
Hacking a parking ticket system - ronreiter
http://www.ronreiter.com/free-parking-for-life
======
gus_massa
> _I'm sure there's a bit more elegant way to find the missing thousand
> component, but for me it would be just quicker to do a bit of
> brute-forcing:_

The calculation the author wants is

    
    
      LastThreeDigits(secret*23) = 642
    

that is equivalent to

    
    
      secret * 23 == 642 (mod 1000)
    

that is equivalent to

    
    
      secret * 23 + dummy * 1000 = 642
    

The standard method is to solve this first for 1 instead of 642

    
    
      other_secret * 23 + other_dummy * 1000 = 1
    

and this can be solved with the Extended Euclidean Algorithm:
[https://en.wikipedia.org/wiki/Extended_Euclidean_algorithm](https://en.wikipedia.org/wiki/Extended_Euclidean_algorithm)

(But in this case, and with a computer, the brute force solution is easier.)
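
The Extended Euclidean route described above, worked through as an added example (not part of the original comment or the linked article). It goes beyond the thread's single case and solves any `a*x == b (mod m)`, including `gcd(a, m) > 1`; the function names are illustrative.

```python
def extended_gcd(a, b):
    """Return (g, x, y) such that a*x + b*y == g == gcd(a, b)."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y


def solve_linear_congruence(a, b, m):
    """Return every x in [0, m) with a*x == b (mod m), in ascending order."""
    g, inv, _ = extended_gcd(a % m, m)
    if b % g:
        return []                      # b not a multiple of gcd(a, m): no solution
    step = m // g                      # solutions repeat every m/g
    x0 = (inv * (b // g)) % step       # scale the "= 1" solution up to "= b"
    return [x0 + k * step for k in range(g)]


def brute_force(a, b, m):
    """The brute-force search from the quote, used here as a cross-check."""
    return [x for x in range(m) if (a * x - b) % m == 0]


if __name__ == "__main__":
    # Numbers from the thread: secret * 23 == 642 (mod 1000)
    print(extended_gcd(23, 1000))                 # 23*87 + 1000*(-2) == 1
    print(solve_linear_congruence(23, 642, 1000))
    # Assumed extra case: gcd(4, 10) == 2, so there are two solutions
    print(solve_linear_congruence(4, 2, 10))
```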

~~~
ronreiter
Thanks!

------
mabbo
A friend of mine in college did this, but it was even simpler- there was no
barcode, just a number that increased by one for each ticket sold. He went the
entire year just making his own to avoid paying $3 per day. Just take the last
three days' tickets, increment by the average difference, print and display.

When they caught him (he parked in the wrong lot or something) he admitted
everything, paid $80, and offered to help them catch others doing the same
thing.

He told them to change the end-of-day expiry time to 1 minute earlier than
normal, tow everyone with a ticket that expires at the usual time.

~~~
superuser2
A much simpler "hack" occurred to me recently. Suppose you wanted to store
your car for a long time in a gated garage that also holds ZipCars.

Drive your car in and take a ticket as normal. When it's time to leave, book a
ZipCar for one hour. Grab its parking pass and use it to exit the garage with
your car. Park on the street nearby, walk the pass back to the ZipCar.

Are there typically countermeasures in place for this? Match the pass to the
license plate with ANPR? Don't allow an exit without a corresponding entrance?
Sucks for the next person to use the ZipCar. But how will they know it was
you? Are video archives good enough to find the plate associated with a
particular card swipe without a ton of manual effort?

(Assume you're trying to store a car for a month or more. At a fairly normal
Chicago visitor parking rate of $25 for 2 hours, that would cost $9,000.)

~~~
wbsgrepit
There are protections to this type of abuse in just about every commercial
parking system -- so much so it is not even listed in advantages/features for
most of their marketing materials. It is commonly referred to as Single Entrance
Gate or Stateful Egress; basically the card is tracked in a stateful database
and is either in use (it has been used to enter but not yet to exit) or not in
use (it has exited since its last entry). If you attempt to use the card for
entry when it is in the "in use" state it will deny and log the action.

Edited to add: For the next common "game" on this line "why don't you just walk
past and card swipe exit" you will note the cameras positioned at the card
terminals at all of these lots for this issue. Basically they will have a
record of: your license plates for the entry/exits (the swipes and video
systems have timecodes that can be matched) and of your person walking by on
foot to trigger the exit state.

~~~
jacobush
At our place there is also some kind of car detector, presumably magnetic
coils in the ground. You can't walk past.

------
stcredzero
One of the Dr. Dobbs editors made the following confession years ago in an
editorial, when Dr. Dobbs was still published on glossy magazine paper.
(According to the text, the statute of limitations had already run out.)

When faced with the situation of working on a mainframe at city hall, but not
being issued a city parking permit due to bureaucratic oversight, he came up
with a solution in code. It just so happened that the system he was working on
issued the parking tickets, so he just added conditional logic to detect his
name, then deleted the ticket! Problem solved, and no bureaucratic runaround
to solve it!

------
jo-han
The checksum algorithm they used will only produce 73 different checksums
(00000000-99999999: 0-72) - and all of them even. There is space for 9999
different values.

Tips to improve: f(x) = ( x * secret) mod 1000

- mod 10000 instead of mod 1000 (as mentioned in the article)

- make sure the 'x' varies between 0-9999 (e.g. by splitting the number in
half and adding the parts 03001909 > 0300+1909 = 2209)

- make sure the 'secret' is larger than 10000 and non-divisible by factors of
10000 (2 and 5) (e.g.: 54321)

Pretty sure it wouldn't be so easy to hack then.

~~~
nocsaer1
It is probably just a barcode checksum/error code, otherwise they wouldn't
have to rely on the values of the first 8 digits. Instead they should generate
4 random digits and store them in the database along with other information,
then it basically works like a pin number (and xor it with a proper checksum).

Edit: If it is really a checksum, it is a crappy one.

~~~
jschwartzi
A lot of symbologies support some kind of modulo check digit. It's mostly
there to detect erasure and substitution errors, because those are relatively
common errors in decode. A modulo sum is better than nothing, considering that
each additional digit increases the length of the barcode. If you're length-
constrained, then adding more check-data is a difficult trade-off between
stronger protection and smaller module size, meaning that you could add so
much data that the barcode becomes too dense to print or read.

------
DrScump
I'm sure this will be a big hit with the legitimate purchasers of the tickets
to which those barcodes were assigned... who will find them mysteriously
invalid when presented.

~~~
ronreiter
Correct, unless you manage to hop out of the range of the assigned ranges.

------
samwillis
A really simple "hack" of a car park with an entry barrier that issues you a
ticket is that you can usually exit the car park with an unpaid ticket if it's
under 10 min old. So just get a new ticket from the entrance when you want to
leave.

They do this so you can get out if there are no spaces.

I haven't done this myself and don't condone it. You will probably get in
trouble and it's not nice.

~~~
jschulenklopper
> So just get a new ticket from the entrance

Getting a new ticket from the printer before the barrier will be hard if your
car is inside the car park. Often the ticket printer will only work if it
notices a large metal object (such as a car) in front of the barrier.

~~~
tbyehl
Many automated garages ban motorcycles because they're unable to trigger the
sensor.

~~~
bitdivision
Or they make the barriers slightly shorter so that motorcycles can park for
free.

~~~
PantaloonFlames
Which they do, recognizing the fact that if there are a few motorcycles parked
in your lot, it makes the whole lot look cooler.

------
gloves
I got about half way through this article before starting to feel inadequate
and just looked at the big numbers thinking this guy seems clever.

------
kej
This reminds me of the guy who was caught a few years ago for putting homemade
UPC stickers over the printed UPC symbol for expensive LEGO sets so that
they'd ring up as inexpensive LEGO sets.

After the felony fraud charges, he would have been better off just shoplifting
the sets instead.

~~~
DanBC
I can find some stories on the Internet about a wealthy person doing this:

[http://lego.gizmodo.com/high-profile-silicon-valley-exec-gui...](http://lego.gizmodo.com/high-profile-silicon-valley-exec-guilty-of-mass-lego-th-1084170411)

[http://gizmodo.com/5912141/multimillionaire-software-exec-ar...](http://gizmodo.com/5912141/multimillionaire-software-exec-arrested-in-lego-thieving-bar-code-scam)

[http://news.yahoo.com/blogs/technology-blog/incredibly-wealt...](http://news.yahoo.com/blogs/technology-blog/incredibly-wealthy-silicon-valley-exec-arrested-complicated-high-185525605.html)

[http://www.mercurynews.com/ci_20675946/silicon-valley-tech-e...](http://www.mercurynews.com/ci_20675946/silicon-valley-tech-executive-lego-theft-barcode-scheme-charged-sap-toys)

But there's this earlier story too:

[http://www.eurobricks.com/forum/index.php?showtopic=29272](http://www.eurobricks.com/forum/index.php?showtopic=29272)

~~~
soylentcola
Wasn't there a site years ago that hosted images of bar codes for just about
any common item sold at chain stores? I seem to remember the idea being that
you could just print out something with a lower price that's still believable
and stick it on the item before checking out. The idea was that if anyone
caught on, you would claim ignorance and apologize.

From what I remember this didn't work out well for anyone and was handled as
you might expect. I'm definitely not someone who would try to give himself a
$500 discount on an HDTV but it got me musing about the scam when it crossed
my radar. It always seemed to me that in order to be worth the risk and hassle
you'd have to do it on a scale that dramatically increased your chances of
getting busted. Like you couldn't give yourself a big discount (obvious at
checkout) or give yourself lots of little discounts (more chances to get
noticed) so aside from the "heehee I found a dirty trick" aspect, it seemed
like kind of a terrible scheme (not even counting the fact that you're
engaging in fraud).

~~~
wbsgrepit
Related, this is why manufacturer's coupons have changed in the last few
years. It was previously possible to create a manufacturers coupon barcode for
any UPC that would represent one of the standard discounts before GS1-128
including Buy 1 get 1. The new GS1 barcodes encode much more data that allows
better fraud protection.

------
DanBC
I'm surprised the scheme is so weak.

Wherever money is involved, even the small amounts for carparking[1], you're
going to have people attacking the system to get free stuff.

And car park machines[2] have extensive audit trails.

[1] an individual stay is quite cheap. Over a year it's a lot of cash.

[2] At least, the Almex Control Systems machines did. As did the TIMTronic and
System B and System C and Delta bus ticket machines.

~~~
Drdrdrq
They don't need it to be strong, you are leaving your car and license plate as
collateral.

------
geekamongus
Reminds me of something you'd find in a copy of 2600.

------
dsfyu404ed
Over a summer I lived in "intern housing" at a university in the DC area. They
wanted $150 for parking for 2mo, yeah, nope. A little bit of research told me
that the parking services were a separate entity from the school and that the
school would put a hold on my student account and transcripts if there were
unpaid charges. I also found that they supposedly boot you after 3 tickets.
Tickets are $100 minimum and go up by $50 for every unpaid 30 days. As someone
who never took any classes from them they didn't have much leverage over me. I
just pulled my front plate, got a few spare plates from the junkyard and
slapped one over my real plate when I got home for the night making sure no
one plate had more than three tickets. For ~$3 day it was well worth the
hassle. They're still sending me notices every two months about my unpaid fine
for the one time they ticketed me with my real plate.

Seriously, the easiest way to abuse (private) parking systems is usually to
make them write the ticket to a plate that doesn't come back to you.

Another "hack" was that the parking gates at most public garages in the DC
area had a rubber sweep on the bottom and were tall enough that most 90s
compacts could squeeze under if you retract the antenna, saves about $6 per
usage.

~~~
rconti
That's risky because they may be able to look up your car by VIN. You'd
probably need to randomize it by parking in different locations every day,
hoping that you get different meter maids who wouldn't recognize your car.
Your car would also have to be so generic in appearance (not just model/color
but also condition) that it didn't stand out.

~~~
dsfyu404ed
My truck was anything but generic. I got tailed by the campus pigs (I'll call
them that because that was my experience with them) and stopped several times
for no reason (and let off with a "warning" because whatever I had done wasn't
something one normally gets cited for, they basically wanted to check my
papers and see who I was) because my truck was a decade too old and
several tax brackets too low to be common in that area. They always seemed to
see me like I was some tweaker who might steal and scrap their aluminum hand
rails to get my next fix.

I figured out that parking way out back significantly reduced my chance of
being ticketed. More than once I saw the parking services truck drive up and
down the rows making sure everyone had something in each windshield, not
actually scanning them. This was during the summer so there was always parking
available and 90% of the enforcement I saw was during the first two weeks when
everyone moved in.

The permits were a paper with a bar-code displayed in the center of your dash
(students got ones that hang from mirrors). I thought of just putting a piece
of paper there but I figured any attempt to fake it would piss them off. The policy
was worded such that it made it sound like you only got booted after three
UNPAID violations so I think what was happening was that when they put each
new plate (all three I used were from the same state) into the system it
didn't tell them to boot it because no plate had more than three citations on
it. I got six tickets over the course of the summer. Two, two and one on
junkyard plates and one on my real plate.

Parking in the same place with a ticket under your wiper would probably work
for awhile too.

When I looked on their online parking pass system I don't recall a way to
input a VIN so I assume they didn't record it, just a photo that includes the
plate and a description.

Like I said, I wouldn't do this somewhere that the municipality does the
parking enforcement.

------
wbsgrepit
I think he is forgetting that the barcode is generated and exists not in a silo
but with knowledge of a controller. I would be amazed if the system did not
both track the barcode creation and exit events and trigger protocols on any
outside system event.

Print out your card at home, park at lot, scan to checkout, your barcode is in
one of three states: 1: Not valid because it has not been issued by the
controller, 2: Valid and first use (you left before the other car on the lot
with the duplicated barcode has exited), 3: Invalid because it has already
been used on exit (the duplicate barcode has already left the lot).

In what scenario given an active controller that is not braindead would this
give you any kind of advantage? You are more likely than not going to be in a
situation where you trigger an alarm on exit.
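
The three barcode states listed in the comment above, modelled as an added example (not part of the original comment and not any vendor's code). The `ExitController` class, its method names and the barcode strings are hypothetical; the sample data is constructed.

```python
from enum import Enum


class Scan(Enum):
    NOT_ISSUED = 1      # state 1: the controller never printed this barcode
    FIRST_EXIT = 2      # state 2: issued and not yet used to leave
    ALREADY_EXITED = 3  # state 3: issued, but an exit was already recorded


class ExitController:
    """Hypothetical controller: each barcode is issued once and exits once."""

    def __init__(self):
        self._exited = {}   # barcode -> True once an exit has been recorded
        self.alerts = []    # (barcode, Scan) pairs kept for staff review

    def issue(self, barcode):
        if barcode in self._exited:
            raise ValueError("barcode already issued")
        self._exited[barcode] = False

    def scan_exit(self, barcode):
        if barcode not in self._exited:
            result = Scan.NOT_ISSUED
        elif self._exited[barcode]:
            result = Scan.ALREADY_EXITED
        else:
            self._exited[barcode] = True
            result = Scan.FIRST_EXIT
        if result is not Scan.FIRST_EXIT:
            self.alerts.append((barcode, result))   # deny and log
        return result


def replay(issued, exit_scans):
    """Issue tickets, then process exit scans in order; return results, alerts."""
    ctl = ExitController()
    for barcode in issued:
        ctl.issue(barcode)
    return [ctl.scan_exit(b) for b in exit_scans], ctl.alerts


# Constructed sample data, not real tickets.
ISSUED = ["030019090001", "030019090002"]
EXIT_SCANS = ["030019099999", "030019090001", "030019090001", "030019090002"]

if __name__ == "__main__":
    results, alerts = replay(ISSUED, EXIT_SCANS)
    for code, res in zip(EXIT_SCANS, results):
        print(code, res.name)
```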

------
nocsaer1
Nice.

You have a typo here:

f(21) = (23 * 854) % 1000 = 17934 % 1000 = 934.

I wouldn't be surprised if the last four digits are some form of built-in
barcode error checking, and are not used anywhere else.

------
marnett
Over my summer interning in NYC I found even weaker vulnerabilities with
the NY Waterway ferry's e-ticketing system. Trivially cost can go from greater
than $296/month (for some routes) --> $0. Fortunate for those who
instinctually think of weaknesses in systems.

------
esseti
now the question is: why did they choose 854?

~~~
protomyth
That's what I was wondering.

    
    
      ~$ factors 854
      854: 2 x 7 x 61
    

Factoring 854 doesn't seem to help unless those meant something to the person
who came up with it (old high school locker combo?).

------
troels
Nice reasoning. How long did it take you to figure it out?

~~~
ronreiter
About 10 minutes :)

------
interdrift
That was too easy.

