Oops! Train control centre passwords revealed on BBC TV

Graham Cluley

Nick and MargaretA BBC documentary revealed more than it planned this week, exposing the passwords used at a rail control centre.

Nick Hewer and Margaret Mountford (both famous for being Alan Sugar’s sidekicks in “The Apprentice”) were on the prowl in “Nick and Margaret: The Trouble with Our Trains” on Wednesday night on BBC Two, raising their notorious querulous eyebrows at the sorry state of the British rail network.

And the dynamic duo’s travels took them to the Wessex Integrated Control Centre, located above the platform entrances at London Waterloo railway station, manned 24 hours a day by teams of controllers from both South West Trains and Network Rail.

Rail control password

Maybe it would be a good idea to blur the passwords before broadcast next time or – even better – not have them stuck onto your monitor in the first place?

While you’re at it, a stronger password than “Password3” might be an idea as well.

Just a thought…

Of course, just knowing a password doesn’t mean that it can necessarily be exploited by anyone remotely. It’s quite possible that the password is for the purpose of logging into the physical desktop computer itself, but still… You’ve reduced the point of a password if you’ve stuck it on the very device which needs the password.

Coincidentally, BBC News ran a story just last week discussing fears that computer systems controlling the signal system in the UK could be vulnerable to hacking attacks.

This isn’t, of course, the first time that an organisation has made the schoolboy mistake of letting a TV company into its offices, only to discover passwords have been exposed in the background.

For instance, there was the Sky News report from the emergency flood centre, or CBS’s report from the Super Bowl’s top secret security center, or – most fabulously – French TV station TV5MONDE discussing how its systems were recently hacked… while revealing yet more passwords at the same time.

For the next month or so, UK television license payers can watch “Nick and Margaret: The Trouble with Our Trains” on BBC iPlayer.

The passwords are revealed at about 43 minutes into the programme.

Hat-tip: @MikeSel.

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

12 Replies to “Oops! Train control centre passwords revealed on BBC TV”

  1. Remember network rail CSO ranting on about mobile security being poor?
    http://www.computing.co.uk/ctg/news/2236827/cisos-big-security-vendors-caught-on-the-hop-by-rise-in-enterprise-mobility . He said "The whole industry has missed a trick". Well, it does appear network rail have just "missed a trick" . Maybe review your own processes first and get them in order before fixing the world.

  2. The passwords aren't the only security fail visible in that screenshot. Hint: look at the window chrome and colour scheme…

      1. I wonder how many zero days have already been found for XP that people are just sitting on until M.S officially stops updating it.

        35,000 still running in the MET, could a tech savy criminal give themselves a clean slate I wonder?

      2. Wait, so you can tell this is XP just by looking at the colouring ? Each day I am amazed that I can see at all. Thankful. But amazed. That is with three eye surgeries as a kid, and that was all they could do. Of course I won't say that it is only my vision; it could also be that I've not seen XP in a long time (or never would recognise it without a specific logo in a large size).

        On the subject of XP – do we know why the UK government thought they'd be saving money by spending a large amount for updates for 1 year, only to then have to worry about upgrading all the XP systems (and don't forget updated software, possibly hardware, etc.!) as well, i.e extra cost ? Or is this just one of the examples of 'government intelligence' (etc.) being an oxymoron ?

  3. i interpret that photo as the login requiring "password #3" on the ops password list (which should change weekly or some such). However your interpretation is probably more likely :-)

    1. Well… I didn't see a #. That doesn't necessarily mean anything. But even if that is the case, what is the other part ? It says it is the login so unless that is obfuscation I suppose it is the login. In any case, while it is troubling, I think it makes the story more fun – albeit scary – to have the password be 'Password3' …

  4. It is interesting – and quite amusing – to note that the login is more complicated than the password. I'll argue something else though; the amateur mistake isn't to allow recording equipment in to the premise (that is of course another issue entirely, at a premise that is meant to be as secure as possible, so unless that reveals the problem – that it wasn't meant to be secure – it is another mistake) so much as having a password that weak and worse still visible any where. I have to wonder too:

    Is their memory that poor, that they can't remember 'Password3' ? Never mind choosing such a password; why would you have to write it down ? If you're going to write it down, at least make the password complicated! That way there is at least an excuse that they could argue is legit in some way (however wrong they would be) – that it is so difficult that they have to write it down (because password safes and such aren't on their radar). But no. Password3 is the password, they write it down, they allow cameras in, that they use XP (as above) and because they wrote the login credentials down, it is a shared account, too (probably was in any case[1]). To think that the TV station was explaining how they were compromised on TV, while giving a demonstration of such practises is the best example you give. But in many ways this story isn't much better.

    [1] Maybe that's their logic and is why they have it written down ?

  5. Bear in mind less than 12 hours later there was chaos at Clapham Junction. This was reported as being an electrical fault but you want to admit your rail network system had been hacked? Perhaps it really was an electrical fault and it's just a coincidence, but I'm just saying. Weak security shown at the Control Centre , a few hours later, problems with the rail network.

    1. Nah, I've worked in environments like that – that'll be monitoring station number three. You’ll never guess the passwords for stations one and two…

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Never miss a thing. Sign up for the free GCHQ newsletter from Graham Cluley.
GET UPDATES