The New York City Taxi and Limousine Commission’s technology enhancement plan that puts GPS systems, credit card scanners and monitors in the city’s 13,000-plus taxis has come under fire again—this time from a passenger who hacked the computer monitor and gained access to its operating system.
On Dec. 1 software engineer Billy Chasen posted a walk-through on his personal blog of how he hacked into a computer screen mounted on the back seat of a cab he hailed on New York’s Upper West Side. The story was initially reported Dec. 26 on WNBC.com, a local news station.
The screens, part of TLC’s technology initiative to update taxis, are used to help passengers map their route in a cab and as an entertainment portal as well, with segments broadcasting news, weather and advertisements. Customers also use the screens, along with a credit card reader, to pay for their fares.
Rather than catch a bit of Entertainment Tonight, Chasen found a different purpose for his monitor.
“When I got in a cab last night I was greeted with [an] error message,” wrote Chasen. “I’ve seen error messages in airports, on billboards…however this was the first public error message that I could interact with.”
Using his cell phone camera, Chasen documented how he was able to open Internet Explorer using the touch-sensitive screen. He was then able to use a Sprint card listed on the monitor to get a dial-up connection, giving him full administrative access to the monitor’s operating system.
“It was not only a security flaw, but people also pay with the screen if they use a credit card,” wrote Chasen. “That information could potentially be stored locally.”
Chasen said his ability to access the operating system posed a much greater threat than the problem of being tracked by GPS. In September, the New York Taxi Workers Alliance, a group representing about 10,000 New York City taxi drivers, held a two-day strike to oppose TLC’s mandated technology system implementation that includes GPS, the card reader and the touch screen. While the strike didn’t stop the systems from being installed in New York taxis, security threats potentially could stop the systems from being used to pay cab fares.
“You’re essentially giving strangers access to a computer that is shared with hundreds of customers,” wrote Chasen on his blog. “I also could have installed any software I wanted, assuming I had it online.”
Allan Fromberg, deputy commissioner for public affairs at TLC, said that the only thing Chasen (and the two WNBC reporters who also encountered an error message after reporting Chasen’s story) could have accessed was a couple of media files. “So the only thing they could have done with this is replay a couple media spots,” said Fromberg.
Chasen was able to access the computer’s back-end system at all because the computer in his cab was one of two prototype systems still on the road. The cabs—and the prototype system from VeriFone—were pulled off the road the next day, according to Fromberg.
“This guy got into the cab Nov. 30 and the cabs were off the road by Dec. 1,” he said.
Fromberg also said that none of the credit card data input by customers to pay cab fares is stored in the system and that no one had access to it.
“There are extensive contract-required security protocols in place, which have exceeded government and credit card industry standards and have been stringently tested by internal and external security experts, which fully prevent access to anything other than media content residing in the taxicab itself,” said Fromberg in an e-mail to eWEEK. “There is no potential for any malicious activity.”