Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Security Databases Transportation IT

Hacker Shuts Down Copenhagen's Public City Bikes System (bleepingcomputer.com) 72

An anonymous reader writes: "An unidentified hacker has breached Bycyklen -- Copenhagen's city bikes network -- and deleted the organization's entire database, disabling the public's access to bicycles over the weekend," reports Bleeping Computer. "The hack took place on the night between Friday, May 4, and Saturday, May 5, the organization said on its website. Bycyklen described the hack as "rather primitive," alluding it may have been carried out "by a person with a great deal of knowledge of its IT infrastructure." Almost 2,000 bikes were affected, and the company's employees have been working for days, searching for bikes docked across the city and installing a manual update to restore functionality. The company is holding a "treasure hunt," asking users to hunt down and identify non-functional bikes.

Hacker Shuts Down Copenhagen's Public City Bikes System

Comments Filter:
  • This outfit has an Android tablet physically attached to each bicycle.

    I wonder how long one of those is expected to last outside in the wind, rain and diesel exhaust.

    • by ruddk ( 5153113 )

      Well, it's Denmark, so I if they weren't made to last in rain, they would have have a very short lifespan. Last year was nothing but rain. This year shows promise, crossing fingers.

    • by glitch! ( 57276 )

      This outfit has an Android tablet physically attached to each bicycle.

      That's a lot of money there. How about an ESP8266 module and two AA cells? For less than $3, it has CPU, memory, and wifi. Mount it under the seat or wherever convenient. (The ESP12 is small!)

      The device could wake up every so often and listen for an open hot spot. Associate with the hot spot and "phone home" with the MAC address of the hot spot. That might be close enough to locate the bike without GPS.

      Meanwhile, volunteers could go war-biking with similar devices WITH GPS to make a database linking the MAC

      • by Anonymous Coward

        You have some great ideas there, you should apply and help them bring it to the next level. I'm sure you will be able to find alternatives to the other features that the tablet provides, such as:
        - credit card processing
        - usage time tracking
        - motor assistance settings
        - navigation
        - locking/unlocking from charging/drop stations
        - locking for parking
        - reservation
        - and probably more

      • by q_e_t ( 5104099 )
        I doubt what you propose is legal in Denmark.
  • The company is holding a "treasure hunt," asking users to hunt down and identify non-functional bikes.

    I'm sorry if I don't know anything about Bycyklen, but how are the bikes "non-functional"? A bike is a bike, isn't it?

    • by Zocalo ( 252965 )
      There's generally some kind of lock that you need to remove in order to use the bike, not sure about Bycyklen specifically, but usually it's via some sort of bar through the spokes or pedals, or a clamp that achieves the same effect. Alternatively, bikes must be obtained from and returned to specific racks which lock them in place. Either way, unlocking a bike starts your registers your account for usage of a bike, and locking it again ends it. Since Byclyken uses GPS (and lost the GPS data when the DB w
    • But is a bike still a bike if it can't be ridden? I don't know about the specifics here but these schemes typically involve either a docking station that won't release the bike or rear-wheel bike look that won't release the bike.

      E.g. O-Bike uses some variant of these: https://allsharktankproducts.c... [allsharktankproducts.com]

  • by fahrbot-bot ( 874524 ) on Saturday May 12, 2018 @03:40PM (#56601410)

    Bycyklen described the hack as "rather primitive," ...

    Obligatory: xkcd [xkcd.com]

  • Perhaps, having a distributed system each with simple passwords/credentials are to blame? e.g. 'password=raspberrypi' You have to assume full on hacking will happen immediately, starting with port scans, followed by full dictionary attacks on standard usernames.
  • by shanen ( 462549 ) on Saturday May 12, 2018 @03:43PM (#56601420) Homepage Journal

    Mindless vandalism? I'm trying to imagine what could motivate such a crime. What sort of grievance could justify attacking a system that lets people borrow bikes?

    Just wants to annoy other people? Maybe he sells cars and he felt the bikes were hurting sales? Maybe he's just a mercenary working for the car salesman? Or maybe the prick did it simply because he could.

    There are legitimate uses for anonymity. This is NOT one of them.

    • What sort of grievance could justify attacking a system that lets people borrow bikes?

      Maybe he sells cars and he felt the bikes were hurting sales?

      Oh, those questions answers it all easily:

      Über did it.

    • by Anonymous Coward

      See, boredom is a result of not being challenged (Csikszentmihalyi) and anger. And misdirected talents.

      This whole "only boring people get bored" is total nonsense. Anyone who has had to master a musical instrument or sport or science will know that periods of boring monotony are required for mastering these subjects. But there is a GOAL at the end.

      Breaking things or breaking into them gives a rush that you can't get without drugs. When you have no goal at the end.

      I'm not just making excuses - just expla

    • "To summarize the summary of the summary: people are a problem." — Douglas Adams

    • by Anonymous Coward

      I'm trying to imagine what could motivate such a crime.

      Some people just want to watch the world burn.

    • by hey! ( 33014 )

      The right framework to understand this isn't psychology, it's statistics. The probability of an event occurring as the number of trials approaches infinity is either 0, or 1.

      That's the way to understand a lot of what happens in the world, like school shootings. If they can happen, given enough people who are capable of doing them, someone will.

      • by shanen ( 462549 )

        I'm afraid I don't understand what sort of point you are trying to make. Perhaps something like bad things happen, so we should give up?

        Do you have any sort of constructive solution to offer? (I do, but I've already presented it out on Slashdot and never detected any interest.)

        • by hey! ( 33014 )

          No, it's that trying to understand all the possible motivations people might have to do something like this is pointless.

