Hacking Electronic Message Centers (Autumn, 2002)
-------------------------------------------------
By Mr. Glenn Frog

One type of electronic sign that has been around for a while and is gaining popularity is the "electronic message center." These can be found damn near anywhere but are particularly common at schools and other government buildings. The type of message center that is the subject of this article is made by Electronic Display Systems (www.eds.chiefind.com) and is the most common, at least here in Detroit. The best way to find out whether or not they supply signs to your area is to check the list of resellers on their site. Resellers will also be more than happy to provide a list of their signs in operation to an interested customer, which should give you plenty of test subjects.

The Setup

Each of these signs is controlled by a V4 box. These are small beige boxes that hold the messages for the sign in RAM and send the appropriate messages to the sign when they are needed. The sign controllers are contacted by a computer for configuration through either a direct serial connection, a radio modem, or a dialup modem. The V4 box is generally located either inside the sign or in the same building as the PC used for configuration. There can also be any number of extender boxes between the PC and the sign controller; it's not at all uncommon to have communications routed through a mix of direct connections and radio modems.

This setup is incredibly insecure, as absolutely no authentication takes place within the sign controller. The only time any authentication is required is within the configuration software. This means that if you manage to get a copy of the software and a connection to the sign, you're in.

The Software

The computers used to configure the sign run EDS's SystemOne software. This runs on either MS-DOS or Windows and can easily be obtained by social engineering it out of EDS or one of their resellers.
It's also likely that you can find it on the giFT or Kazaa p2p networks. The software comes with an installation CD and a configuration floppy. It will run without the configuration floppy, but only in a demo mode that allows creating schedules and message files, not communicating with signs. The software requires a password to open and yet another password to establish communications with the sign. Both are set to "m2000" by default, which as far as I know stands for Message Center 2000. Once inside the software you can configure it to communicate with your type of sign, create messages, create schedules, and finally upload them to the sign controller. I won't go in depth on creating message files and schedules, as both should be fairly easy for the computer-savvy individual to pick up. Now let's go over the different ways to establish communication with the sign.

Radio Modem

The easiest signs to spot and communicate with are radio signs. These can be identified by either small black curly omnidirectional antennas or the even more conspicuous directional antennas. All you need to communicate with these is a copy of the configuration software and your own radio modem. The radio modem distributed by EDS is a 2.4GHz Hopnet 500, though I don't doubt that any 2.4GHz radio modem would do just fine. Once you've spotted your antenna, simply pick a spot with line of sight to it (adjusting your position if the antenna is directional) and fire up your SystemOne software. From here select Software Configuration from the Options menu. Select Radio Modem from the Sign Communication combo box and accept the default initialization string, "wn0, wp0", which means address 0, signal power normal. Feel free to set the power to wp1 if you want to communicate with the sign from a longer distance, though in most cases wp0 should be just fine.
Next, check that you have the correct COM port selected for your radio modem. At this point OK your configuration changes and select Communications from the Options menu. Don't worry if the first attempt to connect fails; these connections can sometimes be unstable and are prone to interference. If the first address fails, simply change the address string to wn1 and try again. Keep repeating this process up to wn8 and you should eventually establish a connection and have full control over the sign. When you finally establish communication you're most likely to get an error saying that your row and column settings are wrong, and it will give you the correct information. Go back into the Software Configuration dialog and set these accordingly.

Remote Modem (Dialup)

These are harder to spot than radio modems. You'll actually have to get up close to the sign, and you may or may not have to open it up. Signs that are likely to be run off of dialup are generally signs located very far away from the configuration PC, such as a city-owned sign set in the middle of a park. If you suspect that a sign is being controlled remotely, inspect for any visible RJ-11 around the base of the sign. Failing this, you can remove the panel and light display and look for the sign controller box inside the sign. The panels that house the sign controllers will usually be labeled for the convenience of the sign technicians. Upon finding any bare RJ-11 or finding the sign controller, simply patch yourself into the line and call your favorite ANI or ANAC. You'll then get the number of the sign controller. The easier and much less conspicuous way to go about this would be to simply war dial the owner's exchange until you find it. Once you have the sign's number, start your SystemOne software, open up the Software Configuration dialog, and set the connection type to Remote. Now open the Communications dialog and Connect.
Direct Connect

Sign controllers that are hooked directly to the user's PC are generally hard to touch. These are connected by serial cable to the sign controller, and fiber optic cable is then run from the sign controller all the way out to the sign. The only practical way to connect to these is to have physical access to the sign controller or to the computer which configures it.

TCP/IP via COM Port Redirector

This setup is becoming popular amongst organizations that own multiple message centers, especially local governments. A COM port redirector is essentially a small box that is placed on a network and connects directly to a sign controller or radio modem, allowing an administrator to control the sign from any location on their WAN or LAN. Given the poor authentication scheme, this unfortunately means anyone with the software and access to the network can control the sign. The redirector currently shipped and supported by EDS is the Lantronix MSS100. These boxes are configured via telnet and come with the default administrator password "system." They also come with some utilities that need no password to access, such as ping and traceroute. The best way to spot these boxes is to download a fast IP scanner (I prefer Angry IP Scanner, http://ipscan.sourceforge.net) and scan the network for boxes listening on port 3001. If you've discovered any, the next step is to telnet to that box on port 3001. This is where we determine whether the redirector is connected to a radio modem or directly to the sign controller. If you telnet in and receive a standard readable ASCII banner, then chances are you have a radio modem. If you instead receive a bunch of garbled and unreadable ASCII, then the box is probably directly connected. Now that we know where our redirector box is and what it's connected to, you need to get a copy of the Lantronix Redirector software.
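Because the redirector's serial channel carries no authentication of its own and the sign controller keeps no logs, the network is the only place an operator can see who has been talking to a sign. The following is an added example, not code from the article, EDS or Lantronix: a Python check that reads firewall connection logs and flags sessions to the redirector's serial port (3001) or its telnet management port (23) from any host outside an allowlist of authorized configuration PCs, and separately records blocked probes of those ports. The one-line-per-connection log format, the redirector address 10.20.0.50, and the allowlist are constructed for the example; only the two port numbers come from the text.

```python
"""Flag access to a serial-port redirector from hosts that should not reach it.

Added example; not part of the original article or of any EDS/Lantronix product.
Constructed assumptions: a firewall that logs each new TCP connection as
    "<timestamp> ACCEPT|DROP TCP <src_ip>:<src_port> -> <dst_ip>:<dst_port>",
a redirector at 10.20.0.50, and one authorized configuration PC at 10.20.1.10.
"""
import ipaddress
import re
from dataclasses import dataclass

REDIRECTOR_SERIAL_PORT = 3001   # serial channel used by the configuration software (from the article)
REDIRECTOR_MGMT_PORT = 23       # telnet management interface of the redirector (from the article)
WATCHED_PORTS = {REDIRECTOR_SERIAL_PORT, REDIRECTOR_MGMT_PORT}

# Constructed for this example: redirector addresses and the PCs allowed to configure signs.
REDIRECTORS = {ipaddress.ip_address("10.20.0.50")}
AUTHORIZED_CONFIG_HOSTS = {ipaddress.ip_address("10.20.1.10")}

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+TCP\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    src: str
    dst: str
    dport: int
    severity: str
    reason: str


def parse_line(line):
    """Parse one constructed firewall log line; return a dict of fields or None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def check_connection(rec):
    """Return an Alert for a connection record worth investigating, else None."""
    dst = ipaddress.ip_address(rec["dst"])
    dport = int(rec["dport"])
    if dst not in REDIRECTORS or dport not in WATCHED_PORTS:
        return None  # not the redirector, or a port we do not care about
    src = ipaddress.ip_address(rec["src"])
    role = "serial channel" if dport == REDIRECTOR_SERIAL_PORT else "management (telnet)"
    if rec["action"] == "DROP":
        # Blocked attempt: no session was established, but someone is looking for the box.
        return Alert(rec["ts"], str(src), str(dst), dport, "low",
                     f"blocked probe of redirector {role}")
    if src in AUTHORIZED_CONFIG_HOSTS:
        return None  # expected traffic from a configuration PC
    return Alert(rec["ts"], str(src), str(dst), dport, "high",
                 f"unauthorized host reached redirector {role}")


def scan_log(lines):
    """Run every log line through the check and collect the resulting alerts."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not connection records
        alert = check_connection(rec)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample log: one authorized session, one rogue host using both ports,
# one blocked probe, and two connections that should not raise anything.
SAMPLE_LOG = """\
2002-10-01T08:00:01 ACCEPT TCP 10.20.1.10:51234 -> 10.20.0.50:3001
2002-10-01T08:05:12 ACCEPT TCP 10.20.7.33:40110 -> 10.20.0.50:3001
2002-10-01T08:05:40 ACCEPT TCP 10.20.7.33:40111 -> 10.20.0.50:23
2002-10-01T08:06:00 DROP   TCP 10.20.9.9:3333 -> 10.20.0.50:3001
2002-10-01T08:07:00 ACCEPT TCP 10.20.7.33:40112 -> 10.20.0.51:3001
2002-10-01T08:08:00 ACCEPT TCP 10.20.7.33:40113 -> 10.20.0.50:80
this line is not a connection record
""".splitlines()

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"[{a.severity}] {a.timestamp} {a.src} -> {a.dst}:{a.dport}  {a.reason}")
```

The allowlist is deliberately a set of exact addresses rather than a subnet: the whole point of the check is that anyone on the LAN can drive the sign, so "same network as the admin" is not a useful boundary. On the sample log the run produces two high-severity alerts for the rogue host and one low-severity probe record.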
The Redirector software is currently not available from Lantronix's site due to legal issues involving competitors' software. It can, however, be easily requested from our friends at EDS and may be available over giFT or Kazaa. Once you've downloaded and installed the Lantronix software, you'll need to set it up to forward an unused COM port on your computer to the address of the MSS100 on port 3001. This software is pretty straightforward and easy to configure, so I won't elaborate much here, except to note that you need version 2.1.1 of the software for anything newer than Windows 98 and version 1.2.6 for Windows 95. Once you've set up the Lantronix software, open up SystemOne, configure it to use your newly emulated COM port, and set the communications to either Radio or Direct based on your earlier findings. You should now be able to communicate with this sign.

Conclusion

The last thing I should mention is that sometimes you may have to change the software configuration to work with a color sign instead of a standard black-and-white sign. This option is normally disabled in the configuration, but it can be enabled with a few keystrokes. First open up the EDS software and type F4, F4, F5. Then open up the Software Configuration dialog, hold down Shift, and click on the SystemOne icon in the top left (not the window icon). If you did this right you'll get a window that lets you change these super secret settings to whatever you need.

Use common sense when modifying a sign. Please don't modify signs that are displaying important information. The system, being so lax on security, is of course made without any type of logging system. So overall, you can strike without fear. Just use your head and have fun announcing fake giveaways at businesses and displaying animated stick-figure porn at your school.