Major Data Leak of Moscow Metro Wi-Fi Users Reported
The operator of the free Wi-Fi service in the Moscow Metro, Maxima Telecom, has commented on reports of a serious vulnerability in its system, discovered by security researcher Vladimir Serov in March of this year. For at least a year, this issue allowed access to personal data of passengers connected to the Wi-Fi network, including phone numbers, age, gender, marital status, and the metro stations where they work and live. Furthermore, the researcher presented a script that could use the vulnerability to track passengers’ movements throughout the metro system.
Serov first reported the problem last month on his blog on “Habrahabr,” but it only recently gained widespread media attention. The day after the blog post, Maxima Telecom encrypted phone numbers, but other information could still be accessed. Notably, Serov did not contact the operator directly but instead reached out to developer acquaintances at mos.ru, making sure the report reached the person responsible for metro Wi-Fi.
Details of the Vulnerability
According to the researcher, the vulnerability stemmed from the current anti-terrorism legislation, which requires passengers to provide their phone number when connecting to the MT_FREE network. Authorization is carried out by linking the phone number with the device's MAC address. Serov noted that with certain utilities it is easy to change a device's MAC address, including to the address of a device whose owner has paid for premium, ad-free access.
All users of the free Wi-Fi are automatically shown an authorization page with targeted advertising. To enable effective targeting, information about users is collected to create digital profiles, which are then shared with certain advertising companies. In theory, these profiles should be encrypted, but according to Serov, the profiles of Moscow Metro passengers—including phone numbers on the Wi-Fi authorization page—were transmitted in plain text.
While the authorization page does not display users’ names or surnames, linking personal data to a device’s MAC address still puts users at risk. Since the MAC address can be changed, an attacker could view the data provided by the authorization page for any given MAC address.
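The design flaw described above, and one way to close it, as an added example that is not code from Serov or Maxima Telecom: a page that looks up the profile by MAC address alone, beside a version that requires a session token issued after phone verification and exposes only an opaque ad segment. The record, field names and function names are constructed assumptions, and the token is assumed to travel in a cookie over TLS.

```python
import hashlib
import hmac
import secrets

# Constructed sample record; field names are assumptions based on the article.
PROFILES = {
    "aa:bb:cc:00:00:01": {"phone": "+70000000001", "age_group": "25-34",
                          "gender": "f", "home_station": "Station A"},
}
SERVER_KEY = secrets.token_bytes(32)  # never leaves the server
SESSIONS = {}                         # session token -> MAC it was issued to


def render_page_weak(claimed_mac):
    """'Before': profile is looked up by MAC alone and embedded in the page."""
    return {"ads_profile": dict(PROFILES.get(claimed_mac, {}))}


def open_session(mac):
    """Hypothetical step, run only after the phone number has been verified."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = mac
    return token


def ad_segment(profile):
    """Opaque targeting key: keyed hash of coarse attributes, never the phone."""
    coarse = f"{profile['age_group']}|{profile['gender']}".encode()
    return hmac.new(SERVER_KEY, coarse, hashlib.sha256).hexdigest()[:16]


def render_page_hardened(claimed_mac, session_token):
    """'After': the MAC is an identifier, not a credential."""
    bound_mac = SESSIONS.get(session_token or "")
    profile = PROFILES.get(bound_mac) if bound_mac else None
    if profile is None or not hmac.compare_digest(bound_mac, claimed_mac):
        return {"ads_profile": None}  # generic, untargeted page
    return {"ads_profile": {"segment": ad_segment(profile)}}
```

In the hardened version a request that presents only a MAC address, or a token issued to a different device, gets the generic page, and even a valid session never receives the phone number or station data.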
Operator’s Response and Security Measures
According to TASS, citing an official statement from Maxima Telecom, the operator plans to strengthen measures to protect users’ personal data and completely change the authorization algorithm. The statement says the vulnerability was fixed several weeks after it was reported on the “Habrahabr” website.
“We immediately encrypted the transmission of profile data such as phone number, gender, and age group, and also stopped storing data about users’ movements between metro stations. This eliminated the possibility of hackers tracking users,” the statement reads.