Def Con: How to Hack All the Transport Networks of a Country
“I did not do it! I just downloaded a torrent I found when I was looking for porn,” stated 24-year-old Alberto García Illera at the beginning of his Def Con presentation called “How to hack all the transport networks of a country.” His talk mixed humor, knowledge, social engineering and hacking as he made it look amazingly easy to pwn all the transport networks. Illera referenced “Anatomy of a subway hack,” a talk from Def Con 16 which scared enough people in power that a judge barred the MIT students from giving the presentation.
The first target was a subway station in Spain that has lots of “try me” touch-surface machines for searching for the fastest route or for tourist information. While this machine started off being “stupid” and “harmless,” as it would not allow users to download material from the Internet, Illera said that trying to “print” opened a Windows dialogue box that showed files and allowed drag and drop to reach the command prompt and then connect to FTP. After taking control of this machine, they could see the router, which was secured only by the default password.
Eventually, Illera was able to replicate the cheapest monthly rate subway tickets with a magnetic strip and barcode. He showed a subway pass for a 65-year-old that happened to say HACKER. Because young people don’t look much like the elderly, a guard noticed and busted someone, so they improved the ticket by cutting out a magnetic strip and pasting it in a regular ticket; no more jumping turnstiles. The ticket worked for subway, buses and some trains.
The transportation staff wears an RFID badge necklace to access trains and subways. Using social engineering to get close to staff under the guise of needing help, as well as an RFID tag reader concealed in a cigarette box, Illera was able to capture, hack, clone and then own an RFID keychain that meant all rides were now free.
Illera emphasized again that he did not do this; instead he maintained he found a nameless torrent and flashed images of the potential torrent people whose pictures looked a bit like Brad Pitt and Homer Simpson. Illera said that at any time during his presentation of hacking all transport networks “If I say ‘me,’ it’s because it’s so personal to me.” He was very funny.
The next target was the transportation network security camera system. After various steps against the wireless access points, which included antennas, scanning, air-cracking, Wireshark, and MITM attacks, Illera got an invalid certificate and then, finally, a Siemens login. This means SCADA and critical infrastructure that can be instantly controlled and operated over the Internet.
Last but certainly not least, Illera found another public transportation touchscreen machine meant to print or to pay for train tickets. After several steps, which included crashing Internet Explorer on a Windows XP machine, it was time again “to look for juicy apps and files.” And indeed he found them in the form of credit card numbers stored without encryption. The big picture was that he could get all the credit card numbers of all the customers in the entire country who had ever paid for transportation . . . all stored in plain text files.
Illera made hacking all the transport networks of a country look amazingly easy and frighteningly insecure. He said he won't release the slides until all the issues are corrected.