Hackers Breached San Francisco’s Transit System and Demanded a Ransom

The Great Train Robbery, cybercrime style.


The computer system that serves San Francisco’s Muni was hacked late last week, giving locals tens of thousands of free rides on the nation’s seventh-largest transit system. The ransom, according to correspondence between the San Francisco Examiner and the email address displayed on Muni employees’ hacked computer screens, was 100 Bitcoin, or about $74,000.

By Sunday, station ticket machines were up and running again, but the hackers indicated to Hoodline, a local news site, that they had compromised more than 2,000 computers in the Muni network in addition to agencywide functions like payroll, email, and real-time bus locations. To cope, the transit agency was assigning routes to bus drivers via handwritten notes on bulletin boards, the Examiner reported. It doesn’t appear to have paid the ransom, though $73,000 is a pittance relative to the potential damage.

The ransomware at work appears to be HDD Cryptor, also known as Mamba, which blocks access to compromised computers entirely. Its rapid takeover of Muni demonstrates—again—the extensive vulnerabilities of networked devices and “smart” infrastructure.

I emailed the address claiming responsibility for the hack and received in response the claim that if Muni does not “fix it correctly,” the hacker will publish databases and documents including contracts, employee data, and “LLD plans.”*

The breakdown in San Francisco began on Friday, when ticket machines began displaying “out of service” messages, and station agents found the message “You hacked” on their own computers.

A Muni spokesman confirmed the hack to a local TV station on Friday night. Stations were unable to read passengers’ payment cards, and the agency opened its fare gates late on Friday and Saturday to minimize customer impact, according to a spokesman. Service ran without serious interruption.

It’s not the first time a transit network has been hacked. In 2008, a teenager in Lodz, Poland, hacked the city’s tram system, derailing four vehicles. Also that year, three hackers drew up a document detailing how to sabotage and exploit the Massachusetts Bay Transit Authority, which runs buses and trains in the Boston area. Security consultants have previously demonstrated the weaknesses of Muni and PATH, the New York–New Jersey subway system.

Transit hacks have been mostly benign, so far. But smart infrastructure is expanding faster than its security. Traffic lights, for example, are considered a major weakness. In 2014, researchers from the University of Michigan manipulated more than 1,000 traffic lights with a laptop and a wireless radio. The head of security research at Sophos, a global IT firm, has shown how easy it is to hack internet-enabled surveillance cameras. Cars have been hacked; so have roads. Smart meters, which have also been hacked, have opened up thousands of points of access to the electrical grid.

There could be worse outcomes than a few thousand free tram rides.

*Update, Nov. 28, 2016, 3:30 p.m. EST: This post has been updated to reflect new information.