
Cyber attack at 19 major railway stations - WiFi hacked

duffield

Established Member
Joined
31 Jul 2013
Messages
1,804
Location
East Midlands
Can't find an existing thread for this, please move if there's a more appropriate place:

The BBC are reporting that the public WiFi has been breached at 19 stations (Edit: BBC news now saying 20 stations).

Quote:
Network Rail confirmed that the wi-fi systems at stations including London Euston, Manchester Piccadilly, Liverpool Lime Street, Birmingham New Street, Edinburgh Waverley and Glasgow Central were affected.

People reported logging on to the wi-fi at the stations on Wednesday and being met with a screen about terror attacks in Europe.

 

Adam Williams

Established Member
Joined
2 Jan 2018
Messages
2,230
Location
Warks
This is probably a "best case" in terms of assets for someone to attack at a railway station! I imagine most customers will be happy relying on mobile data.

Let's hope they don't do a TfL and leave the WiFi offline for 2 months afterwards, though.
 

duffield

Established Member
Joined
31 Jul 2013
Messages
1,804
Location
East Midlands
This is probably a "best case" in terms of assets for someone to attack at a railway station! I imagine most customers will be happy relying on mobile data.

Let's hope they don't do a TfL and leave the WiFi offline for 2 months afterwards, though.
Network Rail say (in the article above) that the system, provided by a third party, has been switched off.

Personally I've got a sufficient chunk of pay monthly data that I never need to use public WiFi, and this sort of thing is one reason why I stay away from it.
 

johntea

Established Member
Joined
29 Dec 2010
Messages
2,685
Pretty simple cyber attack really, just set the landing/login page for users connecting to the WiFi network to their custom one

(Let me guess the login for the admin portal was admin/admin or similar!)

I’m curious as to why it is BTP investigating though? It might be the Network Rail free WiFi but essentially it’s just a contract between them and a third party supplier to provide a public WiFi service
 

WestAnglian

Member
Joined
27 Aug 2021
Messages
70
Location
Bishop's Stortford
Pretty simple cyber attack really, just set the landing/login page for users connecting to the WiFi network to their custom one

(Let me guess the login for the admin portal was admin/admin or similar!)

I’m curious as to why it is BTP investigating though? It might be the Network Rail free WiFi but essentially it’s just a contract between them and a third party supplier to provide a public WiFi service
Hacking anything is an offence under the Computer Misuse Act, so when it's public infrastructure an attack should be taken seriously.
 

sprunt

Established Member
Joined
22 Jul 2017
Messages
1,333
Hacking anything is an offence under the Computer Misuse Act, so when it's public infrastructure an attack should be taken seriously.

I think the query was less why it's being investigated per se, than why it's BTP doing the investigation. Apart from anything else, I wouldn't have thought they'd have the officers with the specific knowledge needed to investigate this.
 

sor

Member
Joined
15 Nov 2013
Messages
502
I think the query was less why it's being investigated per se, than why it's BTP doing the investigation. Apart from anything else, I wouldn't have thought they'd have the officers with the specific knowledge needed to investigate this.
Isn't it simply because it is railway infrastructure? I would assume they can call on the NCSC/GCHQ and other orgs just as the territorial police or NCA can.
 

dosxuk

Established Member
Joined
2 Jan 2011
Messages
1,997
Who else would Network Rail contact? Note it's not the BTP saying they're leading an investigation, it's Network Rail saying they're investigating.
 

transportphoto

Established Member
Associate Staff
Jobs & Careers
Quizmaster
Joined
21 Jan 2010
Messages
4,872
I think the query was less why it's being investigated per se, than why it's BTP doing the investigation. Apart from anything else, I wouldn't have thought they'd have the officers with the specific knowledge needed to investigate this.
The investigation has got to start somewhere. I’m not sure any police force would have the specialism more than any other - what they do have though is the contacts (e.g. National Crime Agency) to make the investigation happen. The impact has been felt (and seemingly targeted upon) what would normally be seen as BTP jurisdiction.
 

BuhSnarf

Member
Joined
22 May 2010
Messages
181
The article on BBC News has a rather sensationalised headline - "Hack puts terror message on railway station boards" - it kind of implies that they were able to put the message up on the departure screens, this is further embedded by the fact that there is a shot of the large dot matrix screen at Man Picc.

A little bit misleading if you ask me.
 
