Increasingly in the modern world, everything is being connected to a network. Even parking meters that were once just purely mechanical devices are now connected.
For IT security researchers, anything that is connected to a network is a potential target for research – even the lowly parking meter. Security researcher Joe Grand has taken a particular interest in the new generation of smart parking meters. He sees various angles where the parking meters could potentially be at risk from security issues and he wants to help make the system better for everyone.
Grand has not yet divulged the full details of how parking meters might be at risk, but he plans on delivering a session at the upcoming Black Hat security conference this summer.
In a live preview Webcast, Grand provided an overview of why parking meters are interesting from a security point of view and why we should all care.
“Why parking meters? It’s a combination of everything, software, hardware, network connectivity and it’s a physical real application used all over the world,” Grand said. “They’re taken for granted. It’s just a big metal box in the ground where you shove your money into it, get your parking and you walk away.”
Grand added that most parking meter users don’t think about the financial risks and the social implications of the parking meters if there were to be a security breach against them.
In 2003, San Francisco replaced 23,000 mechanical meters with new smart parking meters at a cost of $35 million. Grand noted that other major cities in the US and around the world have also adopted a new generation of smart parking meters. These meters provide smart card capabilities, can take credit cards in some cases, have display screens and are usually networked.
From a security point of view, there are multiple angles to examine on a parking meter. With smart card meters where there are cards that are loaded with dollar values, those cards could potentially be reset or reloaded. Some meters also take credit cards and that information might be stored on the meter where an attacker could potentially grab the information.
In some cities, the meters are connected by wireless networks while in other cases they can be accessed by way of an infrared wireless device. Grand noted that meters could potentially be reset to give free parking – or on the other side to expire parking for a valid spot.
Smart meters also often have LCD screens, which Grand commented could hypothetically be used by a hacker to transmit messages.
Black Hat presentations have been the subject of vendor scrutiny in the past, with multiple incidents over the years where presentations were blocked before the researcher could deliver them. In 2008, at the Defcon conference which immediately follows Black Hat, researchers were blocked from presenting their research into issues with the Boston subway / Massachusetts Bay Transportation Authority (MBTA) fare system. In 2005, Cisco tried to get a presentation pulled that exposed flaws in its equipment.
“Even if you don’t care about parking meters at all, we go through the standard hardware hacking process and you kinda learn the mentality of breaking hardware and that’s what I want people to really take away from the presentation,” Grand said.
Grand noted that the purpose of his presentation is not to show people how to get free parking or break the law.
“The whole educational aspect is our goal,” Grand said. “We’re trying to do everything we can in a way where we can educate people and not harm companies. We need to educate designers and implementers of these systems and let them know about problems. If I’m giving a public presentation at Black Hat, I can guarantee to you that there are already people out there that already know about the problems and are taking advantage of them.”