News: 1727346593

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Public Wi-Fi operator investigating cyberattack at UK's busiest train stations

(2024/09/26)


Updated A cybersecurity incident is being probed at Network Rail, the UK non-departmental public body responsible for repairing and developing train infrastructure, after unsavory messaging was displayed to those connecting to major stations' free Wi-Fi portals.

The message displayed to users via a compromised Wi-Fi landing page, seen by The Register , is Islamophobic in nature and references the 2017 Manchester Arena bombings.

All 20 stations managed by Network Rail across the UK are thought to be affected, with Wi-Fi services still unavailable this morning while investigations into the root cause continue.

[1]

The stations affected include 10 in London – all the major rail hubs in the city – and other key commuter stations such as Manchester Piccadilly, Birmingham New Street, Leeds, Reading, Glasgow Central, Bristol Temple Meads, and more.

[2]

[3]

Network Rail and the British Transport Police (BTP) are on the case, with the latter telling us: "We received reports at around 1703 yesterday [25 September] of a cyberattack displaying Islamophobic messaging on some Network Rail Wi-Fi services. We are working alongside Network Rail to investigate the incident at pace."

Network Rail's Wi-Fi is operated by Warwickshire-based communications company Telent, which said it's working alongside the two transport bodies to resolve the issues.

[4]

"We are aware of the cyber security incident affecting the public Wi-Fi at Network Rail's managed stations and are investigating with [5]Network Rail and other stakeholders," said a Telent spokesperson.

"We have been informed there is an ongoing investigation by the British Transport Police into this incident, so it would not be appropriate to comment further at this stage."

Telent also manages telecoms solutions across other rail networks such as HS1, Crossrail, Transport for Greater Manchester, Transport Scotland, and Mersey Travel, but a spokesperson said no other customers are thought to be affected.

[6]

Infosec experts weighed in on the news, saying the event is the latest to highlight how [7]critical national infrastructure (CNI) in the UK is a common target for cybercriminals looking to send a message.

Muhammad Yahya Patel, lead security engineer at Check Point Software, said: "Public Wi-Fi, often unencrypted and easily accessible, provides an ideal entry point for attackers. Unlike the security of home Wi-Fi, which is password-protected and encrypted, [8]public Wi-Fi leaves users' data exposed to anyone on the network. In this attack, passengers logging in were shown disturbing messages about terror attacks in Europe, underlining the ease with which attackers can manipulate public networks.

"The attack also raises critical questions about how well these networks are maintained," he added. "Outdated hardware and software create exploitable vulnerabilities, which is a growing concern for systems as vital as public transport. With Network Rail suspending Wi-Fi services and British Transport Police investigating the breach, this event highlights the pressing need to fortify public networks – especially as cybercriminals increasingly set their sights on critical national infrastructure."

[9]Chinese server-maker Inspur claims it's on track for better liquid cooling with 'railway sleeper' design

[10]Domo arigato, Mr Roboto: Japan's bullet trains to ditch drivers

[11]French internet cables cut in act of sabotage that caused outages across country

[12]San Francisco's light rail to upgrade from floppy disks

The root cause of the attack is still yet to be confirmed officially, but that hasn't stopped industry commentators from sharing the intel they've gleaned.

Kevin Beaumont, for example, claimed the issues is far from being contained and Telent has various endpoints exposed to the web.

"[Telent] have everything from Outlook Web App facing the internet to a Cisco AnyConnect box without [13]MFA to Juniper management interfaces to documentation servers etc," he [14]alleged . "Pour one out for the IR team." ®

Updated to add at 1106 UTC:

Telent has updated its [15]statement to note that Global Reach manages the landing pages, which were seemingly defaced after being compromised via an admin account.

It added that no personal data was affected, stating: "Through investigations with Global Reach, the provider of the Wi-Fi landing page, it has been identified that an unauthorised change was made to the Network Rail landing page from a legitimate Global Reach administrator account and the matter is now subject to criminal investigations by the British Transport Police."

Get our [16]Tech Resources



[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZvWFJesilpP9azlCbOeXIAAAAVE&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZvWFJesilpP9azlCbOeXIAAAAVE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZvWFJesilpP9azlCbOeXIAAAAVE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZvWFJesilpP9azlCbOeXIAAAAVE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[5] https://www.theregister.com/2024/03/12/network_rail_pulls_geofencing_over/

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZvWFJesilpP9azlCbOeXIAAAAVE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[7] https://www.theregister.com/2024/09/12/uk_datacenters_cni/

[8] https://www.theregister.com/2024/08/26/asia_tech_news_in_brief/

[9] https://www.theregister.com/2024/09/23/inspur_sleeper_liquid_cooling_design/

[10] https://www.theregister.com/2024/09/12/japan_automated_bullet_train/

[11] https://www.theregister.com/2024/07/29/french_fiber_cables_cut/

[12] https://www.theregister.com/2024/04/09/san_francisco_muni_floppy_disks/

[13] https://www.theregister.com/2024/05/23/microsoft_windows_updates_azure/

[14] https://cyberplace.social/@GossiTheDog/113202942953540819

[15] https://telent.com/news/public-wi-fi-outage-at-network-rails-managed-stations

[16] https://whitepapers.theregister.com/



Still offline?

Hans Neeson-Bumpsadese

Seeing as who the victim is, I thought they might have been able to arrange a replacement data bus service.

