It's been a rough year for cards. There was a great deal of publicity about hacks on RFID cards (like this story about Chris Paget remotely sniffing data in U.S. passport cards), and now San Francisco is learning that its "smart" card-operated parking meters have already been hacked.
The hack of the card-operated meters was revealed at Black Hat security conference held in Las Vegas, Nevada. The hack targets the data on the smart card, which are used almost like debit cards to pay for parking in the city (drivers can pay with the card instead of having to dig up a handful of change).
"He [hacker/security researcher Joe Grand] discovered the cards aren't digitally signed, and the only authentication between the meter and card is a password sent from the former to the latter. The card doesn't have to know the password, however, it just has to respond that the password is correct. The cards sold in San Francisco are designed to be thrown out when the customer has exhausted them. But the researchers found that the meters perform no upper-bounds check, so hackers could easily boost the transaction limit on a card beyond what could legitimately purchased. They could also program a card to simply never deduct from the transaction count."
The cards in use by San Francisco were Gemplus cards (now Gemalto after the merger of Gemplus and Axalto), however, I think it should be fair to say that this isn't a hack that exposes all smart cards, but it does expose one fairly simple (and clearly flawed) implementation of smart cards. What it teaches us is that if you're going to use technology, you have to consider how someone might try to defeat that technology. And while getting free parking at a parking meter may sound fairly unimportant, once you consider that the smart meters project cost San Francisco around $35 million and was originally designed to catch $3 million in annual thefts from meters (some thefts were from thieves breaking open meters, others were by meter attendants skimming the cash), you start to realize that this is a pretty big security breach worth millions of dollars. Maybe for that kind of money San Francisco could have hired a security expert to evaluate the technology before they adopted it -- after all, you'll never hear about this kind of weaknesses from the salesperson.
So what happens next, does San Francisco ignore the problem? Do they redo the technology in all the meters? Do they issue a gag order on the security researchers involved? If we can look at a similar case where MIT students hacked the Massachusetts Bay Transportation Authority's Mifare-based card system to get free rides, the response was a gag order. The MBTA tried to silence the hackers (it didn't work; the details ended up on the Internet).
That might be effective enough for San Franscisco. So what if some really tech-savvy folks with the time on their hands actually do take the time to build the electronic devices necessary to reprogram parking meter cards? Are you going to lose less money to those few folks swiping free parking than you would if you yanked the parking meter system and reprogrammed the whole kit and kaboodle? All of a sudden the old coin-operated meters don't sound so bad.