Updated November 18 at 17:16: Russian Railways told TASS that the servers of the Sapsan infotainment system hold no personal data of passengers. The company promised to conduct an investigation.
A Habr user writing under the pseudonym keklick1337 described how he hacked the Wi-Fi on a Sapsan train while travelling from St. Petersburg to Moscow. It turned out that the high-speed train's server stores information about all current and past trips.
Hacking Wi-Fi from boredom
Keklick1337 said he was travelling to Moscow from the ZeroNights information security conference, which had no "interesting tasks". He quickly got bored of reading a book and decided to work, but along the way he often had only a 2G connection, which was not enough even to reach his mail.
I decided to connect to the local Sapsan Wi-Fi. I did it for the first time! Well, it asked me to enter the car number, seat number and the last 4 digits of my passport for authorization, and at that point I was already a little curious about what I could do with this Sapsan network, but all the same, the pentest tasks for work took priority.
Because of the poor connection the user could not work and was about to return to the book, but instead tried to hack the Sapsan. He noted that since Wi-Fi authorization requires entering passport digits together with the car and seat number, the train must store data on all passengers.
The user decided to find out how hard it is to get at that data. It turned out that a scan of the network and a couple of public exploits were enough.
How the hack went
First, keklick1337 scanned the Sapsan network with the nmap utility using the -v -A options (verbose output plus OS and service version detection). He found many services with open ports and noted that the whole "hack" took 20 minutes, and only because the Sapsan server was so buggy.
The user then went through each service in turn. He soon realised that everything on the Sapsan runs on a single server with Docker installed, a platform for deploying and managing containerised applications.
The user examined the contents of the containers and, using public exploits, gained access to the file system. He explained that the Sapsan uses simple passwords and that ssh allows logging in as root.
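The two settings behind the "ssh allows root login with simple passwords" finding are PermitRootLogin and PasswordAuthentication in sshd_config. The Python check below is an added example, not code from the Habr post or from Russian Railways; both configuration texts in it are constructed samples, not the Sapsan server's, and it shows the weak configuration beside a hardened one.

```python
# Added example: audit an sshd_config for direct root login and password
# authentication. Not code from the Habr post or from Russian Railways;
# the two config texts below are constructed samples.
import re

# Defaults documented in sshd_config(5) for OpenSSH 7.0 and later.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
}


def parse_sshd_config(text):
    """Return the effective global value of each keyword (lower-cased).

    sshd uses the *first* value it reads for a keyword, so later duplicates
    are ignored. Directives inside a Match block only apply conditionally,
    so they are skipped here rather than treated as global settings.
    """
    effective = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        effective.setdefault(key, value)      # first value wins
    return effective


def audit_sshd_config(text):
    """Return a list of findings; an empty list means both checks pass."""
    conf = parse_sshd_config(text)
    findings = []
    root = conf.get("permitrootlogin", DEFAULTS["permitrootlogin"])
    if root == "yes":
        findings.append(
            "PermitRootLogin yes: root can log in directly with a password")
    password = conf.get("passwordauthentication",
                        DEFAULTS["passwordauthentication"])
    if password == "yes":
        findings.append(
            "PasswordAuthentication yes (also the default): a guessable "
            "password is enough to log in")
    return findings


# Constructed sample of the weak configuration described in the post.
WEAK_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PermitRootLogin no      # ignored: sshd keeps the first value it saw
"""

# Constructed hardened counterpart: key-based login only, no direct root.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes   # conditional exception, not a global setting
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["ok"])
```

The weak sample triggers both findings: the duplicate PermitRootLogin line does not rescue it because sshd honours the first value, and the missing PasswordAuthentication line falls back to the default of yes. The hardened sample passes, and its Match block shows why per-user exceptions must not be read as global settings.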
Information on all passengers of the current and past trips was found in a database on the Sapsan server's disk. There was also a VPN connection into the Russian Railways network. What surprised the user most, however, was that the company had not bought an HTTPS certificate but used a free one from Let's Encrypt (a choice that by itself does not weaken the TLS connection).
Keklick1337 concluded that everything on the Sapsan is configured "terribly": according to him, the same passwords are used everywhere and data is stored in plain-text files.
The user did not publish the credentials, which he says are the same on all Sapsan trains. He explained that a few years ago he had already reported a vulnerability to Russian Railways, which fixed the mistake without paying him any reward.
Keklick1337 urged the company to fix the vulnerabilities and promised to check them again in a couple of months. At the same time he reminded all Sapsan passengers that their data is at risk.
Everyone connected to their Wi-Fi is exposed to traffic sniffing. Since everything goes through their proxies, HTTP traffic can be collected easily, and with a little effort [encrypted] HTTPS as well (verified). Getting access to the data of the passengers on the trip is not hard; it takes 20 minutes at most.
The editors asked Russian Railways for comment but received no response. TASS reported that the company will conduct an investigation following the Habr user's statement about hacking the Sapsan system. The carrier clarified that passengers' personal data are not stored on the multimedia portal's servers.
To authorize in the system, the user enters only the last four characters of the document on which the ticket was purchased, together with the car and seat number. Under the current legislation of the Russian Federation this data is not personal data, and it is stored on the IRS server for no more than one day. The IRS server is not connected to the internal network of Russian Railways or to other internal control services on the train; it is intended exclusively for entertainment and information purposes and does not store any confidential customer data.
Russian Railways press service