Bubblegum Denial of Service Attack on Clear Channel “Play Subway” Digital Signage

The Clear Channel digital signage network “Subway Play” is vulnerable to bubblegum. A malicious attacker could easily cause a denial of service, and likely also damage internal hardware, by applying gum or a similar substance to the ventilation exhaust grilles.

Background

“On 8 September 2011, Clear Channel launched a digital network in the Stockholm subway. The network consists of approximately 120 digital screens at 14 of the subway's busiest stations.”

In 2011, world-wide advertising conglomerate Clear Channel reached an agreement with the local transportation company Storstockholms Lokaltrafik (SL) for advertising on digital signs in the subway of Stockholm. Initially, the network consisted of approximately 120 digital screens, mounted in 14 stations.

System Specification

The “digital sign” platform consists of a plasma screen and a fan-less (EDIT: 17 December 2012: they have fans) air-cooled Intel-based computer, which is remotely controlled via VNC over a 3G connection. The system is mounted in a rugged container, with vents at the top and bottom of the box providing air-flow for cooling.

Proof-of-concept

Attack has not been performed for legal reasons, so no “proof-of-concept” will be provided.

It was, however, observed that on hot days (temperatures above 20-25 degrees Celsius) these systems often crashed, showing signs of overheating. The video at the top of the post (also available on YouTube) was recorded by Vector Lab on a hot summer day in July 2012, showing a “Subway Play” sign suffering from spontaneous overheating (i.e. a “Blue Screen of Death”). The video was recorded less than 4 months after the system was installed.

A malicious attacker blocking the air-vents would very effectively aggravate this already existing design flaw, causing a denial of service or even hardware damage from overheating. Many substances that are readily available in the subway (such as bubblegum) could be used to facilitate the attack.

[Photo: Anders Nicolaysen via Compfight]

Vendor communication

Vendor has not been redundantly notified, as overheating has evidently happened many times before spontaneously and the service provider (SL) already knows about the design flaw. Screens that overheated were repeatedly restarted during the summer. This was done despite the fact that these screens may pose a potential fire hazard. It is possible that a comprehensive testing program of the digital signage has been performed already and that the signs are safer than their track record seems to indicate.

Testing is needed to determine if the screens in their current state pose a potential fire hazard.

Remediation

No real remediation for this issue is available as these signs suffer from an integral engineering flaw. From a safety perspective, the signs would either have to be replaced or removed from the subway to resolve the problem.

  1. Daily inspection and cleaning of vents and internal cooling to remove dust and objects blocking air flow.
  2. Install active cooling in digital sign boxes (this might, however, increase the risk of particles getting sucked into and stuck in signs, as well as introduce other issues with noise, respiratory health, etcetera).
  3. Remove digital signage from the subway.
  4. Reduce green-house gas emissions or otherwise lower ambient temperatures.

Final note

The information given in this advisory is intended for informational purposes only, and should not be seen as an endorsement to vandalize Clear Channel™ digital signage or other equipment. The purpose of this advisory is to warn members of the general public of an already known and potentially dangerous design flaw which should be addressed and handled by the proper authorities. Until then, consider yourself warned.

Vector Lab (http://vectorlab.se/) is an independent security researcher, and does not take any responsibility for misuse of this information which is given in good faith. Inquiries regarding the safety of the digital signage system should be directed to Clear Channel Sweden.

EDITED on 17 December 2012 to correct the mistaken claim about the ad boxes being fan-less. They are not: cooling is active. There are fans. Also, the vulnerability is now confirmed by technicians working for the company.

Comments
3 Responses to “Bubblegum Denial of Service Attack on Clear Channel “Play Subway” Digital Signage”
  1. nitro2k01 says:

    How big are the vents? If they did things right, the vent would be big/long enough that you’d have to chew a lot of gum to block them.

    I suspect that what generates the most heat is not necessarily the CPU unit, but the PSU and the display+backlight. It would be interesting to see how the sign is constructed inside, and in particular where the CPU board is situated. I suspect it’s situated near the top, with other heat producing components below it. I also suspect there’s just a wimpy-ass heatsink on the CPU.

    One can also wonder why there are no vents on the sides. They would be more difficult to obstruct (things would fall off eventually.)

    • Vector says:

      They did not make things right. The vents are quite small (about 10-15 cm long I think) and located on the top and bottom of the display unit. No vents on the side.

      You're probably right about the CPU and PSU producing a lot of power, but let’s not forget that GPU running high-res flash video all day long.

      Not sure about the exact placement of the gear inside the box.

  2. It says:

    The CPU is actually located at the center of the display.
    The vent system is designed with internal fans and ducts.