Joined
28 Jan 2024
Messages
52
Location
North Yorkshire
BBC doing what they do best…
The article on BBC News has a rather sensationalised headline - "Hack puts terror message on railway station boards" - it kind of implies that they were able to put the message up on the departure screens, this is further embedded by the fact that there is a shot of the large dot matrix screen at Man Picc.

A little bit misleading if you ask me.
 

duffield

Established Member
Joined
31 Jul 2013
Messages
1,804
Location
East Midlands
The article on BBC News has a rather sensationalised headline - "Hack puts terror message on railway station boards" - it kind of implies that they were able to put the message up on the departure screens, this is further embedded by the fact that there is a shot of the large dot matrix screen at Man Picc.

A little bit misleading if you ask me.
When I started this thread, the headline was, as per the thread title, "Cyber attack at 19 major railway stations", which was more factual and less sensationalist. It's very disappointing that they've changed it to something positively misleading - a reference to "railway station boards" and the accompanying image.
 

dcsprior

Member
Joined
28 Aug 2012
Messages
818
Location
Edinburgh (Fri-Mon) & London (Tue-Thu)
This is probably a "best case" in terms of assets for someone to attack at a railway station! I imagine most customers will be happy relying on mobile data.

Personally I've got a sufficient chunk of pay monthly data that I never need to use public WiFi, and this sort of thing is one reason why I stay away from it.

If I use public wi-fi, it's because I have no mobile signal in that location (or this was previously the case, and I've not disconnected, or maybe even automatically reconnected after a previous visit) and nothing to do with not having sufficient data allowance. I'd guess I'm far from alone in this.
 

Dent

Established Member
Joined
4 Feb 2015
Messages
1,197
The article on BBC News has a rather sensationalised headline - "Hack puts terror message on railway station boards" - it kind of implies that they were able to put the message up on the departure screens, this is further embedded by the fact that there is a shot of the large dot matrix screen at Man Picc.

A little bit misleading if you ask me.
If there was nothing actually placed on station boards then it is not misleading, it is a false statement.

There is a difference between misleading - a statement which is factually correct but presented in a way which may lead to an erroneous conclusion, and a false statement - explicitly claiming something which is factually untrue.
 

Taunton

Established Member
Joined
1 Aug 2013
Messages
10,771
The article on BBC News has a rather sensationalised headline - "Hack puts terror message on railway station boards" - it kind of implies that they were able to put the message up on the departure screens, this is further embedded by the fact that there is a shot of the large dot matrix screen at Man Picc.
Clickbait is the only important measured metric nowadays. Accuracy and correct information have gone out of it - along with most of the editorial staff beyond the Intern grade.
 

Wilts Wanderer

Established Member
Joined
21 Nov 2016
Messages
2,783
The article now appears to have been updated to remove reference to station departure screens and simply states that the Wi-Fi was hacked.
 

Adam Williams

Established Member
Joined
2 Jan 2018
Messages
2,230
Location
Warks
I take that to mean we should expect TfL issues to continue for another month and a bit at least)
I have no privileged information here, but it doesn't look very promising from what is in the public domain. No commitment to any sort of date for service restoration
 

Couru

Member
Joined
28 Feb 2023
Messages
57
Location
Basingstoke
Sky reporting that it was an admin who defaced the landing page. Article

Telent, the company who manages the wifi system, said the attack came from someone working for the company running the wifi homepage and the matter is now being dealt with by the police.

"An unauthorised change was made to the Network Rail landing page from a legitimate Global Reach administrator account and the matter is now subject to criminal investigations by the British Transport Police," said Telent in a statement.

Seems like a classic bit of hacktivism (aka "idiot ruins his life because he thinks he's saving the world"). Questions will be asked of Telent about why they didn't have a change control process in place to prevent exactly this.
 

LAX54

Established Member
Joined
15 Jan 2008
Messages
3,831
The article on BBC News has a rather sensationalised headline - "Hack puts terror message on railway station boards" - it kind of implies that they were able to put the message up on the departure screens, this is further embedded by the fact that there is a shot of the large dot matrix screen at Man Picc.

A little bit misleading if you ask me.
Probably trying to 'cash in' and promote their drama series Nightsleeper !
 

kez19

Established Member
Joined
15 May 2020
Messages
2,086
Location
Dundee
Might be unrelated but I had issues using Scotrail WiFi yesterday in Aberdeen train station and even on the train itself (irony the train I got off in Stonehaven was the return back later).