Re: Still offline?

elsergiovolador

I wonder how many likes were lost because of this incident...

Wi-Fi

elsergiovolador

There was a Wi-Fi?

Has anyone ever managed to use it?

Re: Wi-Fi

tiggity

Used it indirectly. (don't trust public Wi-Fi so would not use it directly)

I had GPS turned off and was at Derby station and my android phone seemed to think I was located at a different city station on the Midland network (my guess is both Wi-Fi points had same SSID and it was based on Google slurping SSID data and location and it had non Derby location given for the SSID*)

Flicking on GPS nullified the problem & Google Maps app on phone then showed correct location..

I had Wi-Fi off, but I know Google can sneakily check Wi-Fi data in geolocation if you neglect to nobble some setting hidden away beware of the leopard style.

* Best example was a mate of mine at a Google event in UK, his location showed as the States (SF IIRC) - I'm guessing that some of the Wi-Fi kit Google brought over had been deployed in USA previously (or they use same SSID in multiple locations - again it was an android phone making me think it's using Google database of SSID and location)

Re: Wi-Fi

TRT

WiPS is typically based on both the SSID and the WAP MAC address because of the issue of very wide area SSID provisioning. The issue with WiPS at railway stations is usually down to on-board WAPS having been slurped at many different geographical locations. Nowadays the providers of such slurped positioning data assign a very low reliability score to WAP MACs that are seen in multiple places.

It used to be quite good fun in the old days of Ingress to visit e.g. King's Cross and set off an EMP burst in Inverness!

A Non e-mouse

Public Wi-Fi, often unencrypted and easily accessible, provides an ideal entry point for attackers.

To what? It's just to the internet, it's not to a corporate's private internal systems.

Unlike the security of home Wi-Fi, which is password-protected and encrypted, public Wi-Fi leaves users' data exposed to anyone on the network

And that's why IT people have been banging on about using TLS for aeons as you can never trust a network. See: China, Russia, etc.

Yet more scaremongering form someone who should know better.

Anonymous Coward

Just for my own technical understanding:

I get that non-password-protected wifi can have its contents seen by anybody nearby; it's effectively sending everything in plaintext.

If the wifi is password-protected, with multiple machines on that network that have had the password entered, can they read each other's traffic, or just their own?

Hans Neeson-Bumpsadese

I think it depends on how the network itself is configured, rather than having anything to do with whether or not you need a password to get onto the network. From my own experience, using the very limited sample of one....I have a router which supports multiple wireless hotspots - all password protected to control who can access it. One network allows you to see other machines on who have joined the network using that hotspot. Others are designated as guest networks, and on there you can't see any other machines at all...not even others on the same guest network

FirstTangoInParis

So there’s usually a setting on WiFi APs that either allow or disable access to other stations (handsets, printers etc) from any other station. It’s probably in the 802.11 standards somewhere.

Anonymous Coward

(the previous AC)

I'm familiar with that setting, and use it myself at home. My question is, even if that is set so the machines can communicate with each other, can they read the traffic between the other machine and the wifi router?

Looking at it differently, is the encryption per-device (so they can't see each others' data), or per-router (all use the same keys so they can all see everything)?

cracked and broken

Probably the most dangerous thing about public WiFi is that someone can set up a fake access point with the same SSID as the real one and you won't know that you have connected to it.

Even if your browser is connecting to web sites using TLS, they can use DNS spoofing to get you to log into fake web sites and reveal your passwords for other services. This is the best reason I know to use a VPN.

Censored Message contents

andy gibson

Not sure why but I had to go to Twitter to find out what the message actually said

Re: Censored Message contents

Furious Reg reader John

Most of the message is a copy of the Wikipedia article about the Manchester Arena bombing. It's a shame El Reg feels the need to censor details of Islamist acts of terror, but I guess this is in line with the UK's current two tier approach to civil unrest.

CheckPoint's remarks

Anonymous Coward

...are completely irrelevant as they pertain to the security of the WiFi session itself.

Muppets.

The question is how did the hackers get into the administration application, and it seems as if they got in through an legitimate account, which means they had the password (assuming they didn't bruteforce it).

I'm betting no 2FA configured.

Re: CheckPoint's remarks

Anonymous Coward

The question is how did the hackers get into the administration application

Indeed, so many unanswered questions. Was the wifi router's 'admin' account left with a default password of 'admin' or 'password'?

Re: CheckPoint's remarks

katrinab

Or "Netgear"

abend0c4

Apart from the potential for data gathering, the primary purpose of landing pages seems to be to get people to agree to terms and conditions. I'm sure that's a huge obstacle to those who wish to flout them. Presumably it's a liability thing, but I can't see they serve a genuinely useful purpose.

Bendacious

I agree that landing pages are generally useless but I like them. If I see one then I know I have accidentally connected to a public network and immediately disconnect - or in rare circumstances it reminds me to only do the one search I need to do and not login anywhere or make purchases.

Guy de Loimbard

No doubt weak security and/or default security settings as the A/C poster said.

This is hardly the hack of the century, think some of the comedy messages after the highways agency roadside information posts were hacked!

For shits and giggles I would love to know what happened to allow this system to be compromised, but I suspect there will be some sysadmin somewhere busily deflecting the cock up elsewhere!

Leaves on the track.

TimMaher

Always the excuse.

Mine’s the one with a Bradshaw in the pocket.

Never eat more than you can lift.
-- Miss Piggy