As an eagle-eyed observer of Melbourne’s Myki ticketing system, I have stumbled across many different error messages displayed on the Tram Driver Consoles located inside the cab of each of Melbourne’s trams. But this message is a new one…
If you really squint, one of the lines on the display reads ‘myki was p0wned’. So how did it get there?
Background
The story starts on my tram home from work, when I noticed the Tram Driver Console in the rear cab was stuck in a reboot loop. The first screen was a simple ‘Launching application’ message on the standard Windows CE desktop.
Next was a Myki splash screen, and the message ‘Install Manager Loading. Please Wait’.
After a moment the splash screen disappeared, leaving the console back at the Windows CE desktop, and a wireless network configuration dialog.
And so the cycle repeated. As I continued on my trip home, I realised that the list of networks displayed onscreen changed, as the WiFi signals dropped in and out of range of the tram – it was on a wardriving mission!
I then realised I could have a little fun with the Myki screen: set up my phone as a wireless hotspot with a smart alec SSID (network name), and wait for the rebooting console to pick it up.
‘myki was p0wned’ was an obvious one.
Getting my name up there with ‘wongm was here’ was another.
And ‘Penis!’ appealed to the immature part of me.
I was the only one there to notice it, but it was a giggle while it lasted.
So how bad is this flaw?
For a start, the reboot loop I saw isn’t an everyday occurrence – this is the first time I’ve seen one just like it. The cause was hidden in an error message that flashed up when the ‘Melbourne Installation Manager’ program was starting up. After many attempts, I managed to snap a photo while it flashed up on screen for a fraction of a second.
If you can’t read it, the details are:
Configuring this device to the new SD card
An SD card from another device has been detected
The above suggests a few things:
- The startup process for the Tram Driver Console goes: Boot screen > Windows CE desktop > Myki ‘Melbourne Installation Manager’ program
- The device has an SD card slot so that software updates can be carried out on the console.
- The Myki software has some form of security check when reading from the SD card, ensuring that only data from authorised media is loaded.
From that, it seems that at least some security has been baked into the update process: while the Tram Driver Console is locked up inside the cab, even if one gained physical access to the device in order to insert an external storage device, the software won’t update itself from anything you give it – some form of validation is occurring.
However, the device itself isn’t locked down enough to avoid showing the Windows CE desktop: once someone had physical access to the machine, it seems that loading and executing an arbitrary piece of software on the console might be possible before the ‘Melbourne Installation Manager’ program starts up. Tram driver playing solitaire anyone?
As for WiFi access being enabled – why is it even needed on a tram travelling the streets of Melbourne? The reason lies in the way Myki is architected: the card is the source of truth for all data, with the backend systems needing to be kept in sync on a regular basis. In the case of railway stations the list of online topups and blocked cards can be updated in real time via a hardwired network connection, but moving vehicles like trams need some other way.
Back in the early 2000s when Myki was being scoped, ubiquitous data connections through the 3G network were still new, so instead it was decided to install a WiFi connection covering each bus and tram depot, which the Myki devices automatically connect to when they head home each night. This intermittent connection also explains why Myki online topup doesn’t happen instantly – the request to topup your card needs to reach the reader on the tram before it can be applied.
Look out for hackers?
So is this a hack, or just a mere intellectual curiosity? Definitely the latter – every day millions of people turn on their WiFi enabled smartphones and laptops looking for wireless networks to connect to, and malicious wireless network names aren’t crashing their devices – using them to send passive-aggressive notes to neighbours seems to be as bad as it gets. If you did the same thing to a friend’s mobile phone you aren’t even a script kiddie, let alone a hacker.
Footnote
A search of the Common Vulnerabilities and Exposures database shows that broadcasting a maliciously named SSID over the air isn’t a common attack vector, and Microsoft TechNet also draws a blank.
Also, I spent a moment investigating the significance of the ‘CW981’ title of the wireless network dialog box. The first relevant hit on Google was a forum thread where someone was trying to get a wireless network card working – where the ‘CW981’ is an internal code inside the Windows Registry. The device in question was a NETGEAR MA701 Wireless CF Card, which was designed for Windows CE devices. Possibly the Tram Driver Console uses one of these to access the wireless network?
I wonder if it’d be possible to hack the depot wireless network and do anything useful / interesting by imitating it. =)
Even if you decided to “sniff” the air for floating packets you would not get enough data to retrieve the key for access. If you were able to obtain enough packets then the possibility of a PSK or static password would be rare.
Just so you understand, there’s four standards of encryption used for wireless networks at the moment:
1. None – trivial to crack as no hacking is needed.
2. WEP – historic, I’ve cracked networks with “enough” traffic in _minutes_, and it can be hacked in seconds. If I were to sit near to a depot and sniff traffic all day, it’s likely I’d have enough data within an hour. Particularly at a busy depot like, say, Malvern.
3. WPAv1 PSK – significantly more secure than WEP, however I believe there’s a weakness if you are lucky enough to sniff the initial connection between the device (MyKi systems on the tram) and access point (depot systems) – something which would happen every time a tram came in. If I had my theoretical day of sniffing, I _may_ get enough data to potentially crack it, but I can’t say for certain.
4. WPAv2 PSK – even more secure, even more difficult to crack, however it’s fairly new so I’d be surprised if they are using it.
The only other wrinkle is that they may be using the “enterprise” encryption and key management standards in WPAv1 or WPAv2 which are harder again to crack.
I’m not saying it’s going to be as easy as sitting on a tram for a few minutes sniffing the connection attempts of a boot-looping MyKi system, but _if_ their encryption is bad enough and _if_ one can find somewhere close enough to set up and _if_ it’s possible to imitate the access point, it _may_ be a potential attack vector against the in-tram MyKi equipment. And _if_ an attack is found, a suitably configured mobile phone would be all that’s needed to hack every tram on the network.
Also, if any PTV / Yarra Trams / bus company / MyKi employees are reading this, go configure your routers so their antenna placement and power levels are such that they cannot be accessed outside the depots. No level of obfuscation or encryption is completely secure.
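As an added example (not code from the post or from the Myki system), here is the kind of client-side check the comment above argues for: the tram-side client only auto-joins the depot network when the depot SSID is broadcast by a known BSSID using WPA2, and any SSID it logs or displays is escaped first. The SSID, BSSIDs, security labels and scan results are constructed for illustration.

```python
# Added example: defender-side evaluation of WiFi scan results before a
# vehicle-side client auto-joins. All policy values and scan data below are
# constructed; they are not Myki's real SSIDs or hardware addresses.
import re
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class ScanResult:
    ssid: bytes      # raw SSID bytes (0-32 octets), not guaranteed printable
    bssid: str       # access point MAC address
    security: str    # "open", "wep", "wpa1-psk", "wpa2-psk", "wpa2-enterprise"

# Hypothetical depot policy: the SSID the consoles expect, the BSSIDs of the
# APs actually installed at the depot, and the security modes accepted.
DEPOT_POLICY = {
    "ssid": b"DEPOT-MYKI",
    "known_bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "allowed_security": {"wpa2-psk", "wpa2-enterprise"},
}

PRINTABLE = re.compile(rb"^[\x20-\x7e]{1,32}$")

def display_name(ssid: bytes) -> str:
    """Render an untrusted SSID for a log or console: escape anything non-printable."""
    if PRINTABLE.match(ssid):
        return ssid.decode("ascii")
    return "<unprintable:" + ssid.hex() + ">"

def evaluate(result: ScanResult, policy=DEPOT_POLICY) -> Tuple[bool, str]:
    """Return (join_ok, reason). Only a known depot AP with strong security is joinable."""
    if result.ssid != policy["ssid"]:
        return False, "not the depot network"
    if result.bssid.lower() not in policy["known_bssids"]:
        return False, "depot SSID from an unknown BSSID (possible impersonation)"
    if result.security not in policy["allowed_security"]:
        return False, "depot AP using weak security: " + result.security
    return True, "known depot AP"

# Constructed scan: one genuine depot AP, one look-alike, one misconfigured AP,
# a hotspot with a cheeky name, and an SSID carrying a terminal escape sequence.
SCAN = [
    ScanResult(b"DEPOT-MYKI", "00:11:22:33:44:01", "wpa2-psk"),
    ScanResult(b"DEPOT-MYKI", "DE:AD:BE:EF:00:01", "wpa2-psk"),
    ScanResult(b"DEPOT-MYKI", "00:11:22:33:44:02", "wep"),
    ScanResult(b"myki was p0wned", "aa:bb:cc:dd:ee:ff", "open"),
    ScanResult(b"\x1b[2Jx", "aa:bb:cc:dd:ee:01", "open"),
]

def triage(scan: List[ScanResult]) -> List[Tuple[str, bool, str]]:
    """Safe display name plus join decision for every network seen."""
    return [(display_name(r.ssid), *evaluate(r)) for r in scan]
```

Running `triage(SCAN)` yields exactly one joinable entry; the look-alike is rejected on BSSID, the WEP AP on security, and the escape-sequence SSID is shown as a hex placeholder rather than passed through to the display.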
Another thing to keep in mind is encryption at higher levels of the network stack – I’m guessing even if you gained access to the wireless network, the communication between the depot computers and the tram driver consoles would also be encrypted.
True, but sometimes knowing what it’s looking for is all you need.
Why weren’t you paid $1.5 billion for this outstanding work?
Amazingly clever fun. You must have been quick. Are they really tram driver consoles? On Combino trams they are locked away in a metal box. Maybe because Combino trams have GPS and the older trams don’t? Regardless, I have not seen one working normally for a long time. Their performance seems to have no effect on the Myki readers.
Yes, the consoles are intended to be used by tram drivers. The problem was that in the Myki rollout, there was already a console for the Metcard system, so the new gear was put into a ‘headless’ mode where the driver doesn’t need to touch it, and hopefully the fare zones get worked out correctly:
http://www.danielbowen.com/2011/12/20/mykis-headless-mode-pic/
Could possibly sit at the depot on the off chance of being able to sniff packets, however a setup this grand would possibly be using WLC and auto-generated certs. If by chance you can get the key you can then replicate the SSID and password and inject your own data.