Securing the Ticketing Backbone: Penetration Test & Configuration Audit for a Public Transport Network

Key Challenges

Our client is a public transport operator that manages most of the public transportation system in its region including trams, trolleybuses, and buses.

The client wanted to assess the security of its ticketing infrastructure. This infrastructure included all the machines and services related to the sale of transportation tickets. To do so, we conducted a configuration audit of the client’s services as well as an infrastructure penetration test.

The scope was limited to the 5 servers that allowed the configuration, the management and the follow-up of the ticket vending machines.

Approach

Services Configuration Audit

Our experts started with a configuration audit of the services identified by the client. The client’s team granted us accounts with broad read privileges, allowing us to access the configuration files of these services. The objective of the audit was to assess the maturity of the security best practices applied to the following products: PostgreSQL, Zabbix, RedHat, etc., and to make recommendations to improve them.

We concluded that security best practices were not being applied by the operational team.

Infrastructure Penetration Test

We then performed a grey box penetration test, having been granted VPN access to the infrastructure.

The penetration test revealed critical vulnerabilities that could have had a significant impact on the ticketing infrastructure had they gone unnoticed. Among them, many default passwords were discovered, as well as vulnerabilities in the services themselves (PostgreSQL, Zabbix, Docker). These services were not up to date, which allowed our penetration testers to gain access to the servers. From there, it would have been possible to alter the configuration of the services and affect the business overall, including the prices of transportation network tickets.

The penetration test identified critical vulnerabilities within the defined perimeter:

  • Default and weak passwords
  • Outdated versions of the deployed tools