Security Testing in Parking Automation Systems

In recent years, the world has seen a growing concern over the security of applications, especially those based on the web. This attention is justified by the increasing sophistication of cyber-attacks and the critical importance of online data and services. However, an area often overlooked in this security landscape is that of systems integrated with automation, such as parking access control systems. It was this gap that sparked my curiosity and led me to embark on a research journey that spanned Brazil, Argentina, and the United States, focusing on the security of parking automation systems.

After testing more than 25 systems over the years, I selected four successful cases to share. Each discovery was promptly reported to the responsible companies. These experiences reinforce the need to apply the same rigor to the security of integrated automation systems that we already apply to web and mobile applications. The danger lies in the false sense of security that these systems may convey, overlooking the increasingly sophisticated threats we face.

This article is intended to serve as a call to action for developers, security engineers, and those responsible for implementing access control systems. Security must be a priority from the design through to the implementation and maintenance of these systems. By sharing my findings, I hope to inspire a more holistic and diligent approach to security across all technology areas, ensuring that both our physical and digital spaces remain safe.

2010: Vulnerability in Sequential Barcodes

The journey began when I noticed that a shopping mall parking system issued sequential access codes. I developed an app that applied brute force to generate barcodes, exploiting this predictability. The software calculated a range of valid codes based on the average flow of vehicles, allowing for unpaid exits.
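One way to remove the predictability described above, as an added example that is not code from the article or from any of the tested systems: the barcode stays numeric but carries a MAC tag over the serial, so knowing one valid code says nothing about its neighbours. `SITE_KEY`, the 10-digit serial and the 8-digit tag are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-site secret shared by the ticket printer and the exit gate.
SITE_KEY = secrets.token_bytes(32)
SERIAL_DIGITS = 10
TAG_DIGITS = 8  # decimal digits of the MAC appended to the serial


def _tag(serial: int, key: bytes) -> str:
    # HMAC-SHA256 over the serial, truncated to a fixed number of decimal digits.
    mac = hmac.new(key, str(serial).encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**TAG_DIGITS).zfill(TAG_DIGITS)


def issue_code(serial: int, key: bytes = SITE_KEY) -> str:
    """Barcode payload: zero-padded sequential serial followed by its tag."""
    return f"{serial:0{SERIAL_DIGITS}d}{_tag(serial, key)}"


def verify_code(code: str, key: bytes = SITE_KEY) -> bool:
    """Accept only well-formed codes whose tag matches their serial."""
    if len(code) != SERIAL_DIGITS + TAG_DIGITS:
        return False
    if not (code.isascii() and code.isdigit()):
        return False
    serial, tag = int(code[:SERIAL_DIGITS]), code[SERIAL_DIGITS:]
    return hmac.compare_digest(tag, _tag(serial, key))
```

An 8-digit tag leaves a 1 in 10^8 chance per guess, so the gate should also limit and log rejected scans.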

2017: SQL Injection in Barcodes

With the evolution of systems to generate random alphanumeric codes, SQL injection through barcodes became the next vector of attack. I modified my app to include SQL Injection payloads, such as ' OR '1'='1, achieving surprising success and demonstrating the lack of proper input sanitization.

2021: The Transition to QR Codes

The adoption of QR Codes introduced new complexities and possibilities for exploitation. Analyzing the content of a QR Code, I discovered a URL that led to a payment system, opening the possibility to explore vulnerabilities. Attempts to redirect requests to a controlled server failed, indicating some form of security validation. However, injecting SQL into the ticket parameter revealed a critical vulnerability in input validation.

  • Access to the Payment System: Opening the URL contained in the QR Code directed me to a system that allowed ticket payment. The presence of this interface opened the possibility to explore potential security flaws. The central question was: are there adequate security measures to validate and process requests made through this URL?
  • Request Redirection to an External Server: As part of the tests, I generated an alternative QR Code pointing to a server under my control, in hopes of intercepting the requests and analyzing the data sent by the parking system. Surprisingly, this attempt did not succeed, indicating the existence of security measures that validated the request's origin or the URL's structure more rigorously than anticipated.
  • Successful SQL Injection (SQLi): The exploration continued with an attempt to inject SQL (SQLi) through the ticket parameter in the URL. By modifying the QR Code to include SQLi payloads, I gained unauthorized access, demonstrating a critical vulnerability in the system's input validation. This success pointed to the absence of essential security measures, such as input sanitization, that could prevent such attacks.
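The input-validation gap behind the 2017 barcode case and the 2021 ticket parameter, shown as an added example that is not the code of any tested system: a ticket lookup built by string concatenation next to a parameterized one with a format check. The table layout, the 8-character ticket format and the sample rows are constructed for this sketch.

```python
import re
import sqlite3

TICKET_RE = re.compile(r"[A-Z0-9]{8}")  # assumed ticket format


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed sample tickets (one paid, one unpaid)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tickets (code TEXT PRIMARY KEY, paid INTEGER)")
    db.executemany("INSERT INTO tickets VALUES (?, ?)",
                   [("A1B2C3D4", 1), ("Z9Y8X7W6", 0)])
    return db


def is_paid_vulnerable(db: sqlite3.Connection, scanned: str) -> bool:
    # Weak form: the scanned text becomes part of the SQL statement itself,
    # so quote characters in it change the WHERE clause.
    query = "SELECT 1 FROM tickets WHERE paid = 1 AND code = '" + scanned + "'"
    return db.execute(query).fetchone() is not None


def is_paid_hardened(db: sqlite3.Connection, scanned: str) -> bool:
    # Reject anything that is not shaped like a ticket before touching the DB.
    if not TICKET_RE.fullmatch(scanned):
        return False
    # Bound parameter: the value is compared as data and never parsed as SQL.
    row = db.execute(
        "SELECT 1 FROM tickets WHERE paid = 1 AND code = ?", (scanned,)
    ).fetchone()
    return row is not None
```

With the payload quoted in the 2017 section, the concatenated query reports a paid ticket while the parameterized one rejects the scan.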

2022: Authentication via JWT in QR Codes

The implementation of JWT for authentication in parking systems presented an interesting challenge. The robustness of JWT limited the ability to create alternative payloads or conduct brute force attacks. However, by modifying a QR Code to redirect validation to a server under my control, I was able to simulate a positive authentication response, exploiting a significant flaw in the validation system.

  • Initial JWT Exploration: Analyzing the JWT revealed that direct manipulation of the token's payload was unfeasible due to the digital signature, which ensures the token's integrity. This eliminated the possibility of brute force attacks or creating alternative payloads, increasing confidence in the system's security.
  • Authentication and Server Response: Curiosity led me to directly access the URL embedded in the QR Code, resulting in a 401 Unauthorized error, an interesting response. The following day, after paying the ticket and accessing the URL contained in the valid QR Code, I received a 200 OK response, indicating success.
  • Redirection to a Controlled Server: The exploration culminated in the creation of a modified QR Code, where the original URL's domain was replaced with one pointing to a server under my control. This server was configured to respond with a 200 OK to any request, simulating a positive validation. This approach resulted in the parking barrier opening without the need for a valid token, exploiting a flaw in the system that did not adequately verify the URL's authenticity.
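One mitigation for the flaw described above, as an added example that is not the vendor's code: the gate pins the validation origin, takes only the token from the scanned URL, and verifies the JWT signature itself instead of trusting an HTTP status. The host name, the `token` query parameter, the `paid` and `exp` claims and the HS256 key are assumptions of this sketch.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlsplit

PINNED_ORIGIN = ("https", "pay.parking.example")  # assumed validation host
GATE_KEY = b"constructed-demo-key"  # assumed HS256 key provisioned to the gate


def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_demo_token(claims, key=GATE_KEY):  # stands in for the payment backend
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"


def verify_token(token, key=GATE_KEY):
    try:
        head, body, sig = token.split(".")
        if json.loads(_b64d(head)).get("alg") != "HS256":
            return None  # refuse "none" and any unexpected algorithm
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):
            return None
        return json.loads(_b64d(body))
    except (ValueError, AttributeError):
        return None  # malformed base64, JSON or token structure


def gate_should_open(scanned_url, now):
    try:
        u = urlsplit(scanned_url)
    except ValueError:
        return False
    if (u.scheme, u.hostname) != PINNED_ORIGIN:
        return False  # a host chosen by the QR code is never contacted or trusted
    claims = verify_token(parse_qs(u.query).get("token", [""])[0])
    if not isinstance(claims, dict) or claims.get("paid") is not True:
        return False
    return claims.get("exp", 0) > now
```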

Conclusion

The scenarios described underline the need for rigorous security practices in automated systems, especially those intended for access control. The successful exploitation of vulnerabilities, from predictable sequences to authentication failures, highlights the importance of continuous security assessments and the development of robust systems against sophisticated attacks. It's imperative that the tech community treats the security of these systems with the same level of seriousness dedicated to web and mobile applications, ensuring the comprehensive protection of our environments.
