Trains on British rail networks have been running with default admin credentials for the onboard Wi-Fi, making it hypothetically possible for hackers to access vital critical systems.
Ken Munro and Pen Test Partners had been conducting this research on various rail networks for eight to 10 years and the operators are fixing the problems.
But alarmingly, Munro and his team were able to easily access customer credit card data as well as get near the critical systems - including even the train brakes.
It was as simple "as putting in an IP address, seeing what your gateway address is, and seeing if it was routable," Munro tells Techworld. "Oh god, yes it is... Surely the credentials can't be default? Oh my gosh, yes they are. Then you realise you can see lots of other networks."
"It's surprisingly very similar to security flaws you find on regular corporate networks," he says. "I guess we were hoping or expecting them to be a little bit better on trains that travel at speed."
As Munro notes in a blog post there was no segregation between the passenger, staff and train control networks, with default credentials making it simple for passengers to tamper with wireless ticketing as well as bore their way into payments data.
Ironically first class passengers tend to get free Wi-Fi access so the card data would be from those in standard carriages.
"I think what happened is somewhere along the line, the responsibility for the train Wi-Fi network has probably been outsourced to a specialist third party," Munro tells Techworld. "And somewhere on the line someone has forgotten to lock down those routers. I don't think anyone has necessarily been out there and deliberately weakening them, I think it's probably just been an oversight.
"The problem is oversights are often the sources of most security breaches."
According to Munro this is "absolutely standard across corporate networks" too.
"You shouldn't as a standard user be able to access the administration content," he says. "You shouldn't be able to access the admin webpage."
Most attacks that happen in the real world are financially motivated but there are unnerving hypothetical scenarios that could threaten real physical danger in the hands of a driven hacker.
"The bit that alarmed me was the fact we could see some of the train systems," Munro says. "Now that is worrying. There's potential for touching industrial control systems, operational technology on a train – that bothered me the most.
"It would take so little to lock that interface down, put in some strong credentials that are well managed, and then this just goes away – it's a non-issue."
Delving into those hypotheticals, a hacker could in theory gain access to the industrial control network, where a lot of messaging takes place between the various components of the vehicle. That could mean tampering with the power control or the brake control management.
When most trains are in transit at over 70 miles per hour, it's impossible to apply maximum braking force because this could lock the wheels, so there is usually a type of managed anti-lock braking on board the vehicles.
"That does have a degree of electronic supervision," Munro says. "So imagine you could override that and modify the behaviour of the braking systems... That's as bad as it gets I think. This is very hypothetical – I don't want to say all braking systems can be hacked – but if suitable controls hadn't been put in place these are all plausible."
Techworld has previously covered the cyber defence systems that are in place on planes and in the maritime industry. Consumer travel like passenger aircraft and cruise ships tend to have a high degree of cyber security controls, and make use of the latest network segmentation technologies to isolate any potential attackers.
Why are trains any different? The answer could lie in the everyday mundanities of rail travel.
"I don't think anyone's really thought about it, and that's like most security flaws," Munro explains. "Did anyone when Wi-Fi was being sourced remember to ask the question about security? So often a project comes to market and it's only after the event that anyone in a security team finds out...
"Had the question been asked early on, during project specifications, security teams could have gone: had you thought about this, this and this? And everything would have been fine."
Instead Munro says what happens in most projects, whether they're Wi-Fi installations, web applications, or on mobile, security is frequently left to the last minute – if at all.
The operators have responded and are also beefing up their physical security, for example locking routers away in cabinets that aren't able to be opened with a simple square or triangle key.
"I think rail companies are well on the case for this, and it's quite unlikely many vulnerable Wi-Fi networks will be found again, so hopefully we've seen the back of this," Munro says. "But I think the broader advice should be: ask questions, ask questions about security with your supplier, and ask them to demonstrate that the system is secure.
"And at the end of it all... just check. Just in case someone has made a mistake along the way, just check."