This weekend, San Francisco’s public transit riders got what seemed like a Black Friday surprise: The system wouldn’t take their money. Not that Muni’s bosses didn’t want to, or suddenly forgot about their agency’s budget shortfalls.
Nope—someone had attacked and locked the computer system through which riders pay their fares. Payment machines told riders, “You Hacked. ALL data encrypted,” and the culprit allegedly demanded a 100 Bitcoin ransom (about $73,000).
The agency acknowledged the attack, which also disrupted its email system, and a representative said the agency refused to pay off the attacker. Unable to collect fares, Muni opened the gates and kept trains running, so people could at least get where they were going. By Monday morning, everything was back to normal.
The city and its residents got off lightly, even if Muni did lose a few days of revenue. Attacks like this could happen anywhere and wreak far more havoc. And they almost certainly will, because the American public transit systems that make daily life possible for millions are an easy target. Many are aging and underfunded, with barely enough money to keep the trains running, let alone invest in IT security upgrades.
“Cyberattacks can destroy a transit agency’s physical systems, render them inoperable, hand over control of those systems to an outside entity or jeopardize the privacy of employee or customer data,” the American Public Transportation Association has warned.
The person who (apparently) messed with Muni says much the same. In a disjointed email to WIRED, sent under the name Andy Saolis (likely a pseudonym), he or she wrote: “San Francisco People ride for free two days ! welcome ! But if ugly hacker’s attack to Operational Railways System’s , whats’ happen to You ? Anyone See Something like that in Hollywood Movies But it’s Completely Possible in Real World ! It’s Show to You and Proof of Concept , Company don’t pay Attention to Your Safety ! They give Your Money and everyday Rich more ! But they don’t Pay for IT Security and using very old system’s !”
So…yeah. We don’t know, either. But this “proof of concept” makes clear at least one major transit system is just as susceptible as the hospitals and Hollywood studios that have suffered high profile hacks. “In a very sophisticated attack, you not only impact control systems, but also impede the ability to restore them,” says Michael Assante, director of industrial control systems security at the Sans Institute, which specializes in cybersecurity training.
Last December, cunning hackers physically controlled breakers to kill electricity distribution in Ukraine, then overwrote the control software, damaging it permanently. A similar move could cripple a subway system like New York’s—which moves 4.3 million people a day—for weeks.
The people who plan and run transportation systems know the risks. The American Public Transportation Association wrote a whole paper on the issue back in 2014: “Cybersecurity Considerations for Public Transit.” The authors argued that because transit control and management systems increasingly rely on “complex and interconnected series of components, subcomponents, and services,” they’re particularly at risk.
Criminals could jam the infrared, laser, and WiFi setups some systems use to detect trains. And don’t think your city’s Methuselah-age infrastructure might provide some protection against high-tech tampering: If someone sneaks into the tunnels and starts slashing cables, you’re wrecked.
Protecting these vulnerable, vital undersides, the APTA paper argues, requires a few moves. Agencies must design hardware and software with multilayered network security, using firewalls, email scanning, software updates, and other tools. Separate the business-side networks that manage schedules and costs from those that control the trains. They should create procedures for a cyber attack, then communicate, review, and update them on a regular basis. Agencies should keep their facilities physically secure, and train their employees to spot or respond to cyber attacks.
All of which takes money—something American transit agencies chronically lack. Losing a weekend’s worth of fares won’t help.
With additional reporting by Andy Greenberg.