A hacker from Costa Rica broke into the lighting control system at a tram terminus in Wrocław. Drawing on his professional experience, he entered a default PIN code; the first attempt gave him read and write access. After the situation was publicized, MPK changed its passwords and its approach to cybersecurity. – Now it is not possible to get to the login panel – informs the press office.
In March, Costa Rican hacker and cybersecurity specialist Bertin Jose broke into the system monitoring devices at the Klecina tram terminus in Wrocław, and then described his activities in detail on his blog, including screenshots. The man regularly conducts internet research on equipment that is potentially vulnerable or misconfigured.
Basic password in MPK Wrocław systems
While scanning the devices using a proprietary program, the researcher found a controller to which other devices were connected. One of them was a lighting controller located on the Klecina loop in Wrocław.
The system found was protected with a PIN and password, but these protections were quickly broken. “First attempt with 1111 provides full read/write access, 2222 also works,” wrote Bertin Jose in his blog. He added that the same situation applies to the NOX2 lighting system.
Although the hacker managed to gain access to the system, he refrained from further exploitation and tried to inform the appropriate authorities to solve the problem. The researcher's main goal was to fix this loophole, not exploit it for his own benefit. Until the beginning of September, the problem remained unresolved.
MPK's reaction to hacking into their controller
We contacted representatives of MPK to determine how serious the hack was and whether their systems were already properly secured.
– Nothing was hacked, in the sense that there was no way to affect our systems in any way. We're talking about a situation where one of our controllers was found online and you could see what it was measuring and that was the only thing you could do. There was no threat or influence on communication with the system, it only gave the person information about what the device could do – emphasizes Daniel Misiek from the MPK press office.
– The device monitored mobility on the Klecina loop, i.e. it sent a very simple signal when the tram entered or exited, but it did not process this information, and it was not possible to influence this information through this access – he explains.
At this point, it is no longer possible to identify this controller on the Internet.
– The ability to locate this controller has been removed and it can no longer be found on the network. Now this controller is controlled only locally, it cannot be influenced remotely – he explains.
We also asked if passwords had been changed. – Yes, but I cannot say more about the passwords – we heard from Daniel Misiek. – Moreover, now it is not possible to get to the login panel, no one will be able to enter any password today because this option has been removed.