Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Passenger Hacks NYC Taxi Computer System



 By: Renee Boucher Ferguson
2007-12-28
Article Rating:starstarstarstarstar / 3


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
The problem is more significant than GPS objections, according to the software engineer who hacked the system.

The New York City Taxi and Limousine Commission's technology enhancement plan that puts GPS systems, credit card scanners and monitors in the city's 13,000-plus taxis has come under fire again—this time from a passenger who hacked the computer monitor and gained access to its operating system.

On Dec. 1 software engineer Billy Chasen posted a walk-through on his personal blog '[An Error Occurred While Processing This Directive].com' of how he hacked into a computer screen mounted on the back seat of a cab he hailed on New York's Upper West Side. The story was initially reported Dec. 26 on WNBC.com, a local news station.

The screens, part of TLC's technology initiative to update taxis, are used to help passengers map their route in a cab and as an entertainment portal as well, with segments broadcasting news, weather and advertisements. Customers also use the screens, along with a credit card reader, to pay for their fares.

Resource Library:
Rather than catch a bit of Entertainment Tonight, Chasen found a different purpose for his monitor.

"When I got in a cab last night I was greeted with [an] error message," wrote Chasen. "I've seen error messages in airports, on billboards…however this was the first public error message that I could interact with."

Using his cell phone camera Chasen documented how he was able to open Internet Explorer using the touch-sensitive screen. He was then able to use a Sprint card listed on the monitor to get a dial-up connection giving him full administrative access to the monitor's operating system.

"It was not only a security flaw, but people also pay with the screen if they use a credit card," wrote Chasen. "That information could potentially be stored locally."

Chasen said his ability to access the operating system posed a much greater threat than the problem of being tracked by GPS. In September, the New York Taxi Workers Alliance, a group representing about 10,000 New York City taxi drivers, held a two-day strike to oppose TCS' mandated technology system implementation that includes GPS, the card reader and the touch screen. While the strike didn't stop the systems from being installed in New York taxis, security threats potentially could stop the systems from being used to pay cab fares.

"You're essentially giving strangers access to a computer that is shared with hundreds of customers," wrote Chasen on his blog. "I also could have installed any software I wanted, assuming I had it online."

Allan Fromberg, deputy commissioner for public affairs at TLC, said that the only thing Chasen (and the two WNBC reporters who also encountered an error message after reporting Chasen's story) could have accessed was a couple of media files. "So the only thing they could have done with this is replay a couple media spots," said Fromberg.

The reason Chasen was able to access the computer's backend system at all is because the computer in his cab was one of two prototype systems still on the road. The cabs—and the prototype system from Veriphone—were pulled off the road the next day, according to Fromberg.

"This guy got into the cab Nov. 30 and the cabs were off the road by Dec. 1," he said.

Fromberg also said that none of the credit card data input by customers to pay cab fares is stored in the system and that no one had access to it.

"There are extensive contract-required security protocols in place, which have exceeded government and credit card industry standards and have been stringently tested by internal and external security experts, which fully prevent access to anything other than media content residing in the taxicab itself," said Fromberg in an e-mail to eWEEK. "There is no potential for any malicious activity."

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.



  Reader Comments: Passenger Hacks NYC Taxi Computer System
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Renee Boucher Ferguson
 


