Hacking train Wi-Fi: Where are the weak spots?
Ken Munro, Partner at Pen Test Partners, details the numerous aspects in train operators’ software systems that should be checked and secured to prevent hackers and malicious attacks, and protect passengers’ data…
Wi-Fi is fast becoming a common and expected train service, enabling passengers to browse the web and work productively during their journey and staff to use wireless ticketing systems. In May 2018, Transport Secretary, Chris Grayling, advocated his ‘Digital Railway Strategy’1 at Infrarail, which, during the digital transformation, will implement Wi-Fi connectivity of one Gbps along rail routes in the UK. This means, for example, that drivers will be provided with real-time information using wireless networks rather than relying on trackside signals.
Yet this communication network can pose as a threat to the integrity of the train operator. Insecure Wi-Fi can see personal data compromised, ticketing disrupted or abused and train control systems potentially hijacked. Increasing reliance upon these wireless networks could expose operators and their customers to these scenarios further.
During two recent investigations on behalf of rail operators, we found a number of issues with train Wi-Fi networks. Firstly, there was a lack of segregation between the passengers, staff and the train control network itself. Failing to isolate systems can potentially allow a passenger or attacker to move easily from one system to another. Segregation is a must and yet this basic security precaution had been overlooked.
The segregation issue was further exacerbated by the use of weak administrator security. Default passwords were in place, which can easily be found online and other passwords were extremely weak, making them easy to brute force and crack. This renders the network defenceless and allows an attacker to change the routing and gain access to more sensitive systems.
In a separate second investigation, we were able to access personal data belonging to passengers including their credit card details. Again, segregation wasn’t in place, enabling us to bridge the wireless network to the wired network and locate a database server with default credentials on the connector. After a brief foray, we came across the personal credit card records for the passengers in economy who had paid for Wi-Fi access. This gave us information from passenger names to email addresses and credit card details.
Stepping stone attacks
Train Wi-Fi networks provide an easy starting point from which to carry out a stepping stone attack. They provide the curious passenger or malevolent attacker with the means to potentially harvest passenger data, gain access to train ticketing and even take over train control systems – making Wi-Fi a real threat to the integrity of the operator. The way Wi-Fi networks are currently configured and secured needs to be addressed to limit the exposure of passenger data and train systems.
Passengers should only be able to route traffic from their devices to the internet. The wireless router admin interface should not be accessible to passengers either so an access control list should be in place to prevent this. Train operators should investigate whether passengers can access the admin interface as it’s often available on the gateway IP address.
Ideally, passenger Wi-Fi should be completely isolated and make use of separate hardware, physically. This is more expensive but it is the preferred option and how many businesses install Wi-Fi in office environments – with separate routers and internet feeds.
Bridging can be prevented by increasing the complexity of log-on credentials. In many cases, these haven’t been changed from the default or are far too simple. These are often left in place due to the complex process of reconfiguring routers, so it is worth finding out how easy it is to change log-on details and patch these systems before committing to install.
While these steps may have prevented the weak spots, we discovered that other security issues, associated with Wi-Fi infrastructure, remained.
Security flaws are a case in point. These are often found in networking hardware and allow the hacker to bypass authentication and routing on wireless routers. Operators should therefore check for software and firmware updates and verify how often patches are applied to fix security flaws over their wireless infrastructure.
Physical security is another concern, as routers are often accessible on the train itself. A motivated hacker will be prepared to open cabinets on the train and standard square keys are easily cloned or forced; offering little deterrent. Look to see if wireless routers are housed behind easily accessible cabinets in the vestibules, as opposed to more secure storage. It takes just moments to open a door and connect to one of the ethernet ports on a wireless router, after which access to more sensitive networks may be possible.
When it comes to coverage black spots, train operators will typically resort to either satellite connectivity or trackside equipment to provide connectivity.
Satellite terminal providers and integrators often take minimal steps to secure the terminal, so it’s worth noting if the terminals are on the public internet – they should be on a private IP address space – if they keep the terminal software up to date and if the admin credentials are strong. Unfortunately, it’s incredibly easy to find these terminals online. A quick perusal of the Shodan2 search engine using the brand name of a satellite/Wi-Fi provider and it’s possible to locate them and determine default credentials.
Trackside equipment is often presumed to be more inaccessible but in reality, the lineside location poses little difficulty to the determined hacker. Network ports within these may be left open and are easily tapped into, allowing the attacker to infiltrate the network and move on to bigger targets.
Finally, there’s the issue of media servers. Operators offer media streaming from local servers on the train to minimise bandwidth and improve service quality. There have been a litany of security issues in the past associated with streaming servers, so operators should check these are locked down and kept up to date.
Installation is no assurance
The train operators that I have spoken to have used third parties to provision and integrate their passenger Wi-Fi, which is commendable, however, those same Wi-Fi specialists don’t necessarily understand security. All it takes are some simple oversights and the train control and ticketing networks are exposed. Ask for proof, secure your systems using the steps outlined above or bring in a third party to allay your concerns and when embarking on significant Wi-Fi upgrades, do your due diligence.
Ken Munro is a successful entrepreneur and Founder and Partner in Pen Test Partners. He is on the executive steering board for the IoT Security Foundation which aims to promote security and improve standards in the market. Ken has been in the info security business for almost 20 years.