
No, Hackers Aren’t Going to Take Control of Your Muni Train

But the Muni hack is still a bad omen of mischief to come.


Friday’s attack on Muni’s computer system felt like a blessing and a curse. On one hand, free Muni! On the other: WTF just happened? The headlines over the last few days have sounded an ominous note. In Wired, a quote from the American Public Transportation Association dished out a blanket warning about cyberattacks that “can destroy a transit agency’s physical systems, render them inoperable, [or] hand over control of those systems to an outside entity.” Scary! The hacker himself, using the pseudonym Andy Saolis, crowed about security holes in an email excerpted by Gizmodo: “It’s Show to You and Proof of Concept, Company don’t pay Attention to Your Safety ! They give Your Money and everyday Rich more! But they don’t Pay for IT Security and using very old system’s !” So is this jerk right?

Well, he’s right about the old technology. Muni’s transit operations run on a platform called OS/2. “It’s older than Windows,” says a former Muni employee who is familiar with the agency’s IT. But that in itself doesn’t make Muni’s light-rail vehicles a hacker free-for-all. The transit operations system is closed off from every other part of Muni, making it exceedingly difficult for a hacker to remotely break in. To interfere with the operation of Muni vehicles, a hacker would have to physically go to the train operation command center and get inside, says the former Muni employee: “It’s a little dark, dank cave-looking place that manages all the light-rail vehicles. It’s very tightly run. Not a lot of people in the organization have access to that area.” 

And this “Saolis” dude doesn’t strike us as all that motivated. The ransomware attack, which was likely triggered by a Muni employee clicking on a nefarious pop-up or emailed link, affected about 900 computers and screwed with the agency’s email system, says spokesman Paul Rose. From the hacker’s communiqués, he sounds more like someone who laid out a con for anyone to stumble into than someone hell-bent on screwing up San Francisco’s transit network. “We Gain Access Completely Random and Our Virus Working Automatically ! We Don’t Have Targeted Attack to them ! It’s wonderful !” Saolis gloated. His demand: Pay about $70,000 in bitcoin or lose access to the encryption-locked machines. Muni didn’t pay, but instead pieced together its data from backups. “Our customer payment systems were not hacked,” Muni explained in a statement. “Also, despite media reports—no data was accessed from any of our servers.”

The fare machines and fare gates also weren’t compromised. When the agency opened the gates on Friday, it was purely a precaution: Officials didn’t want riders to risk using their cards and exposing their personal information while they figured out what was going on. But it turned out there was no such risk, and riders got free Muni out of it, at least until the agency gave the all clear on Sunday. “We made the call to turn [the fare equipment] back on once we understood those systems were not compromised during the attack,” says Rose. 

So should we thank Saolis for saving us a few bucks and move on? Not so fast, says the ex–Muni employee. Saolis may not have been so bright himself—the security questions on his own email were sufficiently guessable that he, in turn, was hacked—but his hack is a reminder of a vulnerability that’s impossible to entirely eliminate. Fighting malware and ransomware, which prey on the human desire to click, is a never-ending game of one-upsmanship. “There’s no full-blown, 100 percent prevention for those types of things,” says the former Muni worker. “You may catch 90 to 95 percent of stuff, but on occasion a few things are going to come in.”

The good news, according to Rose, is that Muni contained this attack quickly. But can Muni really stop people from clicking on weird stuff? “We’ll be exploring what other options we have to prevent this from happening,” says Rose, declining to go into specifics. “Along with reminding users not to click.” Unless it’s for a free iPad—because that’s got to be real, right?



Follow Lamar Anderson on Twitter @srslynow