x}r6*(gL]H)ٖmؖҌwRJEĘ"$e[ٗl8x -2qO-`h F;?;;~$rhiɅc,Jv1;D;;}!ІP|oS/92t>;|9|@vD%j'A`NƮlN1ecsdp,mg5h{=D@~5;s6r!&>֥qɏ@|2ַ(>r@ߨV:ALéM}!*{OJJ%h!GQus͟|adw^x/40vK]K跀SѠ*v25vn/@Z#\DȁBni=3d9c';{$-XdUHeCc`Ww,ǃɩT* TkQ3#mjZ35k-3GؾQ̀A3E5L_C?)$fҀ8#/׌<{eAuӱaGGe_5#o83heynr^)AZԕRYr7mù-Ӟ=7;ӟoF/s R]vήr$Qwٷܖ״BP]w{ݓ>~nr  m$&W jDTV+b`$" P}bCG${/@B oVQz^,(BQArIja>E4b‰EU:a}?M-~k~>AF,sAV  CTYFHwNբsyܽ鑓59n{H _GtH  Wh: -Nկ7#?aj;dP[w8LwZ\H ?w_d[W;G$'MHgs`HlDiYܾ̑\yka(7F`XӀ7? iP2-L9X@.@ש#07oZy۬ Rƒ) 4K3;j\K}0[#RFp &JpJq䰉cYSl \捇 JiOd$e ,}($mQq:]V$y3DDȝ g/3/r.i"}h8yWҽTws [t28;OesJVd];3E֏FZRpx=n[Ocһ^N۠xXaZ`A). 8G]67 J=6} 5KUG'-dj`qaeBݠ#mfyw~ӁNӦI|J s6m 5N< YC!ʠڴb{\gf4!>F&-`;^h>[W xFvGשc ݜ6,'>!͵B3{BOL\naDP$W:ϧHږiȇroBo*څP!_.dI_fMblȌu>I!VB17OH wz@neHݤ|ree*{ +)djz#J͸^`3h{q#%Ag =e河xOtYKnuo?յ݋pz9(KӺJj'/H#oh m_EڠueLGy K-C IP֦(X+ezdxy62&C 7q(=  XjA.Rw˟@-tX\P Xj|-[Y`B^eܠQ3$X3Q[ ҆lxku9.`Cϱ s=#7-`ر; m0T#}0 ;qJkX$lZS{)u&\$2.|N +e@m\:|Ꚛ8/- {'uaWlIss4FuM8@m"}~`INR} ȴ^oZu?4wҵj1SQ_)+EUQ?O~2;2.eX k9g#OfY$ Ei.20Y(peLZjAB;>J?C4By^ ipw\pRk ܛy`dEN\Cx.+pD昜QM__#)ʅ:(Cyl*S,H-qRCY= w7RPU[K[3^V< OQ#lzCx &`QtEa:JiYT>RRjELRG ?cqe@Y@zSb_@7TZUʚu"X썿KCbRD i^{p cf;'w ,Ԟm$R*CĮ01^*==@7_ -cMӣe;4 cIۛgoj2-rfF釛L+s0j(Yk|[` rfVɍ66霎0 M<'\-ʉ`L4Ω,2 خCg^a+o>e6e'Ww}^FpA J}3W> ۠|m,Ln1ya%[Rx` fΔ|lh Q} 2!` ~o'U@΁MOT*E0=kB9~ HÞ1|M}Yy>u#i lmSU/(ϣ DʌY%/Q U-q'.҂^ߵKST1 Vv}b;?/$RQr+ր΀4OxZT+EZz,*5r "RrM5Y;4Ћ­7.vݏG>+*~%եGQu|b*ŪZV< +8r=.!n?mVVW`j-^2۹a n.E[ 4˷ʨK^͖K%4e3/ -9@X<y}bhaL%Q;o]Ah1semfaI3N9`{IO$# J3dVV *+ԤBVڳ$t`1۳<0%{q2LLi;JRP^;_ 1 0`!`0T=={H"P?lV(b vA *s>P|o =$('? aV*7~.RHC$ |B͸ D;}ZXa&# 9914/x{qiwozP)@/I6C.:;l~G]ItMOO}ҽK'};o"$rEs)}=^xsٖW's5BDH>KrBVë=Guxi)qm2YG42zqKiWPà@ c^9`B4B _k-?N3$n]?X;Z9ºUXHE`|](Wktz}E9{B*q]DG2sy6^SF(+bK)"$DY \egu_f~ bt4zUt":Po)J!