More public wi-fi hotspots could be targeted in a cyber attack, experts said today after a major security incident impacted some of Britain’s biggest railway stations.
Passengers logging into the wi-fi at 19 stations reported seeing an ‘Islamophobic’ message about terror attacks in Europe, before the service was taken offline.
Network Rail confirmed London Euston, Manchester Piccadilly, Liverpool Lime Street, Birmingham New Street and Glasgow Central were among those impacted.
Wi-fi at the stations is controlled by a third-party provider called Telent, which has revealed an ‘unauthorised change’ was made to the landing page by a ‘legitimate administrator account’ for Global Reach, the provider of the Wi-Fi landing page.
British Transport Police has now begun a criminal investigation into the matter, and Telent insisted no personal data has been affected. Network Rail said station wi-fi will not be restored until the weekend while it carries out further security checks.
Security experts told MailOnline today that the attack which happened yesterday was a ‘stark reminder that public wi-fi can be a playground for cybercriminals’, adding that ‘unsecured public networks in busy areas are easy pickings for hackers’.
Thousands of other public spaces around the UK such as restaurants, coffee shops, libraries, university campuses, Government buildings, hospitals, schools and airports have free wi-fi hotspots and could therefore all be under threat from a similar attack.
Passengers look at their phones next to a wifi poster at London Bridge station this morning
The wifi webpage after the hack said ‘We love you, Europe’ and contained information about terror attacks, which has been obscured by MailOnline in the above image
Adrianus Warmenhoven, cybersecurity expert at NordVPN, said the National Rail hack ‘highlights the need for heightened vigilance when using these services — which can be more vulnerable to cyber attacks’.
He added that the incident should ‘act as a wake-up call for everyone to be more mindful of the risks associated with unsecured public networks’.
Experts advise people using public wi-fi to avoid using sensitive accounts such as online banking or shopping websites that require personal information.
Customers should also ensure they are connecting to the correct network, given that hackers have created fake hotspots with names similar to legitimate networks.
Mr Warmenhoven added: ‘To fortify your online security further, make sure your device’s software – or antivirus programs – are up to date.
‘It’s also wise to disable automatic connections to any available networks, to prevent your device from connecting to any malicious services which could put your security or personal information at risk.’
According to its website, Telent helps design, build, support and manage some of the UK’s ‘critical digital infrastructure’, and its other customers include Openreach, Transport for London (TfL), National Highways, the Maritime and Coastguard Agency and the NHS Ambulance Radio Programme.
It has not yet been confirmed if any of Telent’s other customers have been impacted by the incident.
The wi-fi landing page following the National Rail hack said ‘We love you, Europe’ and contained information about terror attacks, according to users posting on social media.
The attack has been compared to the BBC ‘s new drama Nightsleeper which features a sleeper train travelling from Glasgow to London which is hacked and hijacked.
British Transport Police at London King’s Cross station today after the cyber attack on wi-fi
The wi-fi was still down this morning at the 19 stations, which include Bristol Temple Meads, Edinburgh Waverley, Leeds, Guildford and Reading.
The ten London stations affected were Cannon Street, Charing Cross, Clapham Junction, Euston, King’s Cross, Liverpool Street, London Bridge, Paddington, Victoria and Waterloo.
Among the cyber security experts commenting on the attack today was Alex Richards, director of Liberate IT Services, who told MailOnline: ‘This will have been a malicious actor directly targeting the public wi-fi for propaganda purposes or to promote an agenda.
‘Public wi-fi is always isolated and firewalled from any other network so there will be no risk to data held or processed by Network Rail themselves. Public wi-fi is the easiest target due to its accessibility, and the most visible when tampered with.
‘The only potential danger is that anyone else using the public wi-fi at the time could have had their data snooped. This is where information being sent from/to your device on the public wi-fi is inspected and listened to.
‘This is why it is important to only use encrypted services on public wi-fi, or a VPN service using encryption. Better yet, stay clear of public wi-fi and use your 4G or 5G data service.’
James Bore, director at security and technology consultancy Bores Group, also told MailOnline: ‘This sort of attack largely isn’t a threat to users of the wi-fi as it appears to be an activist attack designed to spread a message.
‘From the details available it’s likely the provider of the wi-fi system was the one compromised, and a lot more of their clients than Network Rail will have been affected – however with the busy stations they were noticed first.
‘This sort of attack involves changing the home page – called the captive portal – to another page, and it can be used to steal credentials but in this case was used to spread a message.
‘Honestly, the protection against this sort of attack is not to use public wi-fi – when you do use it you are placing trust in the provider not to do this sort of thing, and while it’s rare that these attacks happen there is nothing individuals can do to prevent them.’
Passengers at London Euston this morning, one of the stations affected by the cyber attack
And Jake Moore, global cybersecurity adviser at Eset, said the incident appeared to be an attempt to draw attention to a lack of security, rather than a ‘genuine threat’.
