Your bus is pwned

A warning for bus wireless users: Bus Nerd suspects a hacker.

This morning I was on the 545 (coach 9549) that left Montlake around 9:30 (yes, thanks to the 48 I was running late). When I tried to connect my laptop to the coach’s wireless Internet connection, I saw an unsecured network, identified as “bus_pwnage,” in the wireless network list.

Translation of “pwn” from hacker-speak (leet-speak) is “own,” the concept of “owning” a victim’s laptop, web site, etc. by hacking it. The bus has likely been pwned by some hacker (h4x0r). [This means that] a connected user might try to visit, but the compromised bus could redirect her to a hacker site that hands control of the machine to the attacker.

Note that a suggestive network identifier is not definitive proof of breached security, but a hack is the simplest explanation for what I observed. Other supporting evidence: The signal strength for “bus_pwnage” was a constant 100% the entire ride, meaning the originator was travelling with the coach, consistent with the normal bus wireless scenario.

Bus Nerd’s visual aid

How could this happen? Presumably some bus rider with a laptop + skills + nothing better to do exploited a vulnerability in the access point that ST uses to provide wireless Internet access on the bus. The attacker gains control of the access point and, among many resulting powers, she could change the name of the network from something like “Sound Transit” to “bus_pwnage” to announce to the world (well, maybe just the passengers) her defeat of the oppressive regime of Sound Transit. Such a feat isn’t that hard since IT security professionals consider unsecured wireless networks (the kinds found in cafés and yes, public busses) to be as safe as Clay Bennett at Seattle Center. [You had to go there?]

If this was indeed a hack, is the vulnerability limited to just this vehicle? That’s better than a fleet of vulnerable coaches. I let the driver know what I saw, and he seemed hep to the danger and indicated he’d take some (unspecified) action.

As for the alleged bus hacker, will she/he be satisfied with coach 9549, or will she tag every ST wireless-enabled bus? Is this a vanity vandalism ploy, or a real threat to bus riders’ computer security? And think of the pandemonium that would ensue if hacked wireless were the jumping-off point to taking over a coach’s external route display – 43’s that advertised themselves as 48’s and other such tricks would be the bus apocalypse.

My guess is it’s just vandalism (for now). I like bus wireless, so I hope ST can demonstrate that my incident was actually benign or let us know they’ve taken steps to prevent intrusions. Until then, bus web-surfers must watch for sharks…

I don’t know, I’m kind of digging the idea of changing (and not just the numbers on the front) some of those ubiquitous 43s to 48s.

Good lookin’ out, Bus Nerd.