Comment

03.07.18

Wi-fi as a weapon

Source: RTM June/July 2018

Self-described ethical hacker Ken Munro, a security entrepreneur at Pen Test Partners, attracted a full house at this year’s Infrarail during his presentation on how customer communication networks can be used to take over trains and have catastrophic consequences for the rail industry – we’re talking easy access to passenger credit card information, CCTV footage, and even to the messages shared by crew across the network. Here, he shares a handy checklist of how to make sure your wi-fi infrastructure is safe.

After speaking about wi-fi security at Infrarail in May, it struck me that very insecure passenger networks are making their way onto trains.

So here’s a quick checklist for making sure your passenger wi-fi network is secure. Similar checks could be applied to your guest network in your office, wi-fi on planes, and even buses and cars.

Is passenger wi-fi security really that bad today? Here are two real-life examples from recent exercises; draw your own conclusions!

Example 1: Accessing the staff and train control network from the passenger wi-fi network

We found unencrypted wi-fi with no segregation between the passenger, staff and train control networks. The admin credentials were default too, so one of your passengers could potentially interfere with wireless ticketing devices and the train systems themselves.

Example 2: Accessing customer credit card data from the passenger wi-fi network

First Class passengers got free wi-fi, Standard Class access was paid-for. Whilst Standard Class customers could stand in the vestibules to cheekily get free First Class access, most would pay with a credit card.

Again, segregation of networks wasn’t present. We could bridge the wireless network to the wired network, then found a database server with default credentials on the connector. Just moments later, we had customer card data.

Wondering how to fix this? Here’s a checklist:

  1. Segregate passenger wi-fi

The most basic defence: ensure that your passengers can ONLY route traffic from their devices to the internet. They should NOT be able to access your staff, ticketing or train networks.

The wireless router admin interface should not be accessible to passengers either: an access control list should be in place to prevent this. Check that you can’t access the admin interface; it’s often available on the gateway IP address.

It’s more expensive, but consider completely isolated, physically separate hardware for passenger wi-fi. That’s how many businesses do wi-fi in their offices: a separate router and separate internet feed.

  2. Ensure strong admin credentials on your wi-fi routers

The router admin interfaces should have very strong credentials in place. In many cases, we find that they haven’t been changed from the default or are far too simple.

Weak or default credentials mean that the hacker can change the routing, potentially allowing them access to more sensitive networks on your train.

  3. Update the software on the wireless routers

Security flaws are found all too often in networking hardware. These flaws can allow the hacker to bypass authentication and routing.

How often do you check for software/firmware updates for your wireless infrastructure, and how often do you apply the patches to fix security flaws?

  4. Make sure your routers are physically secure

A motivated hacker will be prepared to open cabinets on the train. If your locks just use standard square keys, then that’s no protection at all.

Are your wireless routers behind easily accessible cabinets in the vestibules, or are they located in much more secure cabinets?

It takes moments to open a door and connect to one of the ethernet ports on your wireless router, after which access to more sensitive networks may be possible.

  5. Check that your satellite terminals for your passenger wi-fi aren’t on the public internet

Many train wi-fi networks offer satellite connectivity for cellular black spots.

From our work in maritime satellite communications, we’ve found the terminal providers and integrators in many cases haven’t secured the terminal.

Ask your satellite communications provider if the terminals are on the public internet (they should be on a private IP address space); how they keep the terminal software up to date; and whether the admin credentials are strong.

Don’t believe me? Go search www.shodan.io for the brand name of your satellite or wi-fi provider and you’ll find terminals all over the public internet!

  6. If you use trackside equipment to fill coverage blackspots, check their security too

Lineside cabinets can be trivial for a motivated hacker to access.

Are network ports easily accessible? If so, could you detect a malicious attacker connecting to the network and attacking your systems?

  7. Certify that your media servers are secured

To minimise bandwidth, many operators offer media streaming from local servers on the train. Don’t forget to include these in your security check, as they could create a stepping stone onto more critical systems.

There has been a litany of security issues in the past with streaming servers, so check that yours are locked down and kept up to date.

See it for yourself

All too often, I hear operators say that they’ve had a third party do all the provision and integration of passenger wi-fi. That’s a good plan, as specialists understand the technology.

However, those same wi-fi specialists don’t always understand security. All it takes are some simple oversights and your train control and ticketing networks can be exposed.

So don’t take their word for it – go ask for proof, and go through the above checks yourself or bring in a third party to allay your concerns.

 