          Early in the days of the Internet I would have clients challenge the need for security. "Why would anyone want to hack me?"

          And I'd answer, "The people you have to worry about don't think like you. Their motivations wouldn't make any sense to you, even if you knew them, which you probably won't."

          • by shanen ( 462549 )

            Simple counterexample will suffice to prove motivations count.

            Where is all of your pump-and-dump stock scam spam? It's gone because they studied the motivations and cured the problem. After several academic papers were published proving that the scammers were effectively shaking money out of the tree, the authorities responded by changing the rules. The motive was profit, the profit was removed, and that specific problem was solved.

            I'm not denying that motivations are difficult to figure out. In this case,

          • Deaths caused by terrorist events are also extremely rare, so rare that many people have suggested that inferential statistics is almost useless for predicting them. According to your rationale, it would also make no sense trying to understand terrorist events. Or airline accidents. Or very rare diseases. Or earthquakes - and so forth, you get the point.

            However, the fact is that inferential statistics only works and makes sense if you are able to make at least some reasonable assumptions about an underlyi

    • They also suggested that there was internal knowledge of their network, which I take to mean 'current or former employee', in which case the motive was likely a grievance with the company rather than with bike sharing. Although some bikers are big enough assholes that they could certainly inspire some retribution if they were riding rental bikes. My personal favorites are the ones who yell at me to get out of the way so they can pass on the sidewalk (the law here allows them to ride on the sidewalk but at w
      • by q_e_t ( 5104099 )
        I cycle at times, but if there is a cyclist behind me when I'm walking on the pavement I make them wait. Many vulnerable people use the pavements.
    • by AmiMoJo ( 196126 )

      Probably just some 4chan kiddie not thinking through the consequences.

    • Getting cut off at an intersection.

    • It was a pro-Euro activist angry about the Kroner.

  • I am waiting for that proverbial "blame Russia" rant. Even with no [credible] evidence whatsoever.

    Here's the MO; if investigations end up likely to point else where, put out press releases with words like "we know", "likely" and so on. If that fails, simply discredit the investigation itself.

  • ZFS (Score:5, Insightful)

    by darkain ( 749283 ) on Saturday May 12, 2018 @03:54PM (#56601446) Homepage

    Now imagine if this database were to be stored on a ZFS volume with regular snapshots, and those snapshots were sent to other remote machines for backup... The entire database could have been recovered in minutes with just a few simple commands to re-mount the ZFS partition to a given snapshot, restart the database server software, and you're up and running again...

    Oh wait, that's right. I'm too old for tech nowadays. There are all these kids fresh out of college using newfangled technology that don't know two shits about information security or data integrity to even give this a thought in the first place. And thus the cycle continues where us old-hats are "over paid" and forced out of work in favor of these new younger generations of "tech wizards"!

    • Re:ZFS (Score:4, Interesting)

      by mccalli ( 323026 ) on Saturday May 12, 2018 @04:04PM (#56601468) Homepage
      Doesn't seem like they lost anything, the way you're describing it. Here's the initial announcement [bycyklen.dk], and here's the update [bycyklen.dk]. Doesn't;'t seem like they lost anything in their database.

      What seems to have happened is that the hack has managed to erase the client side. Either poison data/commands has erased the tablet they attach to the bike, or the tablet still has data but is now out of sync with their restored backup. That will be why they're talking about going round rebooting the tablets on the bikes - it's the client side that's wrong, ZFS-nothing - it simply wouldn't have helped.
    • What is with you kids and thinking you need to implement a new file system to do your backups?
      • A versioning file system is not the same as a backup mechanism.

        • A versioning file system is not the same as a backup mechanism.

          And yet the OP's ZFS "solution" listed as its great feature: "and those snapshots were sent to other remote machines for backup..."
          Please read entire threads before replying.

    • ZFS volume

      You are actually the worst kind of IT person out there and have basically just fallen into every trap that gives the field a bad reputation.
      - Assumed that this problem is caused by one specific issue.
      - Assumed they don't have this issue already taken care of.
      - Provided a detailed technical solution to a problem you don't know about.
      - Provided a detailed technical solution without considering any of the many alternatives that achieve the same thing your solution proposed to fix.

      You need one of these: https:/ [flickr.com]

  • Or was the IT department rather primitive as well. In the worst case, a rather primitive deployment like this should lose 15m-1h of data and perhaps another 1-4h of downtime. There are setups that are better with continuous logs and high tech breach detection which would either prevent this or have virtually no downtime.

    • In the worst case, a rather primitive deployment like this should lose 15m-1h of data

      Or maybe they lost no data at all and you are just jumping to conclusions about a problem you don't know anything about:
      https://bycyklen.dk/en/news/sa... [bycyklen.dk]

      Notice that the problem is fixed almost entirely on the client side?

  • Bycyklen described the hack as "rather primitive,"

    What does that say about your security, Bycyklen?

  • Do they have a recovery plan?
  • ... and could be hacked remotely such that they simply would not start anymore. But who would be silly enough to propose that cars should be online? ... oh... wait... preparations for that kind of desaster are already ongoing.

    They call it "autonomous cars" in their Newspeak, and it actually means "car that is completely dependent on network services".
    • Now image that smart phones are "always online" and could be hacked such they simply wouldn't start anymore. But who would be silly enough to propose that phones should be online?

  • WooHoo! These 1334 haxors are showing the man who is boss! Yeah, think of the damage they did to Man by shutting down this service! Information wants to be FREE!!!!!

    Stop being assholes, you fucking pieces of shit.

The IQ of the group is the lowest IQ of a member of the group divided by the number of people in the group.

Working...