Behind the Scenes of ITEC and the Milwaukee Bus System

by Eoban  (eoban@eoban.com)

First, a little background: All the municipal buses in Milwaukee have LCD video displays in them showing where one is in the city.  It also shows weather, news, sports, ads, and so on.

So one day while wardriving, a few friends and I discovered a rather interesting characteristic of all (as far as we can tell) municipal buses in the city of Milwaukee.  When a bus drove by, an AP with an SSID of route_mi appeared on our stumbler, slowly increasing in signal strength and then, as the bus passed us, decreasing and disappearing in a few more seconds.  We reached the conclusion that it was the bus itself and we sped after it.  After a few more seconds, we realized it was an ad-hoc connection and ran standard 128-bit WEP.

We didn't have a sniffer ready to go that day so we drove around and found another bus.  Same thing.  We figured we could crack it pretty easily as long as the bus actually used Wi-Fi for sending something - there had to be encrypted traffic being transmitted.

Trying to crack WEP with an Logical Link Control (LLC) packet every minute or two ain't gonna work so well.  We also figured that all the buses (to simplify things a bit) would all run the same key.  Even if the buses only used the Wi-Fi points for telemetry syncing while parked at the central station, we could just sit across the street from the station and log packets that way.

That night, a little Googling uncovered a Computerworld online article that mentioned, albeit briefly, that ITEC Entertainment had Wi-Fi networks for video on buses in Milwaukee, Birmingham, and Orlando.  There was also a recent Australian spin-off of ITEC that was running trials in Sydney.

So the Wi-Fi network did transmit something interesting.  But then things became a little more confusing when we discovered a company/system called Transit TV (www.transitv.com).

It turns out Transit TV is a subsidiary of ITEC, and their web site has absolutely no problem with giving away all the technical details behind their systems' operation.  All their Wi-Fi equipment is Cisco, and the media servers and onboard computers are just Intel PCs.  Have a look at their white paper at: www.transitv.com/network3/wht_papr/3000-CDI-002-003.pdf circa July 2001.

But this document, while intriguing, yielded little information as to when the buses actually updated their video files.  All we could get was that they were updated "overnight."

According to Milwaukee County Transit System's own schedules, the buses parked from around 2:30 am to 4:30 am.  The transfer would almost certainly have to be during this time period.  So that's when we'd have to grab their packets.  And even then, we might have to get inside a building somewhere.

But we haven't cracked jack shit yet, so I'm left to speculate.

For now, all I can say is that it is plainly idiotic to not cloak the SSID of something like this.  There is absolutely no reason why anyone else would need to know about route_mi but there it is in the open anyway.  I credit them for running WEP, of course, but it still is only WEP.

It is only a matter of time before it's compromised, and because the software itself appears to be relatively well-documented, it's simply a matter of changing your chipset's MAC address and SSID to impersonate the other end of the adhoc connection and upload your own video file.

For now, let me say that I don't plan to do this.  But I can't speak for anyone else who has knowledge of the Transit TV network's presence in their local bus system.

If you live in Milwaukee, Birmingham, Orlando, Sydney, or anywhere else that has a similar system, I'd like to hear about your experiences with the buses.  It's my understanding it may be implemented on trains as well.

All in all, as this kind of technology becomes more widespread, it's important for advertising firms, city governments, and the designers of the system itself to recognize the potential for abuse.

Run a network like ITEC Transit TV and you're simply asking for it.

Many thanks to AK_RAGE for the laptop and ultimate 200 mW wardriving card and Brian for lending us the ultimate wardriving machine, his Toyota Matrix.