Comment

03.07.18

Wi-fi as a weapon

Source: RTM June/July 2018

Self-described ethical hacker Ken Munro, a security entrepreneur at Pen Test Partners, attracted a full house at this year’s Infrarail during his presentation on how customer communication networks can be used to take over trains and have catastrophic consequences for the rail industry – we’re talking easy access to passenger credit card information, CCTV footage, and even to the messages shared by crew across the network. Here, he shares a handy checklist of how to make sure your wi-fi infrastructure is safe.

After speaking about wi-fi security at Infrarail in May, it struck me that very insecure passenger networks are making their way onto trains.

So here’s a quick checklist for making sure your passenger wi-fi network is secure. Similar checks could be applied to your guest network in your office, wi-fi on planes, and even buses and cars.

Is passenger wi-fi security really that bad today? Here are two real-life examples from recent exercises; draw your own conclusions!

Example 1: Accessing the staff and train control network from the passenger wi-fi network

We found unencrypted wi-fi with no segregation between the passenger, staff and train control networks. The admin credentials were still set to the defaults, so one of your passengers could potentially interfere with wireless ticketing devices and with the train systems themselves.

Example 2: Accessing customer credit card data from the passenger wi-fi network

First Class passengers got free wi-fi, Standard Class access was paid-for. Whilst Standard Class customers could stand in the vestibules to cheekily get free First Class access, most would pay with a credit card.

Again, segregation of networks wasn’t present. We could bridge the wireless network to the wired network, then found a database server with default credentials on the connector. Just moments later, we had customer card data.

Wondering how to fix this? Here’s a checklist:

  1. Segregate passenger wi-fi

The most basic defence: ensure that your passengers can ONLY route traffic from their devices to the internet. They should NOT be able to access your staff, ticketing or train networks.

The wireless router admin interface should not be accessible to passengers either: an access control list should be in place to prevent this. Check that you can’t access the admin interface; it’s often available on the gateway IP address.

It’s more expensive, but consider completely isolated, physically separate hardware for passenger wi-fi. That’s how many businesses do wi-fi in their offices: a separate router and separate internet feed.
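As an added illustration (not part of the original article), the sketch below models a first-match access control list and audits it against the segregation rule above: a passenger device may reach the internet and nothing else. The subnets, gateway address, ports and rule sets are all constructed assumptions, not values from any real train network.

```python
import ipaddress

# Constructed addressing plan (assumption, not taken from the article).
PASSENGER = ipaddress.ip_network("10.10.0.0/22")
GATEWAY = ipaddress.ip_address("10.10.0.1")
INTERNAL = {
    "staff": ipaddress.ip_network("10.20.0.0/24"),
    "ticketing": ipaddress.ip_network("10.30.0.0/24"),
    "train control": ipaddress.ip_network("10.40.0.0/24"),
}
ADMIN_PORTS = (22, 80, 443)
PUBLIC_HOST = ipaddress.ip_address("203.0.113.10")  # documentation address as a stand-in

# Rules are (action, source, destination, port or None for any port); first match wins.
WEAK_ACL = [
    ("permit", "10.10.0.0/22", "0.0.0.0/0", None),  # "any" also covers internal networks
]
HARDENED_ACL = [
    ("permit", "10.10.0.0/22", "10.10.0.1/32", 53),    # DNS on the gateway only
    ("deny",   "10.10.0.0/22", "10.10.0.1/32", None),  # router admin interface
    ("deny",   "10.10.0.0/22", "10.0.0.0/8", None),    # all private ranges
    ("deny",   "10.10.0.0/22", "172.16.0.0/12", None),
    ("deny",   "10.10.0.0/22", "192.168.0.0/16", None),
    ("permit", "10.10.0.0/22", "0.0.0.0/0", None),     # everything left is internet
]

def decide(acl, src, dst, port):
    """Return the action of the first matching rule; default is deny."""
    for action, rule_src, rule_dst, rule_port in acl:
        if (src in ipaddress.ip_network(rule_src)
                and dst in ipaddress.ip_network(rule_dst)
                and rule_port in (None, port)):
            return action
    return "deny"

def audit(acl):
    """List every segregation failure seen by a sample passenger device."""
    client = PASSENGER[100]
    findings = []
    for port in ADMIN_PORTS:
        if decide(acl, client, GATEWAY, port) == "permit":
            findings.append(f"gateway admin port {port} reachable")
    for name, net in INTERNAL.items():
        if decide(acl, client, net[10], 443) == "permit":
            findings.append(f"{name} network reachable")
    if decide(acl, client, PUBLIC_HOST, 443) != "permit":
        findings.append("internet access blocked")
    return findings

if __name__ == "__main__":
    print("weak:", audit(WEAK_ACL))
    print("hardened:", audit(HARDENED_ACL))
```

The weak rule set fails on all three admin ports and all three internal networks, while the hardened one returns no findings and still lets passengers out to the internet.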

  2. Ensure strong admin credentials on your wi-fi routers

The router admin interfaces should have very strong credentials in place. In many cases, we find that they haven’t been changed from the default or are far too simple.

Weak or default credentials mean that the hacker can change the routing, potentially allowing them access to more sensitive networks on your train.

  3. Update the software on the wireless routers

Security flaws are found all too often in networking hardware. These flaws can allow the hacker to bypass authentication and routing.

How often do you check for software/firmware updates for your wireless infrastructure, and how often do you apply the patches to fix security flaws?

  4. Make sure your routers are physically secure

A motivated hacker will be prepared to open cabinets on the train. If your locks just use standard square keys, then that’s no protection at all.

Are your wireless routers behind easily accessible cabinets in the vestibules, or are they located in much more secure cabinets?

It takes moments to open a door and connect to one of the ethernet ports on your wireless router, after which access to more sensitive networks may be possible.

  5. Check that your satellite terminals for your passenger wi-fi aren’t on the public internet

Many train wi-fi networks offer satellite connectivity for cellular black spots.

From our work in maritime satellite communications, we’ve found the terminal providers and integrators in many cases haven’t secured the terminal.

Ask your satellite communications provider if the terminals are on the public internet (they should be on a private IP address space); how they keep the terminal software up to date; and whether the admin credentials are strong.

Don’t believe me? Go search www.shodan.io for the brand name of your satellite or wi-fi provider and you’ll find terminals all over the public internet!

  6. If you use trackside equipment to fill coverage blackspots, check their security too

Lineside cabinets can be trivial for a motivated hacker to access.

Are network ports easily accessible? If so, could you detect a malicious attacker connecting to the network and attacking your systems?

  7. Certify that your media servers are secured

To minimise bandwidth, many operators offer media streaming from local servers on the train. Don’t forget to include these in your security check, as they could create a stepping stone onto more critical systems.

There has been a litany of security issues in the past with streaming servers, so check that yours are locked down and kept up to date.

See it for yourself

All too often, I hear operators say that they’ve had a third party do all the provision and integration of passenger wi-fi. That’s a good plan, as specialists understand the technology.

However, those same wi-fi specialists don’t always understand security. All it takes are some simple oversights and your train control and ticketing networks can be exposed.

So don’t take their word for it – go ask for proof, and go through the above checks yourself or bring in a third party to allay your concerns.

 
