lol768 · a year ago
This particular incident comes after another rail-related "cyber" incident, affecting TfL who run services in London. The previous incident was perpetrated by a 17-year-old, and TfL have still yet to re-enable the systems they turned off back at the end of August. This means customers can no longer check their contactless journey history or claim refunds online. My understanding is that staff were also shut off from being able to access internal systems. There is no ETA for restoration of service.

I think there's a growing problem with digital competency in some of these organisations. TfL in particular have not kept up with the times, and their once revolutionary ticketing infrastructure and software (I say "their", but it's really all just outsourced to Cubic, there's very little in-house expertise or day-to-day ownership when it comes to this stuff) feels quite dated now.

avianlyric · a year ago
> I say "their", but it's really all just outsourced to Cubic, there's very little in-house expertise or day-to-day ownership when it comes to this stuff

The original Oyster system was outsourced to Cubic. But the newer contactless system was built in-house by TfL, and is licensed to Cubic for sale to other transport systems around the world, including cities like New York.

https://en.wikipedia.org/wiki/Oyster_card#Contactless_paymen...

lol768 · a year ago
For various reasons, the contactless system sadly still lags behind Oyster, with basic functionality like NR discount entitlements missing and showing no signs of emerging anytime soon. The physical infrastructure, like the gatelines, is all still controlled by Cubic as well.

Even in terms of security, you have TfL deciding to adopt SMS for multi-factor authentication (no TOTP/HOTP/push-based MFA) for their contactless portal. Which they only started enforcing a year ago. I don't get how anybody can defend decisions like these. We've known SMS is unsuitable for this use-case for years.

ksec · a year ago
Do you know if Cubic or TfL continues development of the contactless system?

The problem is I found it very slow compared to most East Asian / Japanese contactless systems, where in 95% of cases the whole transaction completes in less than 100ms.

Etheryte · a year ago
Not familiar with this particular system, but if the issue is that their whole webapp is pwnable spaghetti, then I doubt it's gonna come back online anytime soon. Those types of issues are usually endemic and no amount of whack-a-mole will fix it.
bugtodiffer · a year ago
Really depends on the devs. I've seen it go both ways. But you are right, most retests I have done after the pentest issues were fixed are weird. They actively engineer around our suggested fixes instead of actually doing the work they are told to do.

fidotron · a year ago
> I think there's a growing problem with digital competency in some of these organisations. TfL in particular have not kept up with the times, and their once revolutionary ticketing infrastructure and software (I say "their", but it's really all just outsourced to Cubic, there's very little in-house expertise or day-to-day ownership when it comes to this stuff) feels quite dated now.

I've noticed this too. Tend to visit the UK annually or so over the last 15 years and the general quality of the machine interfaces goes down over time. The good ones are almost no different from how they were in 2005.

The part they have improved on is the contactless integration with phones which does just work so dramatically reducing the need to use the rest.

matt-p · a year ago
"worse" doesn't ring true, they have really just stayed the same. IMO this is fine, as I've not needed to use a machine in a year or two. You buy rail tickets on your phone with QR code tickets and tap in and out of TFL with your choice of phone/watch/card/oyster. We don't need to revamp the physical ticket-buying machines, why? Who do they serve? Only really tourists who don't know they just need to use their card to tap in, or use a website or app to buy either QR code or pick-up train tickets.
switch007 · a year ago
There's a slight perverse incentive in that not having access to Contactless history makes it harder for the customer to see overcharging and to make claims for a refund.
avianlyric · a year ago
The TfL contactless system doesn’t generally overcharge, as long as you properly tap-in and tap-out.

The system as a whole seems to be designed to prevent overcharging at all costs. In situations where it is ambiguous what you should be charged (there's a number of interesting edge-cases), the system always charges you the lowest possible amount. Even in the event of user error (such as forgetting to tap-out), the system does its best to guess what you did, such as looking at your history and assuming you meant to tap out at a station you normally use, or looking for a station where the gates were left open (due to a major event, overcrowding concern, evacuation etc), and assuming you left the system there.

The contactless system is substantially more capable of handling these issues correctly, and generally better at charging less, than the older Oyster system.

0xDEAFBEAD · a year ago
I imagine big tech companies and startups in the UK pay better salaries, and are better at evaluating talent. That creates adverse selection in the remaining employee pool, which the public sector is fishing in. Same as in the US.

What puzzles me is how Estonia managed to avoid this problem. https://www.youtube.com/watch?v=I5krZBe0Dck

matt-p · a year ago
The theory is right, but in practice none of this is really run by the public sector; anything remotely difficult is just contracted out to the private sector and they go with basically the cheapest bid from a "big" company. In this case it's telent and they probably just bought a captive portal product (the cheapest, of course ;)) and it got hacked.
lol768 · a year ago
I'd agree with this. At some point in the past, a final-salary defined benefit pension and the job security may have gone some way to levelling the playing field a bit.
ifwinterco · a year ago
Even before that cyberattack I was never able to get TfL online services working properly.

Luckily it's not needed, you can just buy an Oyster from a corner shop and top it up at the machines in the station (all with cash if you're concerned about privacy, which is nice).

KaiserPro · a year ago
The level of advancement isn't the issue here.

What happened is that some kid phoned up the helpdesk and said they were x and they had lost their phone, can you please help me to reset my password and 2FA (because the phone was nicked, it's standard operating procedure right?)

From there they managed to SSO into critical shit.

Now, they've had to reset _everyone's_ password and 2fa (after an ID check)

They also now need to go through _everything_ to make sure there aren't any backdoors, boobytraps or any unknown exfiltration events.

That shit is _hard_, even harder for a safety critical place like TFL. They have something like 40k employees, and a whole bunch of disparate systems.

jamessb · a year ago
> What happened is that some kid phoned up helpdesk and said they were x and they had lost their phone, can you please help me to reset my password and 2fa (because the phone was nicked, its standard operating procedure right?)

Do you have a source for this?

lol768 · a year ago
> What happened is that some kid phoned up helpdesk and said they were x and they had lost their phone, can you please help me to reset my password and 2fa (because the phone was nicked, its standard operating procedure right?)

Then the policies that they had in place for these eventualities were insufficient.

> From there they managed to SSO into critical shit.

We're all speculating here without many details of what actually happened, but the questions I'd be asking are:

- Was the person whose account was compromised somebody that needed to routinely have access to Oyster card refund information?

- Was the person whose account was compromised somebody that needed to routinely have access to Oyster card refund information for a handful of customers, as part of working in a support role?

- Was the person whose account was compromised somebody that needed to have access to Oyster card refunds for five thousand distinct customers, accessed in a very short timeframe? Why didn't security controls exist that prevented exfiltration of those volumes of data?

- Why were TfL directly storing bank account details in the first place when there are better-equipped partners who have experience securing data that could have handled this?

- Why is TfL so awful at providing Oyster refunds in the first place? They could very easily make it so you could get refunds back onto a Debit/Credit card (without needing to store the PAN), but instead the only options they give you are bank account/sort code (which have to be given over the phone) or back onto the Oyster card - needing to be physically collected within 3 to 4 days or the refund gets "lost" - completely useless if you don't live in London.

> that shit is _hard_, even harder for a safety critical place like TFL. They have something like 40k employees, and a whole bunch of disparate systems.

I don't care, it's not good enough. Everybody in London has no choice but to share some amounts of data with TfL if they want to use the transport system. They've shown they're incompetent time and time again. They can't do the work they've committed to do on-time either, and we pay them shedloads of public funds for this level of service.
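One way to implement the volume control the comment above asks about, as an added example (not TfL's or Cubic's code): a sliding-window check over a refund-lookup audit log that flags any account touching more than a threshold of distinct customer records within a short window. The log format, account names and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-log sample: "timestamp user customer_id" (assumed format).
# agent_a behaves like a support agent; agent_b pulls 300 records in 5 minutes.
SAMPLE_LOG = """\
2024-09-01T09:00:00 agent_a C1001
2024-09-01T09:04:00 agent_a C1002
2024-09-01T09:20:00 agent_a C1001
2024-09-01T09:45:00 agent_a C1003
""" + "\n".join(
    f"2024-09-01T10:{i // 60:02d}:{i % 60:02d} agent_b C{2000 + i}" for i in range(300)
)


def parse(log_text):
    """Parse log lines into (timestamp, user, customer_id), sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, cust = line.split()
        events.append((datetime.fromisoformat(ts), user, cust))
    events.sort()
    return events


def peak_distinct(events, window=timedelta(minutes=15)):
    """Per user, the highest number of distinct customers seen in any window."""
    recent = defaultdict(deque)                      # user -> (ts, cust) inside window
    live = defaultdict(lambda: defaultdict(int))     # user -> cust -> hits inside window
    peak = defaultdict(int)
    for ts, user, cust in events:
        recent[user].append((ts, cust))
        live[user][cust] += 1
        # Evict events older than the window, keeping per-customer counts exact.
        while ts - recent[user][0][0] > window:
            _, old = recent[user].popleft()
            live[user][old] -= 1
            if live[user][old] == 0:
                del live[user][old]
        peak[user] = max(peak[user], len(live[user]))
    return dict(peak)


def flag_bulk_access(events, window=timedelta(minutes=15), max_distinct=50):
    """Accounts whose distinct-customer access rate exceeds the threshold."""
    return {u: p for u, p in peak_distinct(events, window).items() if p > max_distinct}


if __name__ == "__main__":
    print(flag_bulk_access(parse(SAMPLE_LOG)))   # {'agent_b': 300}
```

In a real deployment the flag would feed an alert or a hard rate limit on the refund-lookup API rather than a print.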

gaiagraphia · a year ago
>London Euston, Manchester Piccadilly and Birmingham New Street among those targeted with terrorism message

Makes it sound like the message itself was 'terrorist'. Also abhor the fact that we're never trusted with being able to see the actual source content. We MUST be told what we should think about it by 3rd parties.

cpcallen · a year ago
Indeed, the headline is… technically accurate but seems clearly designed to mislead. The article body is a bit more clear:

> The Manchester Evening News reported that passengers accessing the wifi at Piccadilly station were directed to a webpage titled “we love you, Europe”, which contained Islamophobic messages and details of several terrorist attacks that have taken place in the UK and in Europe.

I think "[Stations] among those targeted with Islamophobic message" would have been a more informative wording.

casenmgreen · a year ago
Major UK train stations have turned off their wifi?

Should result in slightly improved performance :-P

(Actually, to be fair, some of those stations have working and viable wifi. Only some have wifi where connection simply doesn't work - and by this I mean consistently over a couple of years.)

ta1243 · a year ago
Extremely rare I use public wifi - there's a couple of places where phone signal doesn't work and I want/need some internet (underground, planes, actually on board the trains, some cafes etc), but at major stations? It's not like they offer wifi at stations where there's no phone signal (and if they did it would be better all round for the phone companies to offer 4g service instead)

What is the value proposition for wifi at stations?

ljf · a year ago
I'd guess there are still a subset of people with very limited data plans, or who don't have plans at all and use tablets or laptops.

If you can offload an amount of those people from asking your staff questions about train times and connections and get them checking online instead, I would guess that could be a cost saving?

I suppose it is also something that helps make the train more appealing than other forms of transport. If I know I can turn up 30 mins early and get some work done (or just browse the web), then that helps cement the train as a nicer way to travel compared to a bus, or even a car where you cannot work at all if you are the driver.

matt-p · a year ago
Tourism - and if you've run out of roaming data or are being charged per MB then it's actually very useful.

We need a better way of doing it though, this unauthenticated network with a captive portal running on some embedded device or some php on a cloud server somewhere is total junk.

There is wifi that is authed via your mobile provider on TFL (now mostly redundant as lines now have 4g/5g) but I think it's actually also piped back to your mobile provider and usage comes out of your allowance if you've got one. What if we were able to do the auth step via SIM (so we know who is on the network if there's bad traffic) but terminated the traffic ourselves (i.e. doesn't come out of your mobile allowance or get piped to them in the first place)?

logifail · a year ago
Visitors to the UK might be charged roaming fees by their foreign mobile provider.
gadders · a year ago
The underground platform wifi from mobile companies seems better than main London terminal "Free Station Wifi".

On train wifi is bad every time I've tried it.

matt-p · a year ago
The issue with on train wifi is the companies see it as a pure cost centre and aren't incentivised to provide a quality product there. Some have even turned it off!

The on train hardware is usually half decent but they typically go with the cheapest tender for the operation of it.

This is the kind of BS you get when you have private companies run parts of your infrastructure. Imagine the productivity gain of millions of journeys where users can reliably access fast internet. In most cases stumping up for a quality multi-SIM provider, maybe a 5G upgrade and decent bandwidth allowance and support would get you most of the way to that. WCML for example already has really decent coverage on my phone doing tethering but somehow onboard wifi is unusable, despite the train having multi-SIM multi-radio hardware and special external antennas.

philjohn · a year ago
And on parts of the Northern Line (between Euston and Charing Cross) there's now even 5G down there.
tetris11 · a year ago
Where are these teens learning these easy hacks from? I say easy because the police seem to have no problem tracking them down after the incident, hinting at a degree of sloppiness in covering their tracks.
Trab3n · a year ago
You can buy/sell copy/paste loads of different scripts and stuff from loads of different places.

It could be as simple as they found a single way in, dropped some ransomware and left. Never covered their tracks, used a VPN and so the IP address went straight to their address.

erinaceousjones · a year ago
Teenagers are inherently reckless, but arguably can have lots of technical experience/knowledge by the time they're 17. If you've been messing with computers as a hobby and a passion since you were 11, you already have ~6 years of self directed experience, and a bunch of free time outside of school (and if you're a smart kid, inside of school too, winging classes and skipping homework).

Where teens fall down is their own overconfidence / arrogance / hubris / doing things impulsively, or generally just not considering (or possibly even comprehending) the full impact or risk of stuff they are doing. Like, understanding the technical side really well, but with a severely impaired frontal lobe.

So I feel it's a bit of a disservice to say it's "kids doing easy hacks". Without extra context we don't know what exploits they used or what they discovered. Could've been something easy and well known, could've discovered something novel.

I think the 17yo in question was indeed arrogant and I don't agree with their politics and I think it's unfortunate they've been indoctrinated by the right wing, but I would argue that they're probably pretty technically competent and motivated and I hope later on in life it serves them well and they make a whitehat career out of it.

faangguyindia · a year ago
I've seen many people using LLM autohackers.

Basically provide a system interpreter for LLM to run all hack functions on and off you go.

bugtodiffer · a year ago
Please give me a link, I highly doubt that.
blueflow · a year ago
There are easily usable apps that do ARP spoofing and render your own HTTP replies.
potato3732842 · a year ago
Doctoring web requests with Burp and the like in order to circumvent arbitrary input restrictions on the client side is an absolute godsend when dealing with crappy web forms, legacy software, etc.
lmpdev · a year ago
If it’s anything like it was 10-15 years ago, YouTube.
potato3732842 · a year ago
These days they can use ChatGPT and whatnot to track down all the pesky errors and omissions you encounter when trying to use those guides on anything but the exact setting the person making the guide is showcasing in their example.

But yeah, script kiddies learn their skills online, same as it's always been.

naich · a year ago
There seems to me to be a lot of misplaced trust involved in connecting to Wifi networks. It's easy to set up your own public AP and why not call it "Netork Rail Free Wifi" or something?

https://naich.net/wordpress/index.php/abusing-public-wifi-ac...

Havoc · a year ago
On the UK TfL ones it's phone-carrier configured and authenticated. You don't select it like a normal wifi point.
matt-p · a year ago
Yes but mainline stations it's captive portal open wifi. I think it literally is called network rail free wifi or something.
maxehmookau · a year ago
Does anybody in the UK ever use the free wifi at stations? It never works anyway.
Havoc · a year ago
Yeah I use it every day. Slightly slower browsing but totally usable.

Vodafone, though I see there is a BT-managed wifi on my phone too. Not sure which one it actually uses since it's automatic.

hcfman · a year ago
Phew! Someone is lucky they are not liable via the CRA
foolofat00k · a year ago
Once again, the UK gov refuses to pay more than like 30k a year for engineers and then plays shocked Pikachu when things aren't done properly.