03.07.18
Wi-fi as a weapon
Source: RTM June/July 2018
Self-described ethical hacker Ken Munro, a security entrepreneur at Pen Test Partners, attracted a full house at this year’s Infrarail during his presentation on how customer communication networks can be used to take over trains and have catastrophic consequences for the rail industry – we’re talking easy access to passenger credit card information, CCTV footage, and even to the messages shared by crew across the network. Here, he shares a handy checklist of how to make sure your wi-fi infrastructure is safe.
After speaking about wi-fi security at Infrarail in May, it struck me that very insecure passenger networks are making their way onto trains.
So here’s a quick checklist for making sure your passenger wi-fi network is secure. Similar checks could be applied to your guest network in your office, wi-fi on planes, and even buses and cars.
Is passenger wi-fi security really that bad today? Here are two real-life examples from recent exercises; draw your own conclusions!
Example 1: Accessing the staff and train control network from the passenger wi-fi network
We found unencrypted wi-fi with no segregation between the passenger, staff and train control networks. The admin credentials were default too, so one of your passengers could potentially interfere with wireless ticketing devices and the train systems themselves, too.
Example 2: Accessing customer credit card data from the passenger wi-fi network
First Class passengers got free wi-fi, Standard Class access was paid-for. Whilst Standard Class customers could stand in the vestibules to cheekily get free First Class access, most would pay with a credit card.
Again, segregation of networks wasn’t present. We could bridge the wireless network to the wired network, then found a database server with default credentials on the connector. Just moments later, we had customer card data.
Wondering how to fix this? Here’s a checklist:
- Segregate passenger wi-fi
The most basic defence: ensure that your passengers can ONLY route traffic from their devices to the internet. They should NOT be able to access your staff, ticketing or train networks.
The wireless router admin interface should not be accessible to passengers either: an access control list should be in place to prevent this. Check that you can’t access the admin interface; it’s often available on the gateway IP address.
It’s more expensive, but consider completely isolated, physically separate hardware for passenger wi-fi. That’s how many businesses do wi-fi in their offices: a separate router and separate internet feed.
- Ensure strong admin credentials on your wi-fi routers
The router admin interfaces should have very strong credentials in place. In many cases, we find that they haven’t been changed from the default or are far too simple.
Weak or default credentials mean that the hacker can change the routing, potentially allowing them access to more sensitive networks on your train.
- Update the software on the wireless routers
Security flaws are found all too often in networking hardware. These flaws can allow the hacker to bypass authentication and routing.
How often do you check for software/firmware updates for your wireless infrastructure, and how often do you apply the patches to fix security flaws?
- Make sure your routers are physically secure
A motivated hacker will be prepared to open cabinets on the train. If your locks just use standard square keys, then that’s no protection at all.
Are your wireless routers behind easily accessible cabinets in the vestibules, or are they located in much more secure cabinets?
It takes moments to open a door and connect to one of the ethernet ports on your wireless router, after which access to more sensitive networks may be possible.
- Check that your satellite terminals for your passenger wi-fi aren’t on the public internet
Many train wi-fi networks offer satellite connectivity for cellular black spots.
From our work in maritime satellite communications, we’ve found the terminal providers and integrators in many cases haven’t secured the terminal.
Ask your satellite communications provider if the terminals are on the public internet (they should be on a private IP address space); how they keep the terminal software up to date; and whether the admin credentials are strong.
Don’t believe me? Go search www.shodan.io for the brand name of your satellite or wi-fi provider and you’ll find terminals all over the public internet!
- If you use trackside equipment to fill coverage blackspots, check their security too
Lineside cabinets can be trivial for a motivated hacker to access.
Are network ports easily accessible? If so, could you detect a malicious attacker connecting to the network and attacking your systems?
- Certify that your media servers are secured
To minimise bandwidth, many operators offer media streaming from local servers on the train. Don’t forget to include these in your security check, as they could create a stepping stone onto more critical systems.
There has been a litany of security issues in the past with streaming servers, so check that yours are locked down and kept up to date.
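One way to run the segregation check from the first checklist item ("Segregate passenger wi-fi") on a laptop joined to your own passenger wi-fi. This is an added example, not code from the article or from Pen Test Partners. The target list uses constructed placeholder addresses and ports, and the `probe` and `audit` names are hypothetical.

```python
import socket
import sys

# Constructed placeholder targets (documentation address ranges). Replace them
# with your own gateway, staff, ticketing and train-network addresses.
MUST_BE_UNREACHABLE = [
    ("router admin on gateway IP", "192.0.2.1", 443),
    ("router admin on gateway IP", "192.0.2.1", 80),
    ("staff network host", "198.51.100.10", 445),
    ("ticketing database server", "198.51.100.20", 3306),
]


def probe(host, port, timeout=2.0):
    """Classify one TCP connection attempt as 'open', 'closed' or 'blocked'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # full handshake: the service is reachable
    except ConnectionRefusedError:
        return "closed"          # something answered with a refusal
    except OSError:
        return "blocked"         # timeout or no route: nothing came back


def audit(targets, probe_fn=probe):
    """Return findings for every target that passenger traffic can reach."""
    findings = []
    for label, host, port in targets:
        state = probe_fn(host, port)
        if state == "open":
            findings.append(("FAIL", label, host, port,
                             "service reachable from passenger wi-fi"))
        elif state == "closed":
            findings.append(("WARN", label, host, port,
                             "refusal received: confirm whether the host is "
                             "routable or the firewall is rejecting"))
    return findings


if __name__ == "__main__":
    results = audit(MUST_BE_UNREACHABLE)
    for severity, label, host, port, detail in results:
        print(f"{severity} {label} {host}:{port} - {detail}")
    if not results:
        print("PASS: no listed internal target answered")
    # Non-zero exit lets a scheduled check flag a segregation regression.
    sys.exit(1 if any(r[0] == "FAIL" for r in results) else 0)
```

A "closed" result is reported as a warning because a refusal means a packet came back from beyond the passenger segment, so the access control list or routing needs a second look even though no service accepted the connection.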
See it for yourself
All too often, I hear operators say that they’ve had a third party do all the provision and integration of passenger wi-fi. That’s a good plan, as specialists understand the technology.
However, those same wi-fi specialists don’t always understand security. All it takes are some simple oversights and your train control and ticketing networks can be exposed.
So don’t take their word for it – go ask for proof, and go through the above checks yourself or bring in a third party to allay your concerns.