Oops! Train control centre passwords revealed on BBC TV

A BBC documentary revealed more than it planned this week, exposing the passwords used at a rail control centre.

Nick Hewer and Margaret Mountford (both famous for being Alan Sugar's sidekicks in "The Apprentice") were on the prowl in "Nick and Margaret: The Trouble with Our Trains" on Wednesday night on BBC Two, raising their notorious querulous eyebrows at the sorry state of the British rail network.

And the dynamic duo's travels took them to the Wessex Integrated Control Centre, located above the platform entrances at London Waterloo railway station, manned 24 hours a day by teams of controllers from both South West Trains and Network Rail.

Rail control password

Maybe it would be a good idea to blur the passwords before broadcast next time or - even better - not have them stuck onto your monitor in the first place?

While you're at it, a stronger password than "Password3" might be an idea as well.

Just a thought...

Of course, just knowing a password doesn't mean that it can necessarily be exploited by anyone remotely. It's quite possible that the password is for the purpose of logging into the physical desktop computer itself, but still... You've reduced the point of a password if you've stuck it on the very device which needs the password.

Coincidentally, BBC News ran a story just last week discussing fears that computer systems controlling the signal system in the UK could be vulnerable to hacking attacks.

This isn't, of course, the first time that an organisation has made the schoolboy mistake of letting a TV company into its offices, only to discover passwords have been exposed in the background.

For instance, there was the Sky News report from the emergency flood centre, or CBS's report from the Super Bowl's top secret security center, or - most fabulously - French TV station TV5MONDE discussing how its systems were recently hacked... while revealing yet more passwords at the same time.

For the next month or so, UK television licence payers can watch "Nick and Margaret: The Trouble with Our Trains" on BBC iPlayer.

The passwords are revealed at about 43 minutes into the programme.

Hat-tip: @MikeSel.


12 Responses

  1. gsc2000

    May 1, 2015 at 12:32 pm #

    Remember Network Rail CSO ranting on about mobile security being poor?
    http://www.computing.co.uk/ctg/news/2236827/cisos-big-security-vendors-caught-on-the-hop-by-rise-in-enterprise-mobility. He said "The whole industry has missed a trick". Well, it does appear Network Rail have just "missed a trick". Maybe review your own processes first and get them in order before fixing the world.

  2. Mike Sirell

    May 1, 2015 at 1:34 pm #

    The passwords aren't the only security fail visible in that screenshot. Hint: look at the window chrome and colour scheme…

    • Graham Cluley in reply to Mike Sirell.

      May 1, 2015 at 1:41 pm #

      Windows XP? Gulp…

      • Anonymous in reply to Graham Cluley.

        May 1, 2015 at 9:03 pm #

        I wonder how many zero days have already been found for XP that people are just sitting on until M.S officially stops updating it.

        35,000 still running in the MET, could a tech-savvy criminal give themselves a clean slate I wonder?

      • Coyote in reply to Graham Cluley.

        May 2, 2015 at 12:03 am #

        Wait, so you can tell this is XP just by looking at the colouring? Each day I am amazed that I can see at all. Thankful. But amazed. That is with three eye surgeries as a kid, and that was all they could do. Of course I won't say that it is only my vision; it could also be that I've not seen XP in a long time (or never would recognise it without a specific logo in a large size).

        On the subject of XP – do we know why the UK government thought they'd be saving money by spending a large amount for updates for 1 year, only to then have to worry about upgrading all the XP systems (and don't forget updated software, possibly hardware, etc.!) as well, i.e. extra cost? Or is this just one of the examples of 'government intelligence' (etc.) being an oxymoron?

  3. pau

    May 1, 2015 at 2:53 pm #

    Good work blurring the passwords out of the pics.

  4. Perry

    May 1, 2015 at 5:47 pm #

    I interpret that photo as the login requiring "password #3" on the ops password list (which should change weekly or some such). However your interpretation is probably more likely :-)

    • Coyote in reply to Perry.

      May 2, 2015 at 12:09 am #

      Well… I didn't see a #. That doesn't necessarily mean anything. But even if that is the case, what is the other part? It says it is the login so unless that is obfuscation I suppose it is the login. In any case, while it is troubling, I think it makes the story more fun – albeit scary – to have the password be 'Password3' …

  5. Coyote

    May 2, 2015 at 12:19 am #

    It is interesting – and quite amusing – to note that the login is more complicated than the password. I'll argue something else though; the amateur mistake isn't to allow recording equipment into the premise (that is of course another issue entirely, at a premise that is meant to be as secure as possible, so unless that reveals the problem – that it wasn't meant to be secure – it is another mistake) so much as having a password that weak and worse still visible anywhere. I have to wonder too:

    Is their memory that poor, that they can't remember 'Password3'? Never mind choosing such a password; why would you have to write it down? If you're going to write it down, at least make the password complicated! That way there is at least an excuse that they could argue is legit in some way (however wrong they would be) – that it is so difficult that they have to write it down (because password safes and such aren't on their radar). But no. Password3 is the password, they write it down, they allow cameras in, that they use XP (as above) and because they wrote the login credentials down, it is a shared account, too (probably was in any case[1]). To think that the TV station was explaining how they were compromised on TV, while giving a demonstration of such practices is the best example you give. But in many ways this story isn't much better.

    [1] Maybe that's their logic and is why they have it written down?

  6. Jon Tout

    May 2, 2015 at 9:00 am #

    Bear in mind less than 12 hours later there was chaos at Clapham Junction. This was reported as being an electrical fault but you want to admit your rail network system had been hacked? Perhaps it really was an electrical fault and it's just a coincidence, but I'm just saying. Weak security shown at the Control Centre, a few hours later, problems with the rail network.

  7. Hoglet

    May 3, 2015 at 8:44 am #

    You can bet there is a password1 and password2 in there too!

    • Mr Man in reply to Hoglet.

      May 4, 2015 at 1:44 pm #

      Nah, I've worked in environments like that – that'll be monitoring station number three. You’ll never guess the passwords for stations one and two…
