not reloadable. It's a one-time thing, you throw it away. The research, as you'll see starting right now, is it's easy to replay the smart card transaction, so even without knowing anything about how it works you can play the entire smart card transaction to the parking meter and emulate a card, but then you can also modify certain data to do cooler things, and we did this solely by looking at captures of an oscilloscope screen, a digital oscilloscope screen, and then analyzing data on a piece of paper over the course of three days. Basically a scope, a pencil and paper are all you needed to break the San Francisco smart card implementation. It was interesting because I'd worked with smart cards before but not really looked at them in detail, so it was a fun exercise to do that, and sort of we came out of it saying, wow, that was kind of easy and it shouldn't be that easy.
I worked a little bit with Moxie, you probably saw his SSL talk, on some smart card stuff, and so I was a little familiar with smart cards, but just in general I hadn't gone in this deep. And what actually prompted me to be interested in this is I saw this guy from the DPT who had opened up one of the Rhino multi-space meters, and inside of it was a report... I didn't describe this at Black Hat, but basically it's a small embedded computer and it has an SD card in it which looks like it has several hundred megabytes of space. And I just asked him questions like, wow, I've always wanted to work with computers, what's that like? And the guy was like, well, it's a great job, the city is really great and they treat you well. And we talked for a while. I asked him questions like, so can I pay with my cell phone? I just got one of those wireless cell phones. And he's like, no, no, can't pay, can't pay that way, no, these are all disconnected. So just in the course of like a 5 minute conversation where I'm holding my backpack over my 2600 shirt, you know, the guy explained to me everything I needed to know: it's an offline stored payment system and it's not hooked up to the internet, they don't do any verification, they probably don't do any fraud detection, and if they do they probably do it badly in a way where you can frame someone, etc. And the guy didn't realize he was telling me that, but he was also giving me a job offer at the same time, which is hilarious because they're trying to protect against insider attacks. So I'm just going to jump back for one second. We mentioned this already, you know, the goals of this work were to slam San Francisco and get free parking. We really want to share the process with everybody. We have released code, but the code is essentially a template for how our smart card emulator worked. We've removed all of the bytes of data that you could use to get free parking in San Francisco, so anybody who's in the media who's writing about this, the code is
essentially useless unless you're curious about how smart card emulators work. I changed all the bytes to FF. It's purely for educational purposes, and that's why we're here. So some other things with information gathering: the internet was sort of useful, sometimes a useful tool. I really recommend the airplane method of reconnaissance, which is that you set wget to run and then you get on an airplane, and then you just come back and read it later. That's all that matters. If you do that you'll be good, you'll be totally good, surprisingly. So yeah, the one kind of fun thing here is you would obviously search for product specs and press releases, but you might also want to think about discussion forums. Maybe the company's having technical troubles with a certain portion of their design. Do you think they have technical troubles, Joe? I think they do, or at least they did, and this was a post that we found on a Cygwin mailing list about some technical problems that one of the software designers was having with his implementation of CVS. You should definitely read that. It's 2001, it says, "I'm learning how to use CVS and as part of this process I set up a test repository", I almost said suppository, "a test repository to play with". It's great, it's 2001 and he's learning CVS. So, but there's some interesting clues here, if you maybe can't really see the post, but there's some stuff in there: J.J.
MacKay, so it's obviously a MacKay designer. Met Talk is an interface that's used and described in some of MacKay's documentation about some communications interface. There's the Gemplus LibPath, so now we know they're using some Gemplus based smart card. And we realized they're using GDB and GCC, so that gives us clues maybe if we need to reverse engineer firmware or try to disassemble stuff. So here's Chris Tarnovsky's few slides. Hi, my name is Chris Tarnovsky, I reverse engineer silicon dies. What we did is... I'm the other Chris. We have to go really fast now. I bought 20, or 10, stored value $20 smart cards and went to send them to Chris to do some analysis on. And when I went into the store... I go to the same place all the time when I go and buy my parking cards, so when I had to buy 10 I was like, I don't know, a little bit paranoid, decided to go somewhere else. And I walk in with my $200 in cash and I go up to the guy, I want to buy 10 smart cards, and he looks at me, he's like, why do you need 10? And I said, oh, I'm a sales guy, I use the car a lot, I drive around a lot. He's like, oh yeah, okay. And then he gives me the smart cards, and of course one of the things to note is sequential serial numbers on the back of the card, which is useful for analysis. But I felt pretty good about myself for that quick little social engineering thing. As you probably notice I smile a lot, so I don't know, he believed me though, it was kind of cool. I'm no Kevin Mitnick. So Chris is totally badass at hardware hacking, and he just decapped all of the chips and then imaged them for us basically. Oh yeah, I just realized we have like 10 minutes. So he decapped the cards with this process that he would discuss if he was here. It turns out there's two different types of smart cards that are indistinguishable to the end user, but one of them is the basic GemClub-Memo card, so it's a fixed ASIC ROM that can't be changed, and then future versions of the card are an 8051 microcontroller emulating the GemClub-Memo stuff, which is
cool because now those cards can be reprogrammed. We didn't do that, but they're more general purpose, so they could be changed and not have to create an entirely new die. So the general purpose one of course is nice because that means it has some firmware, so in theory even if they outlawed the rest of the smart card industry, their own system itself can probably be used against itself. And these are the dies: so on the left is the ASIC, on the right is the general purpose one. So I'm going to skip some of this. The card is based on the ISO 7816 standard, which means a lot of the electrical interfaces are known. There's two different types of transmission protocols for 7816: one is asynchronous, one is synchronous. The card we're looking at is asynchronous, and the card we're looking at is on the right side of the clock needed, so the data transfer is on one line and we can capture that. And we did, and the way we did it is we used a smart card shim. So we had a circuit board that we purchased from one of the many kind of satellite TV smart card hacking sites that are out there, that we'd plug the smart card in on one side, have a bunch of test points that we could connect to our oscilloscope and to the meter. So now we can monitor the communications while the communications are actually happening. And there's a kind of funny story here. So you'll note that that's a shim, that's an SFMTA card. If you're ever going to break a law or do anything kind of weird, or even something kind of sketchy, in San Francisco, there's one excuse that you can always use, they'll get you away with everything, which is this: it's for your art project. So this is our art project. You can walk up to a parking meter, you can do anything in San Francisco, but you can walk up to a parking meter with whatever tools you need and no one's going to care at all. So, you know, it's a parking meter also, so you can park in front of your target and run a wire, like with your, say, AC inverter from your car to your oscilloscope, and then just go on
up with your art project, and you're just making art, and I can document the whole process with my camera because it's art. Which I did not do, I don't have pictures, for anybody who's considering raiding us. Please don't raid us, we don't have anything interesting except the actual details, which we're going to tell the city. So this is a screenshot of the digital oscilloscope. The first thing we did is just see if we could monitor communications, and we know that smart cards always respond after reset with an ATR, a 4 byte ATR, so that's how we could figure out... we could just guess on the baud rate and on the various configuration settings until we got clean serial data that was decoded by the oscilloscope. We've got to roll off the list, we've got to get to the money shot. So once we could monitor the communications, what we did is we captured a bunch of different transactions. We had a lot of different cards with different values to capture a bunch of data, and then we brought all that data back to my house and sat there offline and just analyzed all the different data, figured out what changed based on different values, figured out the initialization and how everything worked. And it was all done by hand, no computer needed. So here's the deal, watch this setup. What's wrong with this right here? Right, could you spot the protocol bug where it might be a bad thing? Password? Okay, maybe, and then what? What's that? You read the balance. We'll go quick here. So there's some initialization stuff that always happens when you put the card in: it sends some stuff, serial number, which could be useful, some unknown value sent by the card to the meter that the meter then processes in some way and sends back and says, here's the password to you, smart card, and the smart card says, yes, that's my password, you can work with me now. Does that sound like a good idea? It kind of sounds like a good idea to me if I'm not the one building these things. We capture one set and we have it, we're fine. But
the way that the meter figures out the balance is it reads this value that I call balance two from the smart card, and that's a fixed value based on the value of the card. So a $20 card is F0AF and F127 for a $50 card. When you deduct a single unit, what happens is there's just this transaction that happens. It doesn't affect the actual balance two, which stays the same, it just does sort of a null transaction which increments this thing called the transaction counter. And the transaction counter is the only thing that changes on the smart card during the entire process, and that's what's used to count how many units have been deducted. So that value of the maximum balance two minus 95 decimal is the maximum card value, and then you would subtract the transaction counter to figure out how much money you have left. Survey: who thinks this is a good idea? I'm not just the okay part but the stored value, where it's... what would happen if you were to change those values, though? Let's try to change the balance two to say it has more money than it does. So once we captured the whole data, the first thing we did was, let's just do a standard replay attack. We'll use a legitimate card that we bought, let's use that. I built up some circuitry with a Microchip PIC, and we'll show you some pictures of the progress in a few slides, but I used a Microchip PIC, wrote the stuff in C. There's a little bit of code on there, but you go to the website and get the rest of it. So once we knew the replay attack worked, we said okay, let's change the values, let's change the balance, let's see what happens. Could it really have a cell of 4,000 unit card?
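The capture step described a little earlier, where the card's answer-to-reset was used to lock in the oscilloscope's serial settings, does not have to be guesswork: an ISO 7816-3 ATR has a fixed layout that tells you the bit convention, the protocols offered, and the clock-to-bit-rate parameters. The decoder below is an added example, not code from the talk or from the released emulator template; the two sample ATRs are constructed, and the 3.5712 MHz card clock used in the demo is an assumed reference frequency (the value at which the default Fi=372, Di=1 gives 9600 baud), not a measurement from any meter.

```python
"""ISO 7816-3 answer-to-reset (ATR) decoder (added example, constructed samples)."""
from dataclasses import dataclass
from functools import reduce
from operator import xor
from typing import Dict, List, Optional

# Clock-rate conversion integer Fi and baud-rate adjustment integer Di,
# indexed by the high and low nibble of TA1 (ISO 7816-3); missing keys are RFU.
FI_TABLE = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
            9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}
DI_TABLE = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}


@dataclass
class Atr:
    convention: str                # "direct" (TS=3B) or "inverse" (TS=3F)
    protocols: List[int]           # T values offered, e.g. [0] or [1]
    interface_bytes: Dict[str, int]
    historical: bytes
    tck: Optional[int]             # None when T=0 is the only protocol
    fi: int
    di: int


def parse_atr(raw: bytes) -> Atr:
    if len(raw) < 2:
        raise ValueError("ATR too short")
    ts, t0 = raw[0], raw[1]
    if ts == 0x3B:
        convention = "direct"
    elif ts == 0x3F:
        convention = "inverse"
    else:
        raise ValueError(f"unexpected TS byte {ts:#04x}")

    k = t0 & 0x0F          # number of historical bytes
    y = t0 >> 4            # presence bits for TA1, TB1, TC1, TD1
    pos, i = 2, 1
    interface: Dict[str, int] = {}
    protocols: List[int] = []
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(raw):
                    raise ValueError(f"truncated before {name}{i}")
                interface[f"{name}{i}"] = raw[pos]
                pos += 1
        td = interface.get(f"TD{i}")
        if td is None:
            break
        protocols.append(td & 0x0F)   # low nibble of TDi names a protocol
        y = td >> 4                   # high nibble announces the next group
        i += 1
    if not protocols:
        protocols = [0]               # no TD1 at all means T=0 only

    historical = raw[pos:pos + k]
    if len(historical) != k:
        raise ValueError("truncated historical bytes")
    pos += k

    tck = None
    if any(t != 0 for t in protocols):
        # TCK is present unless T=0 is the only protocol; XOR of T0..TCK must be 0.
        if pos >= len(raw):
            raise ValueError("missing TCK")
        tck = raw[pos]
        pos += 1
        if reduce(xor, raw[1:pos]) != 0:
            raise ValueError("TCK check failed")
    if pos != len(raw):
        raise ValueError(f"{len(raw) - pos} trailing byte(s) after ATR")

    ta1 = interface.get("TA1", 0x11)   # absent TA1 means Fi=372, Di=1
    fi, di = FI_TABLE.get(ta1 >> 4), DI_TABLE.get(ta1 & 0x0F)
    if fi is None or di is None:
        raise ValueError(f"TA1={ta1:#04x} uses a reserved Fi/Di code")
    return Atr(convention, protocols, interface, historical, tck, fi, di)


def baud_rate(atr: Atr, clock_hz: int) -> float:
    """Bit rate on the I/O line: one elementary time unit is Fi/Di clock cycles."""
    return clock_hz * atr.di / atr.fi


# Constructed sample ATRs, not captured from any real card.
ATR_T0_DEFAULT = bytes.fromhex("3B024A47")      # T=0, no TA1, two historical bytes
ATR_T1_FAST = bytes.fromhex("3B9218014A4786")   # TA1=0x18 (Fi=372, Di=12), T=1, TCK

if __name__ == "__main__":
    for raw in (ATR_T0_DEFAULT, ATR_T1_FAST):
        atr = parse_atr(raw)
        print(raw.hex(), atr.convention, "T=" + "/".join(map(str, atr.protocols)),
              f"Fi={atr.fi} Di={atr.di}",
              f"{baud_rate(atr, 3_571_200):.0f} baud at 3.5712 MHz")
```

Feeding the decoder a capture that is one byte short, or one byte long, raises instead of silently accepting it, which is the check worth having when the "ATR" on the scope might really be line noise or a partial frame from a wrong baud guess.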
Yeah, but let's try. And then we also modified the code so the transaction counter would never increment, so your value would always stay at the maximum. So this is automatically refilling itself every time you take it out, because it resets. And then, unbeknownst to me until when I was close to being done, is that satellite TV hackers, who have existed for a long time, decades, or at least over 10 years, like using Microchip PIC devices. So it just happened that the Microchip PIC device I used existed in a smart card form already, so I could get blank smart cards, program them with my code, and it would work. So the first one, you see the shim, you see the evolution. Okay, first one on the sketch... if you think about like a threshold, a sketch-hold, right, you've got a sketch-hold of really sketch, where you have Joe's actual last name logo for the board, and then you go all the way to the right and you just have a normal smart card, looks like everything else. Here's the results, and for those that can't see, the meter has just read the value of the smart card and thinks it has $999.99. We removed the card before it started deducting value. The city of San Francisco... if you're interested in projects like this and you live in San Francisco, you should come down to the hack lab and we work on some stuff like this. And we do need to mention that we intentionally did not contact the city before this research, first of all because we didn't want to encounter the same problem that the MBTA guys did last year, but also because we intentionally didn't release the information that could cause them harm, but we're reaching out to them now and we're trying to give them all the information. So here's some fixes that you could have. Really, good luck with that, it's very hard on standalone systems for cryptographic communications, but you can look through these. The slides are on the DEFCON CD so you can browse through them, but it's a very hard problem to solve. Just to be real quick, because we have
basically one minute: these meter companies have basically created an eCash system, but they didn't do it right. They didn't take into account the privacy implications and they didn't take into account the fraud issues. Dr. David Chaum actually solved basically all of these problems with eCash, so really they should be thinking about Chaum's work and they should be re-implementing that. So these are our final thoughts, you can read... you can really ride a bicycle, I guess, to avoid this. Also, before you go, we'd really like to emphasize that people should join the EFF. Jennifer Granick really helped us out and gave us advice that made us feel safe about giving this talk, and if you're not a member you should join. The extra room if you have questions. Thanks guys.