Slashdot Mirror


Tapping Data From Radio-Controlled Bus Stop Displays

jones_supa writes "A couple of weeks ago hacker Oona Räisänen told about finding a 16 kbps data stream on FM broadcast frequencies, and her suspicion was that it's being used by the public transit display system in Helsinki, Finland. Now it's time to find out the truth. She had the opportunity to observe a display stuck in the middle of its bootup sequence, displaying a version string. This revealed that the system is called IBus and it's made by the Swedish company Axentia. Sure enough, their website talks about DARC and how it requires no return channel, making it possible to use battery-powered displays in remote areas. Other than that, there are no public specs for the proprietary protocol. So she implemented the five-layer DARC protocol stack in Perl and was left with a stream of fully error-corrected packets on top of Layer 5, separated into hundreds of subchannels. Some of these contained human-readable strings with names of terminal stations. They seemed like an easy starting point for reverse engineering..."

11 of 75 comments

  1. wow, thanks Timothy by Anonymous Coward · Score: 2, Funny

    An interesting article on Slashdot... that's amazing... it's like ARM chips running windows... well, ok... we thought that was going to be amazing... :P

  2. The roots of hacking by Anonymous Coward · Score: 2, Interesting

    This, my friends, is true hacking. While this sort of stuff has become less common over the years, it is people such as this that provide real value to the community in terms of improving security for the masses. I wish that I had more time (and equipment...and hadn't forgotten so many of my skills) as there are a few projects like this that I'd like to dig into. For instance, I have a home security/automation system out at my farm. I am fully cognizant that the security provided by it is a joke, as any insider at the alarm company could turn off my alarm without my knowledge, but that's beside the point. What I'm really interested in is the link between the alarm company and my system. I log into their super secure website (tongue in cheek here) and issue a command either from my computer or phone. The alarm company sends that command to my system via the local GSM network (2g or 3g). There's no documentation on this portion of the system. Is it secure? Encrypted? Could it be readily spoofed? Even if it is encrypted, is there sufficient proof of authority on the system issuing commands? Anyway, love this stuff!

    1. Re:The roots of hacking by diamondmagic · Score: 2

      You're blurring the definition of security and obscurity, which is already well defined. Obscurity refers to the logic of the system. Your system must be secure even if an attacker knows everything about how it works, because there is a separate part, the secret key, that is completely arbitrary and assumed to be kept secure. A key is only secret, arbitrary data; a cipher is only well-known logic; security through obscurity by definition means mixing your secret data with your public logic, a bad idea.

      The biggest purpose of cryptography is to take big secrets (plaintext) and make them small secrets (private or secret keys). How it goes about doing that shouldn't be obscure.

      A home invader shouldn't be able to break into my house even if they know everything about my lock and door, what matters is that they don't have the key (which has no mechanical components - it's not part of the system until I want to unlock the door).

  3. See, this is kinda what I meant by 50000BTU_barbecue · Score: 3, Interesting

    when I said you don't need an oscilloscope anymore. Probably a SDR receiver that goes to a PC. What possible interest is there in looking at the raw RF at the antenna, which you won't see with an oscilloscope anyways (because I don't know any scopes with nV/cm settings yet), or the countless undocumented signals inside the receiver, which you won't access anyways because it's all on one chip?

    You're better off just finding what's already done and buy it. I myself have looked at the FM band on my old analog spectrum analyzer to look for SCA signals. http://en.wikipedia.org/wiki/Subsidiary_Communications_Authority

    It's all wonderful fun, but when you can do the same with a 15$ USB receiver and some software, it all starts to look rather silly, no?

    --
    Mostly random stuff.

    1. Re:See, this is kinda what I meant by Desler · Score: 5, Insightful

      > when I said you don't need an oscilloscope anymore. Probably a SDR receiver that goes to a PC.

      At what stage in this project would an oscilloscope have been needed anyway? Yes, she used an SDR for scanning radio frequencies.

      > What possible interest is there in looking at the raw RF at the antenna, which you won't see with an oscilloscope anyways (because I don't know any scopes with nV/cm settings yet), or the countless undocumented signals inside the receiver, which you won't access anyways because it's all on one chip?

      What is all on one chip? How is this rambling statement even applicable to this article?

      > It's all wonderful fun, but when you can do the same with a 15$ USB receiver and some software, it all starts to look rather silly, no?

      You can decode these IBus messages with a $15 USB receiver? Link please?

    2. Re:See, this is kinda what I meant by ArchieBunker · Score: 2

      It's the RTL-SDR project. A Linux developer discovered that a digital TV receiver chip made by Realtek (used in $15 dongles) had the ability to receive the raw sampled RF data. The bandwidth is nearly 3 MHz so that means you can view a HUGE chunk of the RF spectrum at once and decode the signals via software. AM/FM/USB/LSB you name it. Dongles based on the R820T tuner receive from 22 MHz to 1600 MHz! Pipe the output into some digital speech decoder programs and you have a police scanner that would normally cost hundreds of dollars.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard

  4. Encryption by sunderland56 · Score: 5, Funny

    Pity she couldn't break the text encryption - then she could have displayed the station names in English, instead of nonsense strings.

    1. Re:Encryption by Desler · Score: 4, Funny

      For anyone who is not an aspie they would have recognized that the GP's post is this new thing called a "joke". Maybe your side of the world hasn't yet been informed of their invention?

  5. Developer community and open data by tuukkah · Score: 4, Informative

    Cool reverse engineering indeed! For those who want it easier, the Helsinki Region Transport Authority HSL offers the arrival time predictions through a service called "Omat lähdöt", which has an open API too. However, the textual messages are not available so that's new. As the post mentions, the predictions are based on the GPS locations sent by the busses, which are not available to third parties (unlike the locations of the metro, trams and trains). For more information about the HSL Developer Community and open data at HSL, see dev.hsl.fi.

  6. Re:While reading ... by PPH · Score: 2

    Now, Oona is cute, a hacker and is into Kung Fu.

    [Sigh] And all US culture can produce is the Kardashians.

    --
    Have gnu, will travel.

  7. Receive only, do not transmit. by VortexCortex · Score: 3, Interesting

    That which can be received unsecured, can be broadcast as such. Only a matter of time now before the displays feature zombie attack warnings.