[ISN] Passenger Says He Hacked Windows In New York Taxi Display Screen

From: InfoSec News (alerts@private)
Date: Fri Dec 28 2007 - 01:25:55 PST


http://www.informationweek.com/windows/showArticle.jhtml?articleID=205203807

By K.C. Jones
InformationWeek
December 27, 2007 

A New York City software engineer managed to gain access to the 
operating system for a touch-screen display available in the back seat 
of many Manhattan taxicabs and also used it to connect to the Internet. 
But no sensitive information or critical systems were compromised, 
according to the display systems vendor.

The display is used to present short videos and ads to taxi riders, and 
can be used to pay the taxi fare with a credit card. A VeriFone 
Transportation Systems spokesman told InformationWeek Thursday that 
passengers' credit card data is encrypted and isn't stored locally, so 
it wasn't compromised. He also said the cab had an outdated modem, used 
while the city tested the display systems.

Billy Chasen posted photos on his blog earlier this month showing that 
he accessed a New York City cab's video display system files after 
seeing an error message on the screen. The artist and software engineer 
explained in the blog that he managed to open Internet Explorer, 
launched the Connection Wizard, selected a Sprint (NYSE: S) card for a 
dial-up connection, and accessed Adobe (NSDQ: ADBE)'s Web site.

Chasen said he opened files and "had full administrative access to 
everything on the PC."

"It was not only a security flaw, but people also pay with the screen if 
they use a credit card," he said, adding the information could be stored 
locally.

"What I did was a much bigger problem than GPS tracking," he said. 
"You're essentially giving strangers access to a computer that is shared 
with hundreds of customers."

Chasen went on to say that he could have installed software from the 
Internet.

The VeriFone spokesman, however, said Chasen had merely accessed media 
files, and passengers could not gain control of sensitive information.

"It's a Windows-based system, so I could never say never," he said. "But 
there is no credit card information stored in the system."

The spokesman said the meter is integrated into the display system but 
not reliant upon it, so errors and unauthorized access would not affect 
meter functioning. He also pointed out that the New York City Taxi and 
Limousine Commission strictly regulates fares and meters.

"If the meters weren't functioning right, the TLC would be all over it," 
he said.

He also responded on Chasen's blog, saying VeriFone investigated the 
incident, the old modem was replaced, and users cannot access editing 
tools on the system.

The new taxi technology systems, which are required for all New York 
cabs, generated controversy earlier this year and prompted some cab 
drivers to protest because they feared they would be monitored and 
tracked by GPS technology.