~_!c&o8~ PhLVb:ntL{dNlp lwz`ycrfF4-K/pǻ"Ts(fLLàvD)fTDxi'y0:Fs8쀒N)ӻ7lOڢ-]kցS9X)L iux2Ƞ3%dBfye5)a5C@YeI~(i'1ۡX#ҡԛ].7G8 (OLkrisy/Psquyx42i(5~u*AB|$Hyn1ÔJg+BRZ-Vyʏhq9z])LU'gy/wuϏzUbݩm3D91uv;2x;zZ1 ݞpne9?jw`{tO4dkwX /gNyVwN{},dk.}?H+I턟is!OKvdLc!I ɫj!_VP**s攤˞vȔWN Hƣb`@Ɍ7COҁ{&-3(l#{zi-9_3{KwK}U<㛟5o2ne~WJ]݅icE)]s"ǵ"vދK*qɧyuZГGm֗Bݽ]޿vVȿ5LĬhgdO1\j[ci2/> ZACVrl8Grs&cx2HB%6÷Fp7*gcc3/F#%g&yȱm @|Րp/h1i`jcZ/p8|#؈f/'Ɏ?7e{cA|3 egcR_So_Lo,)Bsдg=.00yS/7rK[⹋^]l؍o%n!өi*2-]N_#Oh\WGͧsM5.nED?GI-`)qT?s %mp;|Ŋ$}3I_o拂!w.GTU&W)zYn} ,a"E"`_:r,`]>6?yeJ1~xdew;!_y I4{3]ǀcD'[^͗"XlN=<3 e~Kh XV~M`k,_Vo ˳A'tF_#{*#GA_m7ɺke]݃E5br ^{ j\W&br0`jr'fISOxƐ)݄_$'۞R kM,; zj`O !6)YM&A޵qFbye"jHDS('PkxeDG "aayGI 0O Ŷ(GOxǃ_VcU̻w`W%&j2s,}sSJ,P1EΠM xB@Y27psÊOҦS|Ur$q`,a2-u1 ͢/GB(c:g,vi؉Ih>'P`uS ,#K/+ rR޲`Cm˘uMˣz jo: $}>%8?]6V`v7zXo޿{cZ+@a{/拀ِJ_'XX:rQ{y\`4F3Kuy$ ވ]-adS$Gx[P h➀_ݐ_ImJViL@jEvhqb S6q!"A$1DrO#랆z{xyC{1TI=.-5B%{[ quOc'>cJOWhg"b6+kzGǩ MH7#a y6!F%uxy (iQ77!%d8U886}^v.M{bfoN!L܋(Ao^^Q n{CR{yױ^KN)4h X<3?!gϤ/S^hvAB$OD\mB{14-Pٓ1|&uh3ZV팎ZBSs}B}Ib{_r)&9V=(~TSvs?#HVڮh"-s1SEpvկ&3NgXC7ZjP~D1FmzIoN^[!A|moԲt}{d0h+ꠑ 4 rOEэjGG0'3ꏔ="){s7vUt|LYڰRjf҅vK J:tP8PB Pfh0шon ^taI,`okT7dE׍"%3yHtc?~?p8„_=溒[a3=Cǁq/9t3x#C70fx#HX τ35w6my |;=`ک e'Ga@H+(cWWk2.7:fYȕfo KxW ȿ2U8rO|k gvKDLӽ6W3B(uAmc+$;6L$Ij~(lB![o?6oaa(Jֈ_4ׅ dU .d#{tѥyJY.9V~!%&w>Ӓ7-؃[y{©Yj|ubM6$4F87 \)c2Jf7Lh` n6;1/'KǠ{ tػ;4)P'l>k~*~^_g~poqv0|WeY?Ȁ{>8=0͠%6Y~gjw OQ4.[G!,T=prGl7u4.NdãEF}O+tހ7 ӦgZP%\k66m/8HC gMAc+up 06$,S#=b)G)5E[Ls4qSu&n[y D#? KD)`G%C~0x,^w›OA&r副=i" ;rG@M!vt&!xwwqwē{.~GDzEZ3ʑmOѵwxTU#B7oR.qHj|51 ;>d7 8QY=ˢ;5]DNtQ"vnPVôL`',&Jjid7}$FjtyϹgDh Gꨶfa&^ 0ka *"B}@ O^a)qc) +px ΃L,TVn$?؎7լy96ǜMEfQiT9^[*uu5b?=G/ttAj-biA.c2·u5WpkLxAtP:qU3HuPnEkUP*$h޹HQ5:4kN󼦘hC~?Vz^3XZk]X;Xif{yBE ~K-y홆P"ͪND`hi*_| >>.Ht])p?DvtkiL٦ƗRµ3Iʥ rQ D#'&E"#Mjj~ EV*7tCy^ iwqݗǎ JP+`{Tds[9{̑;5r] x4sNĜI\ Ou$ζy)BXF(hAl9 sX Xo7Zzehҵτx%}X{{n/1~݈۫k6G&˸>0)9Sf;6drj3>ѽ0OyX^O\1Ȕ2븀Wlfm>ڲVm4Jz (ӘALM@99l6=a?DsnjxG,%K,9RG6ވb(tM5ut1XjMh%Mfik8ٺ4xLyLY23N+PSC7,6M$AeЃ5T?0Bм' )V 5eAb+ZAkb^}=ҁc+qܖ.4b-{By}  ')<{]СJuO-ߓ5q48<}|m@1"6r?"I|>_zI}`nOKZClx Dx9Sۈ( 3[3_N[T#+?,P Y G3wȣ4ϓ,19fG=*cD-t]\P"@H>S|??