It took 20 minutes to hack the Sapsan, and only that long because the train’s server was lagging. November 2019: keklick1337 is returning by evening express from St. Petersburg, where the international ZeroNights conference was held. It is one of the best-known events in Russia for cybersecurity specialists. ZeroNights participants present talks on cyber threats, and attendees can take part in themed quests. One of the tasks is to hack a device provided for the contest, for a reward. keklick1337 didn’t find anything worthy of attention at the conference, got upset and went home. He had unfinished pentesting work, so he connected to the train’s Wi-Fi, which required the last four digits of his passport and his seat number and worked so incredibly slowly that even his mail would not load. An ordinary person would have turned to other things, but keklick1337 got bored and decided to have some fun and hack the Sapsan: since the Wi-Fi asks for a passport number, data about all of the train’s passengers must be stored somewhere. Just twenty minutes later, keklick1337 sees the data of all passengers on this and past trips, with no protection or encryption.
In fact, keklick1337 is a white-hat hacker who protects large companies from malicious attacks. In Internet jargon, the last four digits of his nickname are read as “leet”, that is, “elite”, a fairly popular ending for the nicknames under which hackers and information security specialists work.
“Now I am being actively monitored,” keklick1337 is convinced. “Although I did not even use the data obtained as a result of hacking.” But he shared his story on Habr. After that, ambiguous messages began to arrive on his social networks: a copy-paste of the meme “you are young, playful, everything is easy for you” ended with the threat “the case will fall on the table, without options.” But it did not go beyond Internet intimidation. The Investigative Committee did not initiate a criminal case, and Russian Railways said that the company had not found vulnerabilities that would lead to a leak of critical data.