Car parking mobile apps are vulnerable to hacking, say infosec folk

Mobile parking apps are often insecure, according to an investigation by security researchers at NCC Group. Firms running paid-for parking schemes across the UK are introducing mobile applications as an alternative to paying with coins and/or card at the parking meter. Parking vendors generally cater for customers using Apple …

  1. TheProf

    Question

    "possible for an attacker to create a fake GSM base station"

    If I'm connected to a fake base station what happens if I try to make a phone call or access the internet? Does my call fail? Can I connect to a web page?

  2. Grikath

    So... In reality..

    The things are pretty safe to use, if the best a couple of... "security researchers" ... can come up with is "Could, Would, If, Possibly, Maybe."

    Hell... even H&S drones still need to present at least plausible scenarios when trying to validate their existence..

  3. Joe 35

    It may be possible for an attacker to create a fake GSM base station

    So they can do what? Pay my parking for me?

    1. BobRocket

      Re: It may be possible for an attacker to create a fake GSM base station

      'So they can do what? Pay my parking for me?'

      Well yes except they needn't pay the full fee, only enough of it to make you walk away from the meter, they keep the rest.

      They could forward the receipt (for the underpaid amount) safe in the knowledge that nobody reads these things.

      Later, when you get a parking ticket for overstaying, the receipt will back the parking company up.

      (the tinfoil hatted might suggest that parking company insiders are the MITM)

      1. Joe 35

        Re: It may be possible for an attacker to create a fake GSM base station

        Since with the app I use you can only pay for a whole day, I can't see that happening, but even if it's by the hour, for someone with the capability to run up a fake GSM base station, I think bigger opportunities than stealing £2.50 from parking receipts will be available.

    2. Roland6 Silver badge

      Re: It may be possible for an attacker to create a fake GSM base station

      So they can do what? Pay my parking for me?

      Cough, cough! It's a man-in-the-middle attack, they can see whatever gets sent across the Internet, if that includes user id/password and/or bank card details then these can be re-used.

      Depending upon circumstances being able to park somewhere on false number plates at someone else's expense might be useful.

  4. Anonymous Coward

    "the keys used to “encrypt” credit card details and passwords were stored in the application code"

    There's a known development tool which today is putting a lot of emphasis on mobile development, which does implement exactly this "technique" in its remoting framework for generic TCP/IP connections... also it refuses to use well known cryptographic algorithms "due to US export rules". It also costs about $3000, plus the yearly "subscription" if you want bug fixes.

    We're running courses about "secure programming" in our company, and it's unbelievable how many developers don't get it themselves, and how many rely on "broken" code supplied by their tools without ever questioning it.

    1. Anonymous Coward

      Re: "the keys used to “encrypt” credit card details and passwords were stored in the application c

      Sadly as you point out it's almost any industry that's decided to get an app to save money...only those managing the apps don't seem to grasp basic security.

      I've just logged in AND posted this comment to The Register over HTTP. Am I tired, or is this correct, El Reg: did I really just send my password to you over clear text?
