I usually spend quite a bit of time talking about security problems I’ve identified, and a little less time talking about solutions to those problems. I don’t often talk about quantifying risk or products that I’ve identified as being particularly secure. Today, this changes.
I walked into a local antique shop hoping to find some old locks laying around that I can use for picking / gutting practice. As I walked into the shop, the friendly lady at the counter tells me that anything sports related is 20% off, as well as anything made of metal (except coins).
Well that works perfect for somebody like me, looking for locks. I ended up leaving with this parking meter that she posits is from Lake Geneva, WI before they upgraded to their far superior multi-spot parking system. I asked if she had keys, she did not but assured me that they are a common key.
Well — I didn’t Google it, assuming that either she was right or I’d just pick my way in. I got it out to my vehicle and shoved a tension wrench and a pick in the front and immediately had my soul crushed — this is a slider keyway which I can’t pick and even LockPickingLawyer has struggled with in the past. So I turn to E-Bay, which has replacement keys and cylinders, but they’re ~$50-75 each. Even still, I’m stuck with a unit I probably can’t open before my “disinterest cutoff.”
So, the first thing I do is call a local locksmith and ask them if he can decode and cut slider keys. He said he can, but to save time, send him a photo of the keyway.
I seen the word “Restricted” on there, but I’m like “words man”
He replies that it is restricted, and he can’t cut the key. So, I hopped on Google to learn exactly what that means. Turns out the key blanks are restricted (meaning he would need to have the blanks, the authority to cut them, and the software to tell him the bitting). Since I found it unlikely that I would find those services for a good price, I decided to start looking for bypasses.
Bypass #1 — Roll Pin
The first thing I notice is this roll pin acting as a hinge at the top of the meter box. This would be way too easy!
I was right — it would be too easy. I did some research and it turns out that the roll pin is retained with a set screw, meaning it won’t slide out without destroying the meter:
So that bypass will not work.
Bypass #2 — Access to the hex nut
In the real world, meters are attached to a pole and this approach would absolutely not work since this access point would be blocked by it. But, mine has been removed, so maybe I can remove the nut that retains the lock:
This nut was so loose I could almost knock it off with a firm stream of water. But I back it off with a screw driver until…
It stopped moving. The distance between the cover and the tailpiece would not allow enough distance for me to get the nut completely off. So, Bypass two was out.
Bypass #3 — Hacking
I’m not proud of what comes next.
Since I was able to back the nut off enough, I was able to expose the face of the lock by almost 1/4″.
At this point, I thought I could potentially file the threads down and then slide the filed down area into the cover, allowing me to rotate the entire lock. I couldn’t find my file, it was midnight, and I needed success:
At this point, I had to use a hacksaw to get through this. Even with that old, coarse-toothed saw, I was able to get through the lock with just a few moments of work. I’m not proud at all that this was my solution, but I wanted to get in and learn more. Sadly, there are two locks on this unit — and this one just opens up the cash cup. The other lock opens up the mechanism. I’ll have to figure that one out some other time.
If you liked watching Dexter, this is like a locksmith’s blood spatter pattern. These parts are a testament to my lack of picking skills. The $1.75 next to it? That was still inside the meter. Guess I got a discount 🙂
Balancing Risk: A Security Practitioner’s Prerogative
Security isn’t about making things impenetrable, it is about making it secure enough that the value spent getting around it exceeds the potential value gained. That’s why you don’t have gun turrets outside your house, but the military does.
In my professional opinion — this device demonstrates the output of a successful risk analysis and defensive design.
This is how I know:
The small can you see near the top of the quarters is the cup that retains the coins that you put into the meter. I happen to have had $75 in quarters in those blue bags and a few rolls, so I decided I would see what your potential earnings would be for breaching one parking meter.
Above is $50 in quarters. Not quite there. It turns out that to fill this can up, it would take:
Exactly $75. Meaning that if you were to breach a meter, ignoring the obvious legal fees, you would only walk away with $75.
But wait, there’s more!
So, in this meter, one quarter represents 30-minutes of time. There are 300 quarters in $75, so therefore ((300×30)/60)/24 = 6.25 days of continuous 24-hour parking. This also means that the meters were never emptied in that period. If the city comes by and empties the meter, that value gets reset. To maximize your profit, you’d have to track the meter maid, and be one meter in front of them with a hack saw and spend at least 20 mins in broad daylight trying to breach the thing. Once you breach one, they will notice and you won’t be able to do it again in this area.
With this said, yes you can jackpot a parking meter. But it isn’t like Grand Theft Auto, where you run it over and pick up money. In this case, the risk far outweighs even the fully potential maximum return. Therefore, as of this blog, I consider these a secure device.
I will continue exploring the security of these devices when I can get the mechanism open. So this may change.
Thanks for reading.