
Still offline?
Seeing as who the victim is, I thought they might have been able to arrange a replacement data bus service.
A cybersecurity incident is being probed at Network Rail, the UK non-departmental public body responsible for repairing and developing train infrastructure, after unsavory messaging was displayed to those connecting to major stations' free Wi-Fi portals. The message displayed to users via a compromised Wi-Fi landing page, seen …
Used it indirectly. (don't trust public Wi-Fi so would not use it directly)
I had GPS turned off and was at Derby station and my android phone seemed to think I was located at a different city station on the Midland network (my guess is both Wi-Fi points had same SSID and it was based on Google slurping SSID data and location and it had non Derby location given for the SSID*)
Flicking on GPS nullified the problem & Google Maps app on phone then showed correct location.
I had Wi-Fi off, but I know Google can sneakily check Wi-Fi data in geolocation if you neglect to nobble some setting hidden away beware of the leopard style.
* Best example was a mate of mine at a Google event in UK, his location showed as the States (SF IIRC) - I'm guessing that some of the Wi-Fi kit Google brought over had been deployed in USA previously (or they use same SSID in multiple locations - again it was an android phone making me think it's using Google database of SSID and location)
WiPS is typically based on both the SSID and the WAP MAC address because of the issue of very wide area SSID provisioning. The issue with WiPS at railway stations is usually down to on-board WAPs having been slurped at many different geographical locations. Nowadays the providers of such slurped positioning data assign a very low reliability score to WAP MACs that are seen in multiple places.
It used to be quite good fun in the old days of Ingress to visit e.g. King's Cross and set off an EMP burst in Inverness!
> Not sure why this got downvoted. Main line stations in London have abysmal connectivity.
(Indeed, and it's not just London - affected stations are as far north as Liverpool)
Metro's two-page article this morning concluded under a cartoon whose punchline was essentially "wait, people are able to get on Network Rail WiFi?" with a comparison of the incident to new BBC drama Nightsleeper, before stating "The National Cyber Security Council, the National Crime Agency and British Transport Police are all investigating".
It very much brightened my morning -->
> Public Wi-Fi, often unencrypted and easily accessible, provides an ideal entry point for attackers.
To what? It's just to the internet, it's not to a corporate's private internal systems.
> Unlike the security of home Wi-Fi, which is password-protected and encrypted, public Wi-Fi leaves users' data exposed to anyone on the network
And that's why IT people have been banging on about using TLS for aeons as you can never trust a network. See: China, Russia, etc.
Yet more scaremongering from someone who should know better.
Just for my own technical understanding:
I get that non-password-protected wifi can have its contents seen by anybody nearby; it's effectively sending everything in plaintext.
If the wifi is password-protected, with multiple machines on that network that have had the password entered, can they read each other's traffic, or just their own?
I think it depends on how the network itself is configured, rather than having anything to do with whether or not you need a password to get onto the network. From my own experience, using the very limited sample of one... I have a router which supports multiple wireless hotspots - all password protected to control who can access it. One network allows you to see other machines who have joined the network using that hotspot. Others are designated as guest networks, and on there you can't see any other machines at all... not even others on the same guest network.
(the previous AC)
I'm familiar with that setting, and use it myself at home. My question is, even if that is set so the machines can communicate with each other, can they read the traffic between the other machine and the wifi router?
Looking at it differently, is the encryption per-device (so they can't see each others' data), or per-router (all use the same keys so they can all see everything)?
Per Wikipedia, the shared key (the wifi password, as normal people would say) authenticates what a client is allowed to connect and then "a Pairwise Transient Key (PTK) is generated for secure data exchange" during the initial handshake and then "the established PTK is used for encrypting unicast traffic, and the Group Temporal Key (GTK) is used for broadcast traffic". So, one key per client for most traffic except for broadcast traffic which, by its nature, should be visible to all clients on the broadcast segment.
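The key hierarchy that the Wikipedia quote above describes, as an added example that is not part of the thread: it derives the pairwise key for two clients that share one WPA2-Personal passphrase, assuming CCMP (a 384-bit PTK). The SSID, passphrase, MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key: PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, n_bytes: int) -> bytes:
    """802.11 PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out, counter = b"", 0
    while len(out) < n_bytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:n_bytes]

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> dict:
    """Pairwise Transient Key, split into its three parts (CCMP layout)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    # KCK authenticates handshake frames, KEK wraps the GTK,
    # TK encrypts this client's unicast traffic.
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}

# Constructed sample values, not taken from any real network.
SSID = "Example-Station-WiFi"
PASSPHRASE = "correct horse battery"
AP_MAC = bytes.fromhex("020000000001")
LAPTOP_MAC = bytes.fromhex("0200000000a1")
PHONE_MAC = bytes.fromhex("0200000000b2")

def nonce(tag: bytes) -> bytes:
    """Deterministic stand-in for the 32 random bytes each side generates."""
    return hashlib.sha256(tag).digest()

def session_keys():
    # Both clients start from the same PMK because they typed the same password.
    pmk = pmk_from_passphrase(PASSPHRASE, SSID)
    laptop = derive_ptk(pmk, AP_MAC, LAPTOP_MAC, nonce(b"a1"), nonce(b"s1"))
    phone = derive_ptk(pmk, AP_MAC, PHONE_MAC, nonce(b"a2"), nonce(b"s2"))
    # The laptop reconnects: fresh nonces give a fresh key.
    rejoin = derive_ptk(pmk, AP_MAC, LAPTOP_MAC, nonce(b"a3"), nonce(b"s3"))
    return laptop, phone, rejoin

if __name__ == "__main__":
    for name, keys in zip(("laptop", "phone", "laptop rejoin"), session_keys()):
        print(f"{name:14s} TK = {keys['tk'].hex()}")
```

The MAC addresses and nonces are exchanged in the clear during the handshake, so the secrecy of each client's TK rests on the shared passphrase.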
"I get that non-password-protected wifi can have its contents seen by anybody nearby; it's effectively sending everything in plaintext."
No it isn't, and some of the responses to your comment are a bit mad.
Wifi passwords are for authentication to the network itself and not some sort of encryption mechanism. No password requirement simply means that anyone may use the wifi. You don't have to enter a password (pay) to enter the M5, M4, M1, M25 etc but you do have to pay to use the M6 toll section. In both cases you get to use the road but you have to "authenticate" to the M6 toll (with dosh). The road experience is largely the same.
Many public wifi setups will isolate each client from each other. To test that, try a broadcast ping or an nmap ping scan.
Now you have comms then it is up to you to secure what you do with it - not the provider: they might like to harvest an email address to spam and perhaps watch your DNS lookups etc. It's up to you to decide how much information to leak. You might not care. Your comms with most web sites are secured by TLS these days and that is end to end encryption. The provider will still see the traffic flows but not the content.
If you really want to go dark then you will need a VPN back to a trusted place. That means back home. You will need to host your own VPN solution - OpenVPN/IPSEC/Wireguard. Now you are only leaking information to your ISP ...
Cheers
Jon
Probably the most dangerous thing about public WiFi is that someone can set up a fake access point with the same SSID as the real one and you won't know that you have connected to it.
Even if your browser is connecting to web sites using TLS, they can use DNS spoofing to get you to log into fake web sites and reveal your passwords for other services. This is the best reason I know to use a VPN.
"This is the best reason I know to use a VPN."
(I also keep a local DNS server or two handy, just in case I can't use a VPN. Mind you it's pretty easy to fiddle with proxies over unlikely protocols to get out of a hole.)
I think you are absolutely correct - obviate the risk by tunneling out. However, your tunnel should go to a safe place. That safe place for me is home and not an external provider. That may not be the case for others.
Internet "safety" is quite a complex issue. I think you are following current good practice. Crack on 8)
Cheers
Jon
Re "Public Wi-Fi, often unencrypted and easily accessible, provides an ideal entry point for attackers.
To what? It's just to the internet, it's not to a corporate's private internal systems."
You are, of course, assuming the public Wifi is set up properly, and not just provided by a Wifi Access point and associated router just connected to a company's internal network.
The BBC published it verbatim since it was so anodyne. It has since been pulled nationally and an image circulated instead with dramatic blurring of ~all of it, in order to support a preferred story.
Just do a search on Twitter for "rail wifi"(latest tab). 2 secs later: Here's a BBC screenshot.
...are completely irrelevant as they pertain to the security of the WiFi session itself.
Muppets.
The question is how did the hackers get into the administration application, and it seems as if they got in through a legitimate account, which means they had the password (assuming they didn't bruteforce it).
I'm betting no 2FA configured.
Apart from the potential for data gathering, the primary purpose of landing pages seems to be to get people to agree to terms and conditions. I'm sure that's a huge obstacle to those who wish to flout them. Presumably it's a liability thing, but I can't see they serve a genuinely useful purpose.
> Apart from the potential for data gathering, the primary purpose of landing pages seems to be to get people to agree to terms and conditions
Which (by and large [1] ) absolves the provider from the actions of the end-user. They exist not to prevent people from doing Bad Stuff(TM) but to do as far as possible, CYA for the provider.
[1] Along with suitable web filtering et al.
I avoid public WiFi but at work my phone will connect. The landing page - which is supposed to harvest an email address - totally fails to load if you make a direct https connection. For example, if I go to http://theregister.com/ it will show the landing page, but if I go to https://theregister.com/ it will show El Reg. I've never "authenticated" to this WiFi. The email client on my phone gets through this network without problems too.
No doubt weak security and/or default security settings as the A/C poster said.
This is hardly the hack of the century, think some of the comedy messages after the highways agency roadside information posts were hacked!
For shits and giggles I would love to know what happened to allow this system to be compromised, but I suspect there will be some sysadmin somewhere busily deflecting the cock up elsewhere!
So company X runs WIFI for WBRCT (Whatever-British-Rail-Is-Called-Today)
But a separate company Y supplies the landing page
And they outsourced management of the landing page server to company Z
But changes to the landing page have to be made by media company SQUIGGLE_NOT_AVAILABLE_IN_UNICODE
And this is cheaper and more secure ?
Imagine if the track, maintenance, signals, locomotives, trains and tickets were all operated by separate companies - it would be total chaos
Have you seen 'Nightsleeper'?
No - because from the little I saw in the preview, I'd spend most of the time shouting at the screen about the ridiculousness of their portrayal of the technology. Which would annoy my wife (who wants to see it so will iPlayer it on her iPad while she's 'working' in the study upstairs..) and annoying her is *never* a good policy (as I've learnt in 36 years of marriage)
> Imagine if the track, maintenance, signals, locomotives, trains and tickets were all operated by separate companies - it would be total chaos
You *do* realise that this is partially the case, right? Track + signals = Network Rail, Maintenance = various companies, contracted by Network Rail or the Train Operating Companies, Locos + Trains = Train Operating Companies, Tickets = Rail Delivery Group.
Anything else? And right now, that herd of cats is being orchestrated by the Department for Transport (who have zero experience in herding cats, but who think they do), again contracted by the Treasury to do so (because the Treasury holds the purse strings for everything).
It's owned by a consortium of its customers = the airlines.
So if more investment would make it more efficient then that's a decision for its customers/owners to make. Without the cost being a political decision affecting GDP and the treasury
I assume this frightens politicians
Despite the far-more-complex-&-vulnerable-to-error-than-it-appears-even-on-second-and-third-thoughts nature of air traffic control, NATS is actually working quite well.
My point was NOT "omg!", but, rather, poking a pointed needle into the absolutely-standard meme that "micromanagement by a special (govt) ELITE is the only SANE way to DO things!". (OP's post suggested to me at the time he was firmly in that syndrome (hence "frighten yourself": they love an excuse to get hysterical) ; on re-reading now, I'm not so sure. Might have intended simply to point the "incompetence!" (or, better: "irresponsibility!") finger in all directions.)
If ANYTHING would prove that _actual_ professionals shouldn't be allowed to consider the real needs of the job because it would all go horribly horribly wrong without their kindly masters correcting & managing their underclass foolishnesses, air traffic control is kinda a biggy.
NATS demonstrates that that meme is false at core.
Of course, all Govt Depts should have their own specialised police
British Transport Police investigate wifi hacks on stations, British Education Police investigate wifi hacks in schools and British Work and Pensions police investigate why your nan's sky box doesn't work
The railway police have some kind of expertise in investigating public WiFi operated by arms-length contractors?
BTS is the 2nd-tier of policing (as explained by a sergeant in TVP..)
Tier one is regular police.
Tier two is for people that can't manage T1 policing and is some of the smaller forces plus BTP.
Tier three is for people without the skills and ability for T1 or T2 and is the Military Police..
He was somewhat cynical about his profession.
How do they know for sure? There could have been any of a number of malicious scripts or downloads dropped on to people's devices from the hacked landing page. You only have to consider how many people use and "trust" public WiFi with no idea or concept of the risks they are putting themselves and their data at. The biggest security issue of all is trying to protect the masses from the "bad" by trying to secure the OS while not making it so obtrusive that they turn off the enforced security options in the name of convenience. (and not forgetting that the data slurpers don't want to be impacted by helping users to secure their devices)
Man who works for WiFi company arrested after train passengers receive Islamophobic messages
Survey:
Will he get jail time or a slap-on-the-wrist?
a) Jail time? Da fuq are you talkin' `bout?
b) Slap on the backside
c) Inside tour of a Guantanamo cell
d) You got the wrong guy, guv. It ain't me!
1) Someone watched Nightsleeper, a UK drama about a hack on the UK train network including taking over billboards.
2) Except this time, the person doing it actually had a clue about how computers work, as opposed to literally every character in Nightsleeper - including those who are supposed to work in all the cybercrime agencies and be the "leet hackers" sorting everything out.
Honestly, that programme made me scream at the screen more than I have done in years.
If you turn off your brain, it's enjoyable crap along the lines of a budget 24.
Spoilers?
However, I was annoyed at the train stopping on Ribbleshead viaduct (Carlisle-Leeds line), reversing back to Carlisle, then heading south on the WCML with the next stop being Leeds. Who exactly moved Lancaster, Preston (+Blackburn, Halifax & Bradford) and Manchester (+Huddersfield) and why go to the trouble of stopping, reversing and then switching tracks to end up at the place where the train was going to in the first place?
I was far more annoyed that they kept instructing a member of the public to plug in a satellite phone directly into a boobytrapped RPi (you can try and hide it, but it was an RPi with a LCD hat that was for some reason scrolling random binary data with useful messages interspersed between control characters at random) that was apparently controlling the train and was suspected to be potentially explosive for the first few episodes, without any thought of potential consequences or compromise.
And that said satellite phone a) allowed this with no visible ports to do so (and never seen actually connected), b) the data plan on the satellite phone was enough to do that c) that it got a static IP doing that, with all ports open, and immediately forwarded them all to the connected device, no firewall, and the cybersecurity people could literally then just fully access and port-scan the connected device just by knowing the IP of the satellite phone alone, and that d) an oil rig worker would naturally have such a plan enabled at all times and that e) (spoiler!) two such satellite phones were just wandering around on a train journey with an oil rig worker and journalist as part of the normal kit they just wander around with in their personal lives. (Working in IT, I've never even seen anyone use a satellite phone in the last 2 decades)
Or that when they actually stopped the train (for half an episode), they didn't just smash the damn thing to smithereens.
Or that....
I could honestly go on for DAYS.
I only watched the first episode and it was obviously so badly written in many ways that I bailed rather than endure the agony of attempting the rest of the story. I just don't have the time to waste on such rubbish. Now we know that the UK can produce top quality TV - you only have to see Slow Horses to realise that - but the terrestrial channels seem to be run by idiots. To be fair, there's been a steady downward slide since Thatcher started meddling in the late eighties, booting out Alasdair Milne as BBC DG and implementing the 1990 Broadcasting Act (RIP Thames TV).
People use the station WiFi? Probably the single most pointless thing that Network Rail invest in. Slow and unreliable public WiFi in major stations, which are in places that have above average mobile data coverage.
I can just about see the point in public WiFi in underground stations, but not Glasgow Central High Level.
Anon because I work for our beloved rail infrastructure owner, thankfully not in the IT dept.