&~e KHb9u~[gVK) &X`k,2E<ezY<6uwe~rt:5KqnldaQ({b:+M 5|%nNKM ᑊR$!%H$bcx=9`6B2_7=}mp?݉2{xbRSJ9|5"weX &zi}kwy |WfE#{8~BOr%-rEuV0`A#'rdhhz߃;G| LBz،Pfr5[WW_IuMz{Gם~{I<)m[8Z?V99^}9\;\#yj5dd,7/ vg(P\.NQʩ`Q{̥,% yw"nzllŵ6N#g5^L%G!u>Ԣz p@QxmЇFQc Óba>oIk&5+:r<(3_2ʯz}Q (QޅnF9Rz}1ฝQ~GO?'9fZ_~5:;ǹf8g:NF?r͏/Pe}9?πڮy1?0_,ߋ ^~.2sE}^}^d'e/?C3(?(-/2ʿ?s w1]7]? ͐/W@Wq_e sA?=/c=/c}~X_ S}}Y0 (*ɠh& K:ICP.Np3˹a+ /ޯ?e$@yJ͠ ,c2\) Kܿ2~62A\u aqʍz=Lk[M2}ח c|U(X2M*9>#(^>&c˼$=)>w懤Ixո]@&JR7[O'ikr(s<2g!h{dc3,D5 QUޜb>赏>]w_kҾlZmОMEACeGӠS7US !Pi7Ejn2h s!螁  7\xќ8wƎ3 P3ebIP ZjZVr%׈d$#"2tfD-Ȫ"+5W9 طPQR`"! *s>P`24UJ` (91C=b{hǬ[ɖb(wp E#Уco𶍆}˘z͛YȌ*ݢȗᄽNگJ!ā` }pTB Psgq =q YIzoLߟQ1x }@Æ^Ėٵv"n,4wz:e:@4ǭaƹr2@8[h xq)gL=[Lot_=F.475 \=rp*WYŲn#Ã6C6Df-Nؒ1"$Q#bU[l;$}S F(s>tax~p[t䅕4w[~oD"0~.6%Ťe @ NS{-LHZ~vܸt[f\ "!Y9]Y՘Oi3 &`T8;>/޺}hd1Gk+CɘPx*8]v5$$}9= zLᝲZoTù($tPYzt<&рZx DN焽HaCm+F2}jQwh}v:WX3ܪND«E/=׆"cX =#1P YY/5ptѷkd9HR=I*4UMf΢ِ;j9.K`RJz+L9(ن[v 'R,`+/2^;' Q+π 8H2Gd!᳤c"=("Ntx9=|>n[zQؗE@1agG;4RV K7 /X)un'|oW|F,[KS\6LDR}B0~N:mjV0)tvwbNkOe]ƔaYxu~=)O?'[nG\k<>ciESL/c<9z@n0$ /-iË%:Ɛ9-)0p,\ftO6A|eKoz7k;(NAERb0yMvSFc ?dtE#bSp!@>PE62R8WD Q)۱YBAł?Vg;q)jE 8BU(];#66s/>^|˼+AўYn0w6L/w5ov/-9JRX}P/(:OOgsZ %F_Hʶ›*q}X^c 0,*08utvKѪ v7"!a^n1n%/ـ&@s=V*.v利6r!*l XCڢZ-Qa[8~nb=xh]g¶,1rKȁnaTxq;s[__38V0|6,lp/>cwϏp`2uozO6pA&}+\ȏ,,L[Z']Z!hXrE"ҁ )Q~9'mfK#fY1[Rj8gn~ӧ4pRaL $b[иr,SsϢy9r93E~ZWB:U9s, j׺W6xozc|>[zwD,5bb:(G-zk|XKc&&ı`=br8Lte4QS|oe1}p1LX+0_kAsDeU|tCGYEL`&;]+N%t&vж?fTH0H6c?tf @ýō]^c"a7<#/ah(`ybSSQ2JѬd;j _yfϸȅ^`\YG7^y{b~g!'˾tҺ!3 *`g/>!2D!6xv{޽[^z:xzty,-9EKB^ D>Vu|ܹN~늘P%On6%c\ɜKBS+$X/WiQm*' Cfʱ wm<lx61͝\,