For me it was loading but nothing to go to but didn’t connect.
 

jayah

On Moderation
Joined
18 Apr 2011
Messages
2,008
Network Rail say (in the article above) that the system, provided by a third party, has been switched off.
How many other systems are provided by third parties over which there seems to be insufficient scrutiny / oversight?
 

Baxenden Bank

Established Member
Joined
23 Oct 2013
Messages
4,186
An update on the BBC News site here.

Man arrested over rail terror message hack

Nineteen railway stations were affected by a cyber-attack, Network Rail said
Gemma Sherlock & Sean Dilley
BBC News

Published 2 hours ago
A man has been arrested on suspicion of computer misuse offences after railway stations across the UK suffered a cyber attack.
Public wi-fi services were suspended at 19 railway stations managed by Network Rail on Wednesday after messages about past terrorism attacks appeared on people's devices.
British Transport Police (BTP) said the man held is an employee of Global Reach Technologies, which provides internet access to some Network Rail stations.
The force said the man has been arrested on suspicion of computer misuse act offences and malicious communications.
The network is run by a third party, Telent, with the actual internet service provided by Global Reach.
Commuters noticed unusual activity after connecting to the service at stations around the UK.
The BBC has seen screenshots posted to social media after some passengers reported being directed to content listing terrorist attacks in Europe.
It is understood that no other rail systems or data have been breached.
Network Rail said it acted quickly to suspend public wi-fi services while the suspicious content was being investigated.
The station operator and its suppliers said they were confident that wi-fi services would be restored by the weekend.
Chris Dyson, 53, from Leeds, saw an unusual message on Wednesday afternoon when he connected his device to the wi-fi at Birmingham New Street.
It gave details of Islamist-related terror attacks in the UK and Europe, alongside pictures taken from news reports about the incidents.
"The screen lit up with bizarre security alerts and dodgy pop-ups," he told the BBC.
"I started to panic slightly—what if this was a sign of something more sinister?"
The affected stations included:
  • In London, London Cannon Street, London Bridge, Charing Cross, Clapham Junction, Euston, King’s Cross, Liverpool Street, Paddington, Victoria and Waterloo
  • In the South East, Reading and Guildford
  • In the North West, Manchester Piccadilly and Liverpool Lime Street
  • In the West Midlands, Birmingham New Street
  • In West Yorkshire, Leeds
  • In the West and South West, Bristol Temple Meads
  • In Scotland, Edinburgh Waverley and Glasgow Central
Network Rail said it believed other organisations, not just railway stations, had been affected.
"This service is provided via a third party and has been suspended while an investigation is under way," the spokesperson said.
 

infobleep

Veteran Member
Joined
27 Feb 2011
Messages
13,115
Might be unrelated but I had issues using Scotrail WiFi yesterday in Aberdeen train station and even on the train itself (irony the train I got off in Stonehaven was the return back later).

For me it was loading but nothing to go to but didn’t connect.
That will be unrelated. A similar thing happens 99% of the time on Great Western Railway but it isn't cyber related, just some other issue that for whatever reason hasn't been fixed.
 

Egg Centric

Established Member
Joined
6 Oct 2018
Messages
1,238
Location
Land of the Prince Bishops
I may be wrong but since we're all speculating ;) - the content of the message (basically conspiratorial great replacement right wing loony stuff) wasn't really something I'd think yer typical IT guy would either be stupid enough to do or indeed hold such views.

Based on that, I suspect more likely his or her credentials were breached. Still as I said I may be wrong about that!
 

Bill57p9

Member
Joined
1 Dec 2019
Messages
589
Location
Ayrshire
Sky reporting that it was an admin who defaced the landing page. Article



Seems like a classic bit of hacktivism (aka "idiot ruins his life because he thinks he's saving the world"). Questions will be asked of Telent about why they didn't have a change control process in place to prevent exactly this.
By definition an admin account will have the permissions to change stuff.

There are various ways of controlling updates, such as independent code reviews which can be set as rules in any decent configuration/content management system, however those rules are set by an Admin account: they necessarily have to exist.

Which leads to the question of how the admin account credentials came to be used maliciously: either a disgruntled (possibly former) employee or they have been compromised. And whether any second factor authentication (2FA) was in use: the sort of thing that sends you an email to confirm your identity. (Often the root admin account doesn't have 2FA as it may be needed to fix the 2FA!)

Will be interesting where this one goes. IMHO, more interesting than if it was a straight up hack.
 