‘Cyber attacks often occur in stealth mode and attempt to carry out activities without anyone noticing anything until the real damage is complete,’ he said.
‘However, by defacing the wifi logon screen with a terror message suggests that the motive may simply be to test its general security rather than to pose a genuine threat – and in this case, via the weakest link in the supply chain and most likely via a phishing campaign.
‘Financially motivated cyber criminals are out to find data they can either steal or sabotage with a ransom demand put in place.
‘However, it seems nothing more has been demanded here other than more security in place following a separate attack on TfL earlier this month.’
London Waterloo station, pictured today, was also impacted by the cyber attack on wi-fi
A Network Rail spokeswoman told MailOnline: ‘We are currently dealing with a cyber security incident affecting the public wi-fi at Network Rail’s managed stations.
‘This service is provided via a third party and has been suspended while an investigation is underway.’
In a later statement, a Network Rail spokesperson said: ‘Last night the public wi-fi at 19 of Network Rail’s managed stations was subjected to a cyber security incident and was quickly taken off-line. The incident is subject to a full investigation.
‘The wi-fi is provided by a third party, is self-contained and is a simple ‘click & connect’ service that doesn’t collect any personal data. Once our final security checks have been completed we anticipate the service will be restored by the weekend.’
Network Rail manages 20 stations across the network, with London St Pancras the only one that has not been affected by the attack.
The cyber attack has been compared to the BBC’s new drama Nightsleeper, starring Joe Cole
And a British Transport Police spokesman said: ‘We received reports at around 5.03pm yesterday of a cyber-attack displaying Islamophobic messaging on some Network Rail Wi-Fi services.
‘We are working alongside Network Rail to investigate the incident at pace.’
Also today, a spokeswoman for Telent said: ‘We are aware of the cyber security incident affecting the public Wi-Fi at Network Rail’s managed stations and are investigating with Network Rail and other stakeholders.
‘We have been informed there is an ongoing investigation by the British Transport Police into this incident, so it would not be appropriate to comment further at this stage.’
In a later statement, Telent added: ‘Following the incident affecting the public Wi-Fi at Network Rail’s managed stations, Telent have been working with Network Rail and other stakeholders.
‘Through investigations with Global Reach, the provider of the wi-fi landing page, it has been identified that an unauthorised change was made to the Network Rail landing page from a legitimate Global Reach administrator account and the matter is now subject to criminal investigations by the British Transport Police.
Nightsleeper features a train travelling from Glasgow to London which is hacked and hijacked
‘No personal data has been affected. As a precaution, Telent temporarily suspended all use of Global Reach services while verifying that no other Telent customers were impacted.’
While the cyber attack itself did not appear to be affecting train services today, there was major disruption on Avanti West Coast and TransPennine Express services.
All lines between Lockerbie and Carstairs were blocked after an object got caught in the overhead cables, affecting services between Carlisle, Glasgow and Edinburgh.
Elsewhere, flooding continued to disrupt services between Wanborough and Ash in Surrey – while a tree was blocking the line between Hebden Bridge and Todmorden in West Yorkshire.
It comes after a separate cyber security incident was launched on Transport for London (TfL) on September 1, which saw some customer data accessed.
Network Rail confirmed Manchester Piccadilly is among the affected train stations (file photo)
A 17-year-old boy has been arrested in Walsall on suspicion of Computer Misuse Act offences in relation to the TfL attack.
TfL has been investigating the incident alongside the NCA and said some customer names and contact details had been compromised.
Some Oyster card refund data may also have been accessed in the cyber attack which could include bank account details.
TfL said this could include bank account numbers and sort codes for about 5,000 customers, and it has directly contacted these people with guidance.
Meanwhile the Football League has issued an alert to clubs following a series of cyber attacks which have seen breaches at both Bristol City and Sheffield Wednesday in recent weeks.
Hackers are thought to be targeting many of the league’s bigger clubs, hunting for the personal data of season ticket holders and those on email lists.
Should they be successful, that information, which can include passwords, is often sold on to a variety of buyers which are thought to include organised crime networks who can then attempt to use the data to carry out a variety of scams.
A further cyber attack back in June led to more than 10,000 NHS appointments being cancelled after pathology services provider Synnovis was targeted.
The hackers were thought to have obtained confidential medical information and blood test results of more than 100,000 patients.
Last month, they were ordered by a High Court judge to ‘unmask’ themselves and return or delete the stolen data.
And in July, Microsoft suffered a service outage which affected some of its apps and features which was sparked by an attempted cyber attack.
The US technology firm said problems on its Azure cloud platform had been triggered by a distributed denial-of-service (DDoS) attack, where hackers try to knock a platform offline by flooding it with traffic until it can no longer cope.