As an eagle-eyed observer of Melbourne’s Myki ticketing system, I have stumbled across many different error messages displayed on the Tram Driver Consoles located inside the cab of each of Melbourne’s trams. But this message is a new one…
If you really squint, one of the lines on the display reads ‘myki was p0wned’. So how did it get there?
The story starts on my tram home from work, when I noticed the Tram Driver Console in the rear cab was stuck in a reboot loop. The first screen was a simple ‘Launching application’ message on the standard Windows CE desktop.
Next was a Myki splash screen, and the message ‘Install Manager Loading. Please Wait’.
After a moment the splash screen disappeared, leaving the console back at the Windows CE desktop, and a wireless network configuration dialog.
And so the cycle repeated. As I continued on my trip home, I realised that the list of networks displayed onscreen changed, as the WiFi signals dropped in and out of range of the tram – it was on a wardriving mission!
I then realised I could have a little fun with the Myki screen, setting up my phone as a wireless hotspot with a smart-alec SSID (network name), and waiting for the rebooting console to pick it up.
‘myki was p0wned’ was an obvious one.
Getting my name up there with ‘wongm was here’ was another.
And ‘Penis!’ appealed to the immature part of me.
I was the only one there to notice it, but it was a giggle while it lasted.
So how bad is this flaw?
For a start, the reboot loop I saw isn’t an everyday occurrence – this is the first time I’ve seen one just like it. The cause was hidden in an error message that flashed up when the ‘Melbourne Installation Manager’ program was starting up. After many attempts, I managed to snap a photo while it flashed up on screen for a fraction of a second.
If you can’t read it, the details are:
Configuring this device to the new SD card
An SD card from another device has been detected
The above suggests a few things:
- The startup process for the Tram Driver Console goes: Boot screen > Windows CE desktop > Myki ‘Melbourne Installation Manager’ program
- The device has an SD card slot so that software updates can be applied to the console.
- The Myki software has some form of security check when reading from the SD card, ensuring that only data from authorised media is loaded.
From that, it seems that at least some security has been baked into the update process: while the Tram Driver Console is locked up inside the cab, even if one gained physical access to the device in order to insert an external storage device, the software won’t update itself from anything you give it – some form of validation is occurring.
However, the device itself isn’t locked down enough to avoid showing the Windows CE desktop: once someone has physical access to the machine, it seems that loading and executing an arbitrary piece of software on the console might be possible before the ‘Melbourne Installation Manager’ program starts up. Tram driver playing solitaire, anyone?
As for WiFi access being enabled – why is it even needed on a tram travelling the streets of Melbourne? The reason lies in the way Myki is architected: the card is the source of truth of all data, with the backend systems needing to be kept in sync on a regular basis. In the case of railway stations the list of online topups and blocked cards can be updated in real time via a hardwired network connection, but moving vehicles like trams need some other way.
Back in the early 2000s when Myki was being scoped, ubiquitous data connections through the 3G network were still new, so instead it was decided to install a WiFi connection covering each bus and tram depot, which the Myki devices automatically connect to when they head home each night. This intermittent connection also explains why Myki online topup doesn’t happen instantly – the request to top up your card needs to reach the reader on the tram before it can be applied.
Look out for hackers?
So is this a hack, or just a mere intellectual curiosity? Definitely the latter – every day millions of people turn on their WiFi-enabled smartphones and laptops looking for wireless networks to connect to, and malicious wireless network names aren’t crashing their devices – using them to send passive-aggressive notes to neighbours seems to be as bad as it gets. If you did the same thing to a friend’s mobile phone you aren’t even a script kiddie, let alone a hacker.
Also, I spent a moment investigating the significance of the ‘CW981’ title of the wireless network dialog box. The first relevant hit on Google was a forum thread where someone was trying to get a wireless network card working – where the ‘CW981’ is an internal code inside the Windows Registry. The device in question was a NETGEAR MA701 Wireless CF Card, which was designed for Windows CE devices. Possibly the Tram Driver Console uses one of these to access the wireless network?