
Hacking a NYC taxi screen

UPDATE:
I did an interview for NBC about the potential hacking. Watch the video here or read their article about it.

Taxis have started installing screens in the back seats of cabs that display a map of your cab ride, some basic TV, Zagat, and of course, advertisements.

There’s not much you can do with the screen besides that. They also caused a bit of controversy among the cab community, resulting in a few strikes because of the GPS tracking.

When I got in a cab last night I was greeted with the error message to the left.

I’ve seen error messages in airports and on billboards, and here is the world’s largest error message. However, this was the first public error message that I could interact with.


After going through a few Windows prompts, I was able to get Internet Explorer open. There was no internet connection, so I started the connection wizard.

There was a Sprint card listed as a dial-up connection. I chose it and got a live internet connection on the cab screen. The only problem was no keyboard, but I was still able to navigate around a bit. Below is me on Adobe’s site.

I also went to File -> Open, which is a good way to browse a locked computer. From there, I had full administrative access to everything on the PC. It was not only a security flaw, but people also pay with the screen if they use a credit card. That information could potentially be stored locally.

What I did was a much bigger problem than GPS tracking. You’re essentially giving strangers access to a computer that is shared with hundreds of customers.

It also isn’t far-fetched for anyone to do what I did. It was pretty simple.

You could even get around a keyboard by copying and pasting text. Both of those functions can be controlled through menus. I also could have installed any software I wanted, assuming I had it online.
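The gaps described above (an administrator session, Windows UI reachable behind the kiosk application, and File -> Open exposing the file system) can be checked from the kiosk session itself. The following is an added example, not code from this post or from the kiosk vendor; the choice of policy values to inspect is this example's assumption about what a locked-down kiosk account should enforce.

```powershell
# Added example: audit the current Windows session for the kiosk gaps in the post.
function Test-KioskHardening {
    $findings = @()

    # 1. The passenger-facing session should not hold administrator rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    if ($principal.IsInRole($adminRole)) {
        $findings += "Session '$($identity.Name)' runs with administrator rights"
    }

    # 2. If the logon shell is still explorer.exe, a crashed kiosk application
    #    leaves ordinary Windows dialogs and the desktop behind it.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -match 'explorer\.exe') {
        $findings += "Winlogon shell is '$shell', not a dedicated kiosk application"
    }

    # 3. Per-user policies that close the File -> Open route to the file system.
    #    The selection is this example's assumption; a missing value or 0 is
    #    treated as "not enforced".
    $explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $ie       = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions'
    $policies = @(
        @{ Path = $explorer; Name = 'NoViewOnDrive'; Gap = 'drives can be opened from file dialogs' },
        @{ Path = $explorer; Name = 'NoDrives';      Gap = 'drives are listed in file dialogs' },
        @{ Path = $explorer; Name = 'NoRun';         Gap = 'Run dialog is available' },
        @{ Path = $ie;       Name = 'NoFileOpen';    Gap = 'Internet Explorer File -> Open is available' }
    )
    foreach ($p in $policies) {
        $item  = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($p.Name) } else { 0 }
        if (-not $value) {
            $findings += "$($p.Name) not enforced: $($p.Gap)"
        }
    }
    return $findings
}

# Run inside the kiosk account's own session, since the HKCU checks are per user.
$result = @(Test-KioskHardening)
if ($result.Count -eq 0) { 'No kiosk hardening gaps found' } else { $result }
```

On systems with User Account Control, the administrator check reflects the current token, so an unelevated member of the Administrators group is not flagged.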

63 Comments

  1. me

    Couldn’t you have brought up the “onscreen” keyboard via the accessibility options under accessories?

  2. Kari

    Interesting play-by-play — interested in sharing your story with WNBC-TV? Call 212-664-5049.

  3. PK

    Kari: You mean you want to produce yet another earth-shattering story of how money is wasted on an unsecure system that eventually can steal all your credit card numbers?

  4. John

    “It also isn’t far-fetched for anyone to do what I did. It was pretty simple.”

    Given that IE crash …

  5. Gregg

    So because the account logged into the machine has admin rights you were able to view all files/folders under the open menu. This to you is hacking? Really? You don’t do anything other than surf around a PC that pretty much gave the keys to you. You went through basic setups to establish a connection which most people know how to do (or should in this day and age).

    Unsecured system and the cab company’s fault for not protecting it better? Certainly. Hacking? No, not even close.

  6. Hacker - One who enjoys or is proficient at using a computer. A hacker may occasionally circumvent security measures out of curiosity, but becomes a cracker when he starts destroying data or causing trouble.

  7. dblock

    Meh, interesting, but not really what I would consider hacking. If you knew how to reproduce the error, then I would be impressed, but you just got lucky and got into a cab that had the Windows UI exposed already. Your steps aren’t useful for anyone unless they end up in a cab with the error already there. Learn how to generate that error, and you’ll have something of value. Everything else is just using Windows. I normally just turn off the screen cuz I find them annoying, but maybe I’ll try to generate the error next time I’m in one of those cabs.

  8. Really nice tutorial dude… I think that’s better, thanks for sharing it


    jasmine
    tech-chek.blogspot.com

  9. VeriFone Transportation Systems has investigated the events shown here regarding security of our onboard computers.

    The immediate investigation of the incident determined that the cab was equipped with an outdated modem that had not yet been brought in for replacement. The old modem could have allowed a passenger to access the Internet from the cab. That taxi has been called in and the modem has been replaced. Currently, all cabs in the City of New York equipped with the VTS Passenger Information Monitor and payment solution have been updated.

    Unrelated error messages may occasionally appear on VTS taxi screens during periodic software updates. Some media files may be visible to patrons, but there is no user access to any editing tools.

    No credit card data or any passenger’s personal information has been compromised on any occasion. Such data has never been nor will be accessible by any passenger manipulating the onboard computer. None of the units installed in taxis by VeriFone Transportation Systems allow for the storage of any un-encrypted data.

  10. Sorry

    Sorry dude, this is not a “hack”. The article title is “hacking a NY taxi screen.” Anyone who can read a screen could do this “hack.” This is more like “interacting with a GUI”

  11. What is this, man…. Is this hacking… fool

  12. chukru pandy

    Why did you delete my comment, man?

  13. Blake

    It’s all subject anyway, whoever is doing this “hacking” doesn’t even know where the credit card information is actually stored… “could potentially be stored locally.”

    “I had full administrative access to everything on the PC” - just because you can browse a local file system does not imply that you have “full administrator access”. If you did have full admin access you could change the permissions on the PC. You can do this last time I checked.

    People think the hacker term is cool so they apply it to anything. I wouldn’t call browsing a semi-locked computer “Hacking”

  14. jim

    very cool. can’t wait to try it next time i’m in a cab. thanks for posting.

  15. C00l! hellofromrussiamotherwithl0ve!
    — russian hackers

  16. qwe

    Tough Yankee “hackers”……

  17. qwerty

    Hello, Yankees!

  18. “There are extensive contract-required security protocols in place, which have exceeded government and credit card industry standards and have been stringently tested by our internal and external security experts, which fully prevent access to anything other than media content files residing in the taxicab itself. There is no potential for any malicious activity,” the TLC said in a statement.

    Fully prevent access? No potential for any malicious activity? Those seem to be rather arrogant statements. I suspect many people will take such arrogant statements as a challenge to prove TLC wrong. Software is built and tested by imperfect people. I, for one, would be hesitant to make such statements — even if I thought I had fully tested the security of such a system.

    Didn’t an official from the White Star company state “even God himself can’t sink her” just before the subject of their pride sank?

    Didn’t officials from the Colorado Rockies state that their online World Series ticket ordering system could handle the load just before ticket buyers overloaded their systems — killing worker productivity throughout Colorado for two days?

    To paraphrase the Biblical Proverb: Arrogance goes before a fall.

  19. JackO

    Computer geeks stole the term “hacking” from earlier technologies. What hacking really means is using something in a way it was never intended or designed. Mounting a little 2 cycle engine on your bicycle as a kid to make a motor bike is a hack. Using the gap between the door and the door jamb to open a beer is a hack. Unbending a paper clip to open your CD drive, that’s a hack! So all you so called whiz kids shut up! When you break into a computer system using an exploit that someone has already developed, you are a copy cat, not a hacker. The man found an in-taxi computer system that originally was not supposed to allow what he did with it. That’s a hack! The greater question is, why was he able to do that? Poor SA maintenance of the system in the taxi, or did someone before him actually figure out a new process based on research into these systems, or was it one of you copy cats using someone else’s work to make you look better! Purposely breaking in to something secure is not a hack, it’s just a crime!

  20. Carl

    I was looking to see if Verifone is the only Taxi Kiosk supplier out there, and I stumbled upon this kiosk: http://www.taxi-kiosks.com/proddetail.php?prod=BNZTAXI

    Looks great as far as hardware is concerned. They also seem to use Linux, which is more secure than Windows OS. Maybe this is an improved version of current taxi cab kiosks?

  21. nice hack dude,

    sad in our country we don’t have those screens in taxis

  22. iltar

    It’s not hard since it’s Windows… Everyone with some experience could do this, yet it’s still funny. I had it too once, in Walibi World (Netherlands), one of the funny machines gave an error that its virtual memory was too low. Didn’t want to pay to get access, but if I had, I could have “hacked” it.

  23. Poor thing Indonesian cabs don’t have one :P
    Ever tried this on a Bank’s Kiosk Computer?
