Bored Russian hacker breaks into railway company site in 20 min, steals all passengers’ info
To connect to the Wi-Fi, Sapsan passengers have to enter the number of their car and seat, as well as the last four digits of their passport.
A programmer who was traveling on a Sapsan from Moscow to St. Petersburg hacked into the high-speed train's network and obtained the data of all the passengers. He described it himself on the Habr website under the nickname keklick1337.
The hacker said that he had been at a St. Petersburg conference on information security and was returning to Moscow on the Sapsan. He was bored, so he thought he would try to break into the network of the train. It took him 20 minutes.
To connect to the Wi-Fi, Sapsan passengers have to enter the number of their car and seat, as well as the last four digits of their passport. This means the system stores all the passenger data.
The programmer used Nmap to scan the network and public exploits to look for vulnerabilities in the software.
It took the attacker 20 minutes to scan the network. He found several open ports. It turned out that they all ran on the same server with a single password. The programmer easily gained access to the database and found information about all the past departures.
The user called on Russian Railways to improve the system and promised to check back again soon.