UW Computer Security Research and Course Blog

Summary

Parking meters are a common access control system used by thousands of people every day. There are many types of meters but for this assignment I will conduct a security review on a specific one. The meters I will discuss are located in the U-District and make use of tickets that driver’s must place on their car window. The tickets display an expiration date and time in addition to a barcode that can be scanned to ensure validity. They also have some extra markings of which I assume are there to make counterfeiting more difficult.

The system is designed to control the amount of cars that can park in a given zone, usually densely populated areas. Each driver that parks in a designated spot must retrieve a ticket from a nearby electronic parking meter. At the meter the driver electronically enters the desired time he/she wishes to reside in the parking spot (usually with a maximum of two hours) and then pays using a combination of coins, bills, and credit/debit cards. Once payment is confirmed, the machine prints out a ticket which the driver then places on the inside of his car window.

Of course, all this is useless without means of enforcing proper use of the system. In order to do this, a specially designated police force, or meter maids, patrol parking meter zones and periodically check meter tickets for validity. If a car is found with an expired ticket, invalid ticket, or with no ticket at all, the meter maid takes down the make, model, and license plate number of the vehicle and issues the owner of the vehicle a fine.

Assets and Security Goals

·         The parking spaces themselves are assets. The entity who owns the spaces would like to ensure that no one is illegally utilizing their property.

·         Potential earnings from those parking in the spaces are another asset. The owner of the space would like to generate as much revenue as possible from the drivers using their service. This includes preventing freeloaders from taking spaces that potential paying customers would have otherwise taken.

Adversaries and Threats

·         Drivers who park in metered spaces are potential adversaries. If they find ways to cheat the system are not only utilizing the actual property for free, but they are robbing the owner of potential revenue.

·         Random vandals are also potential adversaries. Vandals might deface, damage, or destroy parking meters around the city.

Potential Weaknesses

·         Insufficient amount of law enforcement officers to enforce correct usage. If there are not enough cops, then people will abuse the system more often.

·         Possibility of counterfeiting meter tickets. It might be possible for clever individuals to counterfeit the meter tickets and get by without ever paying for parking.

Potential Defenses

·         The obvious way to curb the potential weakness of too little law enforcement is to simply task more law enforcement officers to the job. There are, however, other ways to enforce the parking zones. For instance, automated sensors placed around the parking area could tell how long a particular car has been parked there. Through wireless transmission, the sensors could report back to the main meter machine, which could photograph license plates of illegally parked vehicles.

·         In order to stop people from counterfeiting tickets, you simply need to make the tickets very difficult to replicate. This is currently done in two ways. One, the tickets have various designs that would be fairly difficult to copy, and two, there is a barcode on each ticket that somehow conveys to the meter maids whether or not the ticket is valid.

Risk Evaluation

Weighing the potential weaknesses against the potential defenses gives one the idea that parking meters are relatively insecure. It would not be incredibly difficult for an adversary to take free space from the parking spot owner, and in turn rob them from potential revenue.

It seems to me the biggest weakness is the fact that there simply aren’t enough law enforcement officers tasked to the meters to make the threat of a ticket very intimidating. Considering this fact, if one were to do a moderately good job of counterfeiting tickets, even if they had invalid barcodes, they would probably be able to at least break even in terms of money saved on parking vs. amount paid in parking tickets. Law enforcement officers would likely see the ticket and move on.

Conclusion

Even though it is fairly obvious that parking meters would be relatively easy to cheat, I wouldn’t recommend drastically changing the system any time soon. The truth is, the city makes more money from the parking tickets people receive trying to cheat the system lazily, than they would by actually having those individuals go ahead and pay for the parking in the first place. This is a clear cut situation where both sides can benefit from the perceived lack of security.