This weekend has been very busy for shoppers. (Black Friday, it was in all the papers). And it was particularly busy in downtown San Francisco, home to the famous Union Square and many other high-end retailers. San Francisco Municipal Railway, or Muni as it is known locally, was apparently hacked Saturday. As a result, San Francisco station fare gates were open all day.
SFGate reports everything has since returned to normal, and Muni rep Paul Rose said “At this point there are not any indications of any impacts to customers. We’re doing a full investigation to find out exactly what we are dealing with.” Muni had to end up taping “out of service” notes to ticket machines.
Muni is essential to the day to day functioning of San Francisco, running through the heart of the city and other outlying stops, and a crippling strike taking down the system down would be a disaster. CBS SF Bay Area notes that “Inside sources say the system has been hacked for days.” SFGate reports that fare gates and ticket machines are now working normally after the hacking message appeared in agent computer screens and ticket machines were knocked out.
Train service itself was not affected during the incident. CBS quoted one rider as saying “I think it is terrifying. I really do think if they can start doing this here, we’re not safe anywhere.” Another straphanger wondered if the free fares were just a Black Friday promotional deal. There are other repercussions as well: transit agency workers aren’t sure if they will be paid this week, and Muni internal email was also impacted.
Motherboard states that “It’s also unclear whether charity was hacker’s true goal in breaching the San Francisco Municipal Transit Authority systems, or if the system was shut down in response to a more malicious attack.” It was also noted that this isn’t the first transit system hack. In 2008, a judge prevented a pair of MIT students from giving a presentation at the Def Con hackers conference that showed how to add value to the RFID-based cards used on the Boston T subway.
The Verge included this email from the hacker: “we don’t attention to interview and propagate news ! our software working completely automatically and we don’t have targeted attack to anywhere ! SFMTA network was Very Open and 2000 Server/PC infected by software ! so we are waiting for contact any responsible person in SFMTA but i think they don’t want deal ! so we close this email tomorrow!”
The message that flashed on Muni terminals and machines Saturday said, “You Hacked, ALL Data Encrypted. Contact For Key(firstname.lastname@example.org)ID:681 ,Enter.” So this appears to be a case of ransomware.