With SXSW looming, Austin may need to clean up its zombie problem.
I’m in a local news mood for some reason, maybe because I rewatched Anchorman last night and just ran through the video from KXAN’s coverage of a roadside sign hack from last week. Here’s the video:
This made the local news here last week, and it brought my wife and me to tears of laughter. I immediately thought of Topper and his project, “Finally getting sports scores to appear on my 42″x8″ dot matrix LED display (think train station sign)” which he shared in comments recently. It also reminded me of that washing machine hack, that blinks a message on an LED sign when the load finished.
As with most pranks, there are unhappy parties, namely the City of Austin and Imago (h/t to Michael Krigsman for digging up the company’s name). According to the news report, the ‘tubes has sites with instructions on how to hack one of these signs (gasp!). Shockingly, the ‘tubes are sometimes used for mischief. The instructions sounded pretty basic; get access to the control panel, type in the password (which is rarely changed from the manufacturer’s default), and enter your message of choice.
The hackers apparently had to use bolt cutters or some such to cut off a lock on the panel. But beyond that comes the intersesting piece for me.
Immediately, you think, “why wouldn’t you change the default password?” You’d change (or remove) scott/tiger on a db install. This is sysadmin basics 101.
But these signs are out on road sides, and road crews need to get into them and program the correct messages. This becomes a logistical nightmare if you follow strong passwords with frequent changes.
So, there’s a balance required here that includes both physical and software security, spread across many users of different skill levels. Interesting stuff, at least to me.
Also funny/interesting, KXAN provides resources on zombies or “Your Guide to the Undead” on the story’s page. That’s either a hilarious algorithm fail (like Google Ad fails) or it’s someone at that station with a great sense of humor.
I’ve noticed lately that local news can be awesome. KGW, our local NBC affiliate is heavily involved with Twitter, and not just for broadcasting. They actively engage people over Twitter and the Live at 7 (@TheSquare) crew includes tweets collected during the show. I even got one of mine up there once, and yes, my parents were so very proud.
The great thing here is local news using the social web to draw in their viewers. News is news, but local news affects local people. If you find more ways to draw local people into your news coverage, you win.
I feel a full post coming on, so I’ll leave it at this for now.
I saw the original Make or Lifehacker post on this and thought how ridiculous that the company designed them this way. 90% of the municipalities don't have locks on the boxes that are attached and think the password will be enough. These are the same orgs that don't change it from the default 'DOTS' password. If thats not enough there is a simple three key reset option in case you forgot what the password is.
Now if only I could figure out how to tweet messages to one of those signs. That would make it fun. Have you seen the articles on how to replicate RFID passports / credit cards with $250 in hardware? Thats the one that should scare everyone.
I was thinking that too oddly. Great minds . . . do mischief alike?
You'd need to add wireless to the sign somehow, but after that, it *seems* pretty easy. Unconfirmed reports say those signs run a “proprietary”, but who else thinks that's a Linux variant?
This type of attack is only going to get more common. I predict traffic cameras will be compromised next. They do inspire hatred, which is a great way to set off a hacker.
I'm pretty sure its a microprocessor that doesn't really need an OS to run it, but either way easily hackable.
What scares me is the huge overhead signs you see going down the highway that are permanently fixed. Most of those have a cell or hard wire modem in them. I would bet that 90% of them are using default passwords as well.
I remember the days of running through phone numbers to try and find open BBSes and fax machines. You can bet the numbers are in the same range as the employees of your local DOT 😉
<tinfoil hat>
I'm just waiting for someone to hack onstar to activate the limp mode (aka we slow your car down to 20 mph for you on the highway) functionality from afar. Imagine doing that to all the GM vehicles with onstar activated on them nice a big metropolitan area during rush hour.
</tinfoil hat>
Guarantee that microprocessor runs an O/S of some kind, bet on a Linux kernel.
Remember LA Story? This was like a scary, 28 Days Later version of that.
Anyway, you're on a frightening road. I have a similar feeling that car viruses are going to plague people in the not-so-distant future. With so much software controlling the car, it's only a matter of time before someone figures out how to disable it or worse.
Think EMP weapon stuff.
Then again, I watch *a lot* of TV and movies.