Here's a Map of Hackable Smart Parking Garages

A hacker could easily get free parking forever, spy on customers, and steal their money, a researcher claims.

May 29 2015, 12:00pm

Image: Sharon & Nikki McCutcheon/Flickr

Dozens of "smart" internet-connected parking garage all over Europe, and Australia, are trivially easy to hack, allowing a malicious hacker to practically take full control of them, according to a security researcher who's been studying a particular parking system provider for years.

These parking systems are insecure "by default," according to a report by Jose Guasch, a security researcher from Madrid. After hacking into them, Guasch said, a hacker could steal customers' credit card information, get a free parking spot for an unlimited amount of time, and even monitor and spy customers and workers through the parking garage's camera system.

"Anybody can hack into this," Guasch told Motherboard in an interview before his presentation at the at the Amsterdam hacking conference Hack In The Box.

"Anybody can hack into this."

Guasch's report highlights once again that internet-connected devices and systems that are sometimes described as "smart," are highly vulnerable, given that their makers don't take security into account when building or deploying them.

If you know the name of the company making these systems and the name of the product, these parking systems are easy to find using Shodan, essentially the Google of "smart" connected devices, Guasch told Motherboard.

That's how Guasch put together a map of all the company's easily hackable parking garages.

Guasch, however, is not disclosing the name of the company because he doesn't want anyone to abuse the vulnerabilities that he is highlighting, since he hasn't been able—despite repeated attempts—to alert the company of the issues. For the same reason, Guasch is only showing screenshots of the map, and not releasing the actual tool he created to map the vulnerable systems.

After several attempts to contact the vendor, all in vain, Guasch says he has alerted the Spanish police "Guardia Civil."

"Once inside, a hacker has full control of every device in the system."

"I just want people from other parking systems to pay attention," Guasch said, referring to other parking systems that might be connected to the internet, without their owners knowing about it. "I suspect many people don't realize this is connected to the internet."

Guasch found several vulnerabilities in these systems. Perhaps the most glaring one, is a publicly accessible folder that contains a backup of all the system's files, including the parking workers usernames and passwords. This allows anyone to get inside the system and "act like any other worker in the parking management system," Guasch said.

Once inside, a hacker has full control of every device in the system, from the parking's barriers, to the payment stations, cashier computers and even the cameras.

With access to the payment system, Guasch said, a hacker could plant malware inside every cashier computer and steal customers' credit cards—on top of the credit cards the hacker could access from the system's database.

The hacker could also change the messages blared out by the intercom system, or open and close the barriers whenever he pleases, Guasch explained in his white paper, which will be published here after his talk.

Other researchers, such as IOActive's Cesar Cerrudo, have exposed similar vulnerabilities in other parts of so-called "smart cities," such as traffic control systems. That's why Cerrudo, along with other security firms and researchers, has launched a global initiative to make smart cities more secure by identifying and patching their bugs and vulnerabilities.

"Right now I'm not sure the benefits surpass the problems that you have by using these vulnerable technologies," Cerrudo told Motherboard. "Something must be done because we all live in cities."

In the case of the parking garages analyzed by Guasch, simple measures like a firewall, or better passwords, or simply not connecting certain parts of the network to the internet, could do the trick.