Hackers can jump from passenger Wi-Fi to train control networks

Setting up a Wi-Fi network for passengers to use is practically a must for railway companies these days. Unfortunately, that welcome add-on for travelers can become a means for attackers to gain access to other networks and systems.

To those skeptical about these possibility, Pen Test Partners researcher Ken Munro shared the results of his colleagues’ most recent pentesting efforts.

In both exercises, there was an exploitable lack of segregation between the passenger and the staff and train control networks, allowing them to interfere with the latter.

Default credentials are another problem: during one probing they leveraged them to access travelers’ personal and payment card data (second class passengers had to pay for Wi-Fi access).

Securing passenger Wi-Fi networks

“All too often I hear operators say that they’ve had a third party do all the provision and integration of passenger Wi-Fi. That’s a good plan, as specialists understand the technology,” says Munro.

“However, those same Wi-Fi specialists don’t always understand security. All it takes are some simple oversights and your train control and ticketing networks can be exposed.”

Munro did not name the railway service operators whose passenger network implementations they found wanting, but he did offer some good tips for those who are interested in securing them.

Network segregation tops the list, of course. “Ensure that your passengers can ONLY route traffic from their devices to the internet,” he advises. “The wireless router admin interface should not be accessible to passengers either: an access control list should be in place to prevent this.”

The best way to ensure this segregation is to use physically separate hardware for passenger Wi-Fi, he adds.

Keeping the software on wireless routers up-to-date and using strong (non-default) admin credentials on them should, by now, be a matter of routine.

Make sure to put routers and lineside cabinets holding networking equipment beyond the physical reach of would-be attackers, and secure your media servers.

“To minimise bandwidth, many operators offer media streaming from local servers on the train,” Munro explains. “Don’t forget to include these in your security check, as they could create a stepping stone on to more critical systems.”

Finally, check that your satellite terminals for your passenger Wi-Fi aren’t on the public internet, are regularly updated, and the admin credentials for them strong.

“Similar checks could be applied to your guest network in your office, Wi-Fi on planes and even buses and cars,” Munro concluded.