A computer scientist has exposed how anybody can collect sensitive information from the millions of people who travel on Dutch trains.
Hannes Mühleisen has been infiltrating the public Wi-Fi network of the Netherlands’ principal railway operator, Nederlandse Spoorwegen, for the past five months – and has been publishing all the data in a real-time database that anyone can view.
Mühleisen, 31, who lives very close to Amsterdam Central Station, noticed the network was unencrypted when he could connect to a train's Wi-Fi from his houseboat.
After wondering whether he could 'listen in' to the devices connected to the network, he hung two cheap antennas on his boat to absorb the data traffic – and used open-source software to generate comprehensible information.
He soon found that he was able to collect private information from anybody connected to the free Wi-Fi network, including the sites they visit, the apps they use and the model and unique identification number of their device.
He also has access to any information entered on unencrypted websites, which he calculates to be around 50% of the total number of sites visited by users of the Wi-Fi. This information could include passwords, credit card information, chats and email exchanges.
‘I was completely overwhelmed by everything that came in,’ he told Dutch website De Correspondent. ‘The network simply blows [out] all of the data, and I can just pick them [out] off the air. If I wanted to, I could seriously mess with it.’
In the first five months of absorbing traffic through the antennas, Mühleisen has collected data from around 115,000 different devices and 10 million attempts to connect with a website or app.
‘You can do so much with it,’ he said. ‘Imagine that you have ten of these types of antennas dropped at strategic locations in the Netherlands – you get a pretty good picture of the behavior of millions of Dutch.’
Mühleisen decided to make his database public following numerous failed attempts to alert Nederlandse Spoorwegen to the problem.
Since April, he has attempted to contact the company via email, Twitter and its website – and even reached out to senior members of its IT department on LinkedIn – but nothing has been done.
‘There is no reason why they should not encrypt their network,’ he said. ‘Sometimes you have to see it to really make a point.’