Costa Rican hacker Bertin Jose reported in early September on Medium, how he managed to take control of traction substations and signaling systems on the Polish railway network in March. Initially, this story went unnoticed The website Cyberdefence24.pl was the first to describe it in Poland. The hacker had no problem breaking into the systems at the Klecina tram terminus in Wrocław, and he succeeded in doing so after the first attempt to bypass security. The slogan remained unchanged and was simply four 1's. The password 2222 also worked.
A Costa Rican hacker broke into the Wrocław tram terminus
The Costa Rican hacker stumbled upon the Polish system because he is a railway enthusiast and conducts online research on vulnerable equipment. Once he manages to hack into the system, he forwards it information about a security vulnerability to the system operator (contrary to popular belief, the word hacker also refers to cybersecurity specialists trained in checking security, not only criminals).
In this case, however, there was no need to check all security vulnerabilities, because, as we mentioned, we managed to log in to the system using the default password. At this stage, Bertin Jose stopped fiddling with security and decided to contact the authorities managing railway traffic in Poland. However, from March to the date of publication of the text in early September, no one responded to him. However, there were concerns that such attacks, performed by someone less friendly, could allow control of switches or traffic lights.
MPK calms down. There was no threat
“Gazeta WrocÅ‚awska” writesthat MPK WrocÅ‚aw has been informed about the entire situation. The institution assured that access obtained remotely does not allow the control of railway systems. – All control devices and devices responsible for traffic safety are inaccessible to external persons and entities and completely safe. Any changes to the settings of devices controlling signaling or track infrastructure can only be made locally. It is not possible to change such settings remotely, by logging in to any systems – Daniel Misiek from offices MPK WrocÅ‚aw press release.
Misiek said that the Costa Rican only managed to connect to the system monitoring the situation on the Klecina loop, which only allows viewing individual parameters, without the possibility of changing anything.
– There was and is no situation of any threat. The information reported by the industry media concerned opportunities remote connecting to the system for monitoring the entry/exit situation at the Klecina loop, which only allowed for viewing the data collected by this system. Currently, this preview is no longer possible. We emphasize that at no time was it possible to externally control the signals, switches or other elements of the MPK WrocÅ‚aw infrastructure – said Daniel Misiek. – There was no threat to the safety of tram traffic or passengers. MPK WrocÅ‚aw takes the issue of IT security very seriously, we are constantly working on improving the security measures used – added the carrier's representative.