A Russian programmer who discovered the vulnerability in the Moscow metro WiFi developed a program that allows for tracking anybody traveling underground. Photo: Pavel Golovkin/TASS
For over a year, a vulnerability in the Moscow metro's WiFi system made it possible to acquire the phone number and personal data of everyone on the trains, including their age, marital status and regular commute route. Vladimir Serov, who discovered the vulnerability, developed a program that allows for tracking anybody traveling underground.
According to Russian anti-terror legislation, commuters have to provide their phone numbers to use the network. Each device has a unique identifier called a media access control (MAC) address. When passengers register their phone numbers, their MAC address and personal data become available to the network's operator. Normally, this information is used for geo-targeting and ad placement.
According to Serov, MaximaTelecom, which was managing the network, did not adequately protect user data. "So, I decided to check the authorization page," he told Russian journalists.
"Although the page does not give out personal data, if you know a MAC address you can obtain users' data on the Wi-Fi authorization page," said Serov, adding that with the help of special programs a criminal could potentially collect the data of everyone on the train.
He contacted the Moscow authorities but received no reply, so he decided to describe his unexpected discovery on Habrahabr, a collaborative blog for programmers. He wrote a post titled "How to get the phone number of almost any beauty in Moscow, or an interesting peculiarity of MT_FREE."
Serov, who still had not heard back from the authorities, kept probing the network. For example, he found a special indicator for the train stations and was able to track a girl who was commuting home from work.
“The readers and myself had a lot of fun,” Serov said.
After the publication on Habrahabr, MaximaTelecom secured the network and asked Serov to remove his post. He refused.
“All this time the company was aware that it was violating the basic rules of personal data protection,” Serov said. “They not only stored unsecured information about users, which is unprecedented, but also made it available via an unencrypted channel in an open network. Why should I remain silent about my personal data being treated like this?”
According to MaximaTelecom, almost 12 million users were registered on MT_FREE in 2016. The same network is also available in the St. Petersburg metro, on the Moscow airport express trains and even on Russian Railways.
If using any of Russia Beyond's content, partly or in full, always provide an active hyperlink to the original material.