The wardriving tram and ‘hacking’ Myki machines

As an eagle-eyed observer of Melbourne’s Myki ticketing system, I have stumbled across many different error messages displayed on the Tram Driver Consoles located inside the cab of each of Melbourne’s trams. But this message is a new one…

Playing around with WiFi SSID (network names) on a Tram Driver Console

If you really squint, one of the lines on the display reads ‘myki was p0wned’. So how did it get there?

Background

The story starts on my tram home from work, when I noticed the Tram Driver Console in the rear cab was stuck in a reboot loop. The first screen was a simple ‘Launching application’ message on the standard Windows CE desktop.

Myki tram driver console stuck in a reboot loop

Next was a Myki splash screen, and the message ‘Install Manager Loading. Please Wait’.

Myki 'Melbourne Install Manager' starting up

After a moment the splash screen disappeared, leaving the console back at the Windows CE desktop, and a wireless network configuration dialog.

Tram Driver Console on a 'wardriving' mission, displaying the names of all nearby WiFi networks

And so the cycle repeated. As I continued on my trip home, I realised that the list of networks displayed onscreen changed, as the WiFi signals dropped in and out of range of the tram – it was on a wardriving mission!

A short distance down the tracks, and a new set of WiFi networks

I then realised I could have a little fun with the Myki screen, setting up my phone as a wireless hotspot with a smart alec SSID (network name), and waiting for the rebooting console to pick it up.

‘myki was p0wned’ was an obvious one.

Wireless network called 'myki was p0wned' displayed on a Tram Driver Console

Getting my name up there with ‘wongm was here’ was another.

Wireless network called 'wongm was here' displayed on a Tram Driver Console

And ‘Penis!’ appealed to the immature part of me.

Wireless network called 'penis!' displayed on a Tram Driver Console

I was the only one there to notice it, but it was a giggle while it lasted.

So how bad is this flaw?

For a start, the reboot loop I saw isn’t an everyday occurrence – this is the first time I’ve seen one just like it. The cause was hidden in an error message that flashed up when the ‘Melbourne Installation Manager’ program was starting up. After many attempts, I managed to snap a photo while it flashed up on screen for a fraction of a second.

The reason the Tram Driver Console was rebooting: an incorrect SD card was installed

If you can’t read it, the details are:

Configuring this device to the new SD card
An SD card from another device has been detected

The above suggests a few things:

  • The startup process for the Tram Driver Console goes: Boot screen > Windows CE desktop > Myki ‘Melbourne Installation Manager’ program
  • The device has an SD card slot so that software updates can be applied to the console.
  • The Myki software has some form of security check when reading from the SD card, ensuring that only data from authorised media is loaded.

From that, it seems that at least some security has been baked into the update process: the Tram Driver Console is locked up inside the cab, and even if someone gained physical access to the device and inserted an external storage device, the software won’t update itself from anything they give it – some form of validation is occurring.
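As an added example (not Myki’s code; how the real check works isn’t public), here is one way an update loader could bind SD card contents to a single device: a signed manifest whose device identifier must match the console, so media from another device is refused before any file is applied. The fleet key, device IDs and file names are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed example key. In a real fleet this would live in protected
# storage on the console itself, never on the removable SD card.
FLEET_KEY = b"constructed-fleet-update-key"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(device_id: str, files: dict) -> dict:
    """Create a manifest (constructed format) that binds an update to one device."""
    body = {
        "device_id": device_id,
        "files": {name: sha256(data) for name, data in files.items()},
    }
    encoded = json.dumps(body, sort_keys=True).encode()
    body["mac"] = hmac.new(FLEET_KEY, encoded, hashlib.sha256).hexdigest()
    return body


def check_update_media(manifest: dict, files: dict, this_device: str) -> str:
    """Return 'ok', or the reason the console must refuse the update media."""
    # 1. Authenticity first: an unsigned or altered manifest is never trusted.
    body = {k: v for k, v in manifest.items() if k != "mac"}
    encoded = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(FLEET_KEY, encoded, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("mac", "")):
        return "bad_signature"
    # 2. Device binding: the situation behind 'An SD card from another
    #    device has been detected'.
    if manifest["device_id"] != this_device:
        return "wrong_device"
    # 3. Integrity of each file the manifest vouches for.
    for name, digest in manifest["files"].items():
        if name not in files or sha256(files[name]) != digest:
            return "file_mismatch"
    return "ok"


if __name__ == "__main__":
    payload = {"install_manager.bin": b"constructed update payload"}
    manifest = build_manifest("TDC-0001", payload)
    print(check_update_media(manifest, payload, "TDC-0001"))  # ok
    print(check_update_media(manifest, payload, "TDC-0002"))  # wrong_device
```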

However, the device itself isn’t locked down enough to avoid showing the Windows CE desktop: once someone had physical access to the machine, it seems that loading and executing an arbitrary piece of software on the console might be possible before the ‘Melbourne Installation Manager’ program starts up. Tram driver playing solitaire anyone?

As for WiFi access being enabled – why is it even needed on a tram travelling the streets of Melbourne? The reason lies in the way Myki is architected: the card is the source of truth for all data, with the backend systems needing to be kept in sync on a regular basis. In the case of railway stations the list of online topups and blocked cards can be updated in real time via a hardwired network connection, but moving vehicles like trams need some other way.

Back in the early 2000s when Myki was being scoped, ubiquitous data connections through the 3G network were still new, so instead it was decided to install a WiFi connection covering each bus and tram depot, which the Myki devices automatically connect to when they head home each night. This intermittent connection also explains why Myki online topup doesn’t happen instantly – the request to topup your card needs to reach the reader on the tram before it can be applied.

Look out for hackers?

So is this a hack, or just a mere intellectual curiosity? Definitely the latter – every day millions of people turn on their WiFi enabled smartphones and laptops looking for wireless networks to connect to, and malicious wireless network names aren’t crashing their devices – using them to send passive-aggressive notes to neighbours seems to be as bad as it gets. If you did the same thing to a friend’s mobile phone you aren’t even a script kiddie, let alone a hacker.

Footnote

A search of the Common Vulnerabilities and Exposures database shows that broadcasting a maliciously named SSID over the air isn’t a common attack vector, and Microsoft TechNet also draws a blank.

Also, I spent a moment investigating the significance of the ‘CW981’ title of the wireless network dialog box. The first relevant hit on Google was a forum thread where someone was trying to get a wireless network card working – there ‘CW981’ is an internal code inside the Windows Registry. The device in question was a NETGEAR MA701 Wireless CF Card, which was designed for Windows CE devices. Possibly the Tram Driver Console uses one of these to access the wireless network?


10 Responses to “The wardriving tram and ‘hacking’ Myki machines”

  1. Julian Calaby says:

    I wonder if it’d be possible to hack the depot wireless network and do anything useful / interesting by imitating it. =)

    • Anon says:

      Even if you decided to “sniff” the air for floating packets you would not get enough data to retrieve the key for access. If you were able to obtain enough packets then the possibility of a PSK or static password would be rare.

      • Julian Calaby says:

        Just so you understand, there are four standards of encryption used for wireless networks at the moment:

        1. None – trivial to crack as no hacking is needed.

        2. WEP – historic, I’ve cracked networks with “enough” traffic in _minutes_, and it can be hacked in seconds. If I were to sit near to a depot and sniff traffic all day, it’s likely I’d have enough data within an hour. Particularly at a busy depot like, say, Malvern.

        3. WPAv1 PSK – significantly more secure than WEP, however I believe there’s a weakness if you are lucky enough to sniff the initial connection between the device (MyKi systems on the tram) and access point (depot systems) – something which would happen every time a tram came in. If I had my theoretical day of sniffing, I _may_ get enough data to potentially crack it, but I can’t say for certain.

        4. WPAv2 PSK – even more secure, even more difficult to crack, however it’s fairly new so I’d be surprised if they are using it.

        The only other wrinkle is that they may be using the “enterprise” encryption and key management standards in WPAv1 or WPAv2 which are harder again to crack.

        I’m not saying it’s going to be as easy as sitting on a tram for a few minutes sniffing the connection attempts of a boot-looping MyKi system, but _if_ their encryption is bad enough and _if_ one can find somewhere close enough to set up and _if_ it’s possible to imitate the access point, it _may_ be a potential attack vector against the in-tram MyKi equipment. And _if_ an attack is found, a suitably configured mobile phone would be all that’s needed to hack every tram on the network.

        Also, if any PTV / Yarra Trams / bus company / MyKi employees are reading this, go configure your routers so their antenna placement and power levels are such that they cannot be accessed outside the depots. No level of obfuscation or encryption is completely secure.

        • Marcus Wong says:

          Another thing to keep in mind is encryption at higher levels of the network stack – I’m guessing even if you gained access to the wireless network, the communication between the depot computers and the tram driver consoles would also be encrypted.

  2. enno says:

    Why weren’t you paid $1.5 billion for this outstanding work?

  3. Andrew says:

    Amazingly clever fun. You must have been quick. Are they really tram driver consoles? On Combino trams they are locked away in a metal box. Maybe because Combino trams have GPS and the older trams don’t? Regardless, I have not seen one working normally for a long time. Their performance seems to have no effect on the Myki readers.

  4. Anon says:

    Could possibly sit at the depot on the off chance of being able to sniff packets, however a setup this grand would possibly be using WLC and auto generated certs. If by chance you can get the key you can then replicate the SSID and password and inject your own data.
