Researcher Gains Access to Thousands of Russian Railways Surveillance Cameras

A cybersecurity researcher known as LMonoceros shared on Habr how he managed to access the Russian Railways (RZD) network without hacking, almost by accident. He explains:

“There are a lot of free proxy servers on the internet. But who in their right mind would let anyone access the internet through their router? There are basically two options: either the devices have been hacked, or the owner forgot to disable this function.

This made me wonder: ‘Is there life beyond the proxy?’ I ran nmap on a range of addresses on port 8080. Then, using a proxy checker, I searched for public proxies without authentication and picked the one with the lowest ping to me.

Through this proxy, I scanned addresses in the 172.16.0.0/12 range on port 8291 (Mikrotik Winbox). And I found it! No password!”

LMonoceros admits he didn’t immediately realize the scale of the problem he had discovered. Trying to contact the owner of the vulnerable system, he set up an outgoing VPN to himself to study the network and figure out who it belonged to. That’s how he found over 20,000 devices across Russia, about 1,000 of which were Mikrotik devices, and a huge number of devices were using default passwords. These included IP phones, FreePBX, network equipment, and more.

The author notes that many routers were running the latest firmware, were protected by strong passwords, and were not vulnerable, but there were still plenty of poorly configured and outdated devices.
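The article describes three gaps on the exposed MikroTik: a web proxy reachable from the internet on 8080, Winbox on 8291 with no password, and default credentials elsewhere. The RouterOS configuration below is an added example, not from the article or the researcher, showing the weak state beside a hardened one; the WAN interface name ether1 and the 192.168.88.0/24 management network are assumptions.

```routeros
# Weak state the article describes: open proxy, Winbox on any address,
# empty admin password. Listed only as the "before" for comparison.
/ip proxy set enabled=yes port=8080
/ip service set winbox address=""
/user set admin password=""

# Hardened configuration. Assumes ether1 is the WAN interface and
# 192.168.88.0/24 is the management LAN (both are assumed names).

# 1. Disable the web proxy unless it is genuinely required.
/ip proxy set enabled=no

# 2. Bind management services to the management LAN; disable unused ones.
/ip service set winbox address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
/ip service disable telnet,ftp,www,api,api-ssl

# 3. Input chain: keep established sessions, allow the management LAN,
#    explicitly drop proxy/Winbox from the WAN, then default-deny on WAN.
/ip firewall filter add chain=input connection-state=established,related action=accept comment="existing sessions"
/ip firewall filter add chain=input src-address=192.168.88.0/24 action=accept comment="management LAN"
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=8080,8291 action=drop comment="no proxy/Winbox from WAN"
/ip firewall filter add chain=input in-interface=ether1 action=drop comment="default deny on WAN"

# 4. Replace the default admin account with a named one and a real password.
/user add name=netadmin group=full password="<choose-a-long-unique-password>"
/user disable admin

# 5. Stop MAC-level Winbox/Telnet discovery from answering on any interface
#    not in an explicit list (none here; add a LAN list if needed).
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none

# 6. Keep RouterOS current; the article notes up-to-date units were not affected.
/system package update check-for-updates
```

After applying, verify from an external address that 8080 and 8291 no longer answer, and from the management LAN that Winbox still does.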

As a result, the researcher gained access to at least 10,000 (by his “modest estimate”) surveillance cameras made by Beward, Axis, Panasonic, and others. The camera feeds showed railway stations and terminals (inside and out), and even office interiors. It became clear that all this infrastructure belonged to Russian Railways (RZD).

“I always thought vulnerabilities in corporate networks appeared due to mistakes or deliberate actions by unqualified employees. My first thought was that some employee, with security’s permission, set up a VPN from home to the work network using a Mikrotik router at home. But this theory fell apart as soon as I saw the reverse DNS of the address I used to access this Mikrotik. It was actually one of the gateways from the RZD network to the outside world—and vice versa,” LMonoceros explains.

Worse still, LMonoceros found many signs that others had also accessed this network. For example, he repeatedly came across links on routers that had nothing to do with RZD.

In an update to his article, the researcher notes that RZD specialists have already contacted him, and together they closed the discovered vulnerabilities. RZD representatives also told TASS that an investigation is underway and emphasized that “there was no leak of clients’ personal data, and there is no threat to operational safety.”
