Man on a houseboat secretly collects train travellers’ sensitive data through unencrypted Wi-Fi network

A computer scientist has exposed how anybody can collect sensitive information from the millions of people who travel on Dutch trains.

Hannes Mühleisen has been infiltrating the public Wi-Fi network of the Netherlands’ principal railway operator, Nederlandse Spoorwegen, for the past five months – and has been publishing all the data in a real-time database that anyone can view.

Mühleisen, 31, who lives very close to Amsterdam Central Station, noticed the network was unencrypted when he could connect to a train's Wi-Fi from his houseboat.

After wondering whether he could 'listen in' to the devices connected to the network, he hung two cheap antennas on his boat to absorb the data traffic – and used open-source software to generate comprehensible information.

He soon found that he was able to collect private information from anybody connected to the free Wi-Fi network, including the sites they visit, the apps they use and the model and unique identification number of their device.

He also has access to any information entered on unencrypted websites, which he calculates to be around 50% of the total number of sites visited by users of the Wi-Fi. This information could include passwords, credit card information, chats and email exchanges.

‘I was completely overwhelmed by everything that came in,’ he told Dutch website De Correspondent. ‘The network simply blows [out] all of the data, and I can just pick them [out] off the air. If I wanted to, I could seriously mess with it.’

In the first five months of absorbing traffic through the antennas, Mühleisen has collected data from around 115,000 different devices and 10 million attempts to connect with a website or app.

‘You can do so much with it,’ he said. ‘Imagine that you have ten of these types of antennas dropped at strategic locations in the Netherlands – you get a pretty good picture of the behavior of millions of Dutch.’

Mühleisen decided to make his database public following numerous failed attempts to alert Nederlandse Spoorwegen to the problem.

Since April, he has attempted to contact the company via email, Twitter and its website – and even reached out to senior members of its IT department on LinkedIn – but nothing has been done.

‘There is no reason why they should not encrypt their network,’ he said. ‘Sometimes you have to see it to really make a point.’

Ben Rossi
