Wi-fi as a weapon

Source: RTM June/July 2018

Self-described ethical hacker Ken Munro, a security entrepreneur at Pen Test Partners, attracted a full house at this year’s Infrarail during his presentation on how customer communication networks can be used to take over trains and have catastrophic consequences for the rail industry – we’re talking easy access to passenger credit card information, CCTV footage, and even to the messages shared by crew across the network. Here, he shares a handy checklist of how to make sure your wi-fi infrastructure is safe.

After speaking about wi-fi security at Infrarail in May, it struck me that very insecure passenger networks are making their way onto trains.

So here’s a quick checklist for making sure your passenger wi-fi network is secure. Similar checks could be applied to your guest network in your office, wi-fi on planes, and even buses and cars.

Is passenger wi-fi security really that bad today? Here are two real-life examples from recent exercises; draw your own conclusions!

Example 1: Accessing the staff and train control network from the passenger wi-fi network

We found unencrypted wi-fi with no segregation between the passenger, staff and train control networks. The admin credentials were default too, so one of your passengers could potentially interfere with wireless ticketing devices and the train systems themselves, too.

Example 2: Accessing customer credit card data from the passenger wi-fi network

First Class passengers got free wi-fi, Standard Class access was paid-for. Whilst Standard Class customers could stand in the vestibules to cheekily get free First Class access, most would pay with a credit card.

Again, segregation of networks wasn’t present. We could bridge the wireless network to the wired network, then found a database server with default credentials on the connector. Just moments later, we had customer card data.

Wondering how to fix this? Here’s a checklist:

  1. Segregate passenger wi-fi

The most basic defence: ensure that your passengers can ONLY route traffic from their devices to the internet. They should NOT be able to access your staff, ticketing or train networks.

The wireless router admin interface should not be accessible to passengers either: an access control list should be in place to prevent this. Check that you can’t access the admin interface; it’s often available on the gateway IP address.

It’s more expensive, but consider completely isolated, physically separate hardware for passenger wi-fi. That’s how many businesses do wi-fi in their offices: a separate router and separate internet feed.

  1. Ensure strong admin credentials on your wi-fi routers

The router admin interfaces should have very strong credentials in place. In many cases, we find that they haven’t been changed from the default or are far too simple.

Weak or default credentials means that the hacker can change the routing, potentially allowing them access to more sensitive networks on your train.

  1. Update the software on the wireless routers

Security flaws are found all too often in networking hardware. These flaws can allow the hacker to bypass authentication and routing.

How often do you check for software/firmware updates for your wireless infrastructure, and how often do you apply the patches to fix security flaws?

  1. Make sure your routers are physically secure                                                                                                                                                                 

A motivated hacker will be prepared to open cabinets on the train. If your locks just use standard square keys, then that’s no protection at all.

Are your wireless routers behind easily accessible cabinets in the vestibules, or are they located in much more secure cabinets?

It takes moments to open a door and connect to one of the ethernet ports on your wireless router, after which access to more sensitive networks may be possible.

  1. Check that your satellite terminals for your passenger wi-fi aren’t on the public internet

Many train wi-fi networks offer satellite connectivity for cellular black spots.

From our work in maritime satellite communications, we’ve found the terminal providers and integrators in many cases haven’t secured the terminal.

Ask your satellite communications provider if the terminals are on the public internet (they should be on a private IP address space); how they keep the terminal software up to date; and whether the admin credentials are strong.

Don’t believe me? Go search for the brand name of your satellite or wi-fi provider and you’ll find terminals all over the public internet!

  1. If you use trackside equipment to fill coverage blackspots, check their security too

Lineside cabinets can be trivial for a motivated hacker to access.

Are network ports easily accessible? If so, could you detect a malicious attacker connecting to the network and attacking your systems?

  1. Certify that your media servers are secured

To minimise bandwidth, many operators offer media streaming from local servers on the train. Don’t forget to include these in your security check, as they could create a stepping stone onto more critical systems.

There have been a litany of security issues in the past with streaming servers, so check that yours are locked down and kept up to date.

See it for yourself

All too often, I hear operators say that they’ve had a third party do all the provision and integration of passenger wi-fi. That’s a good plan, as specialists understand the technology.

However, those same wi-fi specialists don’t always understand security. All it takes are some simple oversights and your train control and ticketing networks can be exposed.

So don’t take their word for it – go ask for proof, and go through the above checks yourself or bring in a third party to allay your concerns.


Enjoying RTM? Subscribe here to receive our weekly news updates or click here to receive a copy of the magazine!


There are no comments. Why not be the first?

Add your comment

rail technology magazine tv

more videos >

latest rail news

View all News

rail industry focus

Versatile coating system enhances Indestructible Paint rail industry role

12/08/2020Versatile coating system enhances Indestructible Paint rail industry role

A highly versatile and robust epoxy coating s... more >
Network Rail partners with Cycling UK for new initiative

03/08/2020Network Rail partners with Cycling UK for new initiative

Network Rail and Cycling UK have launched a p... more >

editor's comment

23/01/2018Out with the old...

Despite a few disappointing policy announcements, especially for the electrification aficionados amongst us, 2017 was, like Darren Caplan writes on page 20, a year generally marked by positive news for the rail industry. We polished off the iconic Ordsall Chord (p32), hit some solid milestones on Thameslink (p40), progressed on ambitious rolling stock orders (p16), and finally started moving forward on HS2 (p14) ‒ paving the way for a New Year with brand-new infrastructrure to... read more >

last word

Encouraging youngsters to be safe on the railway

Encouraging youngsters to be safe on the railway

This summer, Arriva Group's CrossCountry and the Scout Association joined to launch a new partnership to promote rail safety among young people. Chris Leech MBE, business community manager at the TOC, gives RTM an update on the innovative scheme. Recognising that young people are more likely to take a risk trespassing on railway tracks, C... more > more last word articles >

'the sleepers' daily blog

On the right track, Sulzer is awarded RISAS accreditation for Nottingham Service Centre

29/06/2020On the right track, Sulzer is awarded RISAS accreditation for Nottingham Service Centre

Following an independent audit, Sulzer’s Nottingham Service Centre has been accepted as part of the rail industry supplier approval scheme (RISAS). The accreditation reinforces the high-quality standards that are maintained by Sulzer’s network of independent repair facilities across the UK and further afield in its global network. ... more >
read more blog posts from 'the sleeper' >


Andrew Haines, CE of Network Rail, tells BBC News his organisation could issue future rail franchises

24/06/2019Andrew Haines, CE of Network Rail, tells BBC News his organisation could issue future rail franchises

Andrew Haines, the Chief Executive of Network Rail, has told the Today programme on Radio 4's BBC’s flagship news programme that he wo... more >
Advancing the rail industry with management degree apprenticeships

08/05/2019Advancing the rail industry with management degree apprenticeships

In answering the pressing questions of how current and future generations of managers can provide solutions to high-profile infrastructure projec... more >
Women in rail - is the industry on the right track?

12/03/2019Women in rail - is the industry on the right track?

RTM sits down with Samantha Smith, sole female member of the TransPennine Route Upgrade Alliance Leadership Team, to find out more about encourag... more >
TfN Strategic Transport Plan: not just for transport's sake

22/01/2019TfN Strategic Transport Plan: not just for transport's sake

Peter Molyneux, Transport for the North’s (TfN’s) strategic roads director, has been leading on the development of the seven economic... more >