Information kiosks used by Southern Rail in stations with fewer staff are wide-open to cyber-attacks, according to a security researcher.
He says there are significant issues with the machines' certificate upload process, which could allow a compromised certificate to be uploaded for criminal purposes, and adds that this points to a relaxed use of escalated privileges.
Alerting SC Media UK to the problem, the researcher, who tweets under the handle @vonsenger, but asked to remain anonymous, claimed that the issue first occurred in November 2016.
He notified the relevant people at Southern, but said he doubted much had happened since. “The machines are clearly remotely administered, which would indicate a connection is required to allow this process.”
“The concern is that the machine not only allows privileged access to this degree, as demonstrated in my picture, but more importantly, it will allow the machine to be used as a bounce point for further attacks.”
SC contacted Govia Thameslink Railway, the parent company which owns and operates Southern Rail, which said the kiosks are for information only and do not sell tickets. It did not want to say any more as, “there needs to be a thorough investigation.”
A Southern spokesperson said: "There is no personal or confidential information held on these information kiosks, which merely give access to websites allowing our passengers to plan their journeys and check other information. However, as a precaution, we have taken immediate steps to lock the kiosks out of use while our suppliers carry out a thorough investigation."
@vonsenger also claimed that the kiosks could potentially allow for access to Southern's corporate network.
He explains: “Given time I could install tools or access telnet to try and access deeper parts of the network or even footprint the organisation. It could also allow me to install applications to create further havoc.”
He added that this seemingly harmless lapse in security reflects badly on Southern Rail's general approach to information security, saying: “This could be prevented by a simple GPO or even adequate protective monitoring alerting to the abnormal use of escalated privileges.”
Mark James, IT security specialist at ESET commented: “Sadly keeping security up together is not always as simple as it seems. As systems develop and mould into the gateways we use each and every day to achieve our tasks, the underlying software often is cobbled or stuck together as more and more is added. When it comes to making it safe and secure it's not as easy as your average desktop PC. But when the public are using these gateways to hand over private and financial details we would expect them to be as safe as possible.”
Javvad Malik, security advocate at AlienVault said: “Generally speaking, I'm reminded of the old Microsoft article regarding the 10 immutable laws of security. Laws 2 and 3 are most relevant in this scenario where a bad guy can alter the operating system and has unrestricted physical access to the computer. Any public facing device and software will always be a target for attack by criminals. The onus is always on the company to lock down and harden systems as well as have monitoring controls.”
Malik added: “Kiosk security is somewhat easier because there are only a limited number of legitimate actions anyone should be able to take; all other actions should be blocked or closely monitored. Running virtual instances that can be rebuilt every night can also help in reducing any exposure that may arise from systems that have been compromised.”
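The two remediation points raised above, protective monitoring that alerts on abnormal use of escalated privileges and a kiosk policy where only a small set of legitimate actions is permitted and everything else is blocked or watched, can be expressed as a small detection rule set. The following Python is an added example written for this article, not code from Southern Rail, its suppliers, the researcher or the quoted vendors. It runs an allow-list policy over exported Windows Security events: event 4672 (special privileges assigned to a new logon) and event 4688 (new process created, including its "Token Elevation Type" field, where `%%1937` denotes a full administrator token). The account names, host name, binary paths, maintenance window and the sample event records are all constructed for illustration.

```python
"""Kiosk privilege-misuse detector: apply a small allow-list policy to
exported Windows Security events (4672 and 4688) and raise alerts."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List

# --- Constructed kiosk policy (assumed values, not taken from the article) ---
APPROVED_ADMINS = {"KIOSK\\svc-kioskadmin"}        # only account expected to hold admin rights
ALLOWED_PROCESSES = {                               # the only binaries a kiosk session should run
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    r"C:\Windows\explorer.exe",
}
MAINTENANCE_START, MAINTENANCE_END = time(2, 0), time(4, 0)  # when remote administration is expected
FULL_ELEVATION = "%%1937"  # 4688 "Token Elevation Type" value for a full administrator token

RULE_UNAPPROVED_PRIV_LOGON = "privileged logon by account outside approved admin set"
RULE_PRIV_LOGON_OFF_HOURS = "privileged logon outside maintenance window"
RULE_PROCESS_NOT_ALLOWED = "process not on kiosk allow-list"
RULE_ELEVATED_UNAPPROVED = "full-elevation process started by unapproved account"


@dataclass
class Alert:
    rule: str
    host: str
    account: str
    detail: str
    when: str


def in_maintenance_window(ts: datetime) -> bool:
    """True if the timestamp falls inside the agreed remote-administration window."""
    return MAINTENANCE_START <= ts.time() < MAINTENANCE_END


def check_event(ev: Dict[str, str]) -> List[Alert]:
    """Apply the kiosk policy to one exported event record and return any alerts."""
    alerts: List[Alert] = []
    account = f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}"
    ts = datetime.fromisoformat(ev["TimeCreated"])
    base = dict(host=ev["Computer"], account=account, when=ev["TimeCreated"])

    if ev["EventID"] == "4672":  # special privileges assigned to a new logon
        privs = ev.get("PrivilegeList", "")
        if account not in APPROVED_ADMINS:
            alerts.append(Alert(RULE_UNAPPROVED_PRIV_LOGON, detail=privs, **base))
        elif not in_maintenance_window(ts):
            alerts.append(Alert(RULE_PRIV_LOGON_OFF_HOURS, detail=privs, **base))

    elif ev["EventID"] == "4688":  # a new process has been created
        process = ev["NewProcessName"]
        elevated = ev.get("TokenElevationType") == FULL_ELEVATION
        if process not in ALLOWED_PROCESSES:
            alerts.append(Alert(RULE_PROCESS_NOT_ALLOWED, detail=f"{process} (elevated={elevated})", **base))
        if elevated and account not in APPROVED_ADMINS:
            alerts.append(Alert(RULE_ELEVATED_UNAPPROVED, detail=process, **base))
    return alerts


def detect(events: List[Dict[str, str]]) -> List[Alert]:
    """Run every event through the policy, preserving log order."""
    alerts: List[Alert] = []
    for ev in events:
        alerts.extend(check_event(ev))
    return alerts


# --- Constructed sample events, shaped like fields exported from the Security log ---
SAMPLE_EVENTS = [
    {"EventID": "4688", "TimeCreated": "2016-11-14T09:00:12", "Computer": "KIOSK-01",
     "SubjectDomainName": "KIOSK", "SubjectUserName": "kioskuser",
     "NewProcessName": r"C:\Program Files\Internet Explorer\iexplore.exe", "TokenElevationType": "%%1936"},
    {"EventID": "4672", "TimeCreated": "2016-11-14T03:10:44", "Computer": "KIOSK-01",
     "SubjectDomainName": "KIOSK", "SubjectUserName": "svc-kioskadmin",
     "PrivilegeList": "SeDebugPrivilege SeBackupPrivilege"},
    {"EventID": "4672", "TimeCreated": "2016-11-14T14:32:01", "Computer": "KIOSK-01",
     "SubjectDomainName": "KIOSK", "SubjectUserName": "svc-kioskadmin",
     "PrivilegeList": "SeDebugPrivilege SeBackupPrivilege"},
    {"EventID": "4688", "TimeCreated": "2016-11-14T14:33:27", "Computer": "KIOSK-01",
     "SubjectDomainName": "KIOSK", "SubjectUserName": "kioskuser",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "TokenElevationType": "%%1936"},
    {"EventID": "4688", "TimeCreated": "2016-11-14T14:35:09", "Computer": "KIOSK-01",
     "SubjectDomainName": "KIOSK", "SubjectUserName": "Administrator",
     "NewProcessName": r"C:\Windows\System32\mmc.exe", "TokenElevationType": "%%1937"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.when} {a.host} {a.account}: {a.rule} [{a.detail}]")
```

The first two sample records (the kiosk browser starting, and the approved service account logging on with admin rights inside the maintenance window) produce nothing; the remaining three produce four alerts, because the daytime privileged logon, the unexpected console process in the kiosk session, and an elevated management console started by a non-approved account each break a different rule. In practice the same policy would be enforced first by Group Policy and application control, with this kind of monitoring as the check that the enforcement is actually holding.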