Oz railway lets newspaper photograph train keys
Your opsec slip is showing, Metro Rail
Police are now saying that yesterday's Melbourne train-heist-and-wreck was possible because miscreants bought stolen keys online.
The vandalism, the cost of which is now estimated at AU$3 million rather than the original $2 million, involved people getting into an idle train at Hurstbridge station, starting it, and taking it on a 50-metre trip through the railyard.
The train was halted by a “derail block”, which then tipped it into another train.
However, in reporting the issue of stolen keys, Melbourne newspaper The Age compounded the problem: it showed a photograph of “universal keys” in sufficient detail for them to be reproduced.
The publication is reminiscent of the emergence in September of 3D printed copies of TSA master luggage-keys, copied from a picture published by the Washington Post - except that a train is much bigger and more dangerous than most suitcases.
That was noticed by Twitter user @AnthonyBriggs:
The image of the keys doesn't appear on The Age's online story about keys being sold on the black market. So it's only available to ... well, pretty much the whole world by now, or soon.
There is, apparently, a program to replace the keys with more complex entry mechanisms, but this is “in its infancy” according to Victoria's Metro Trains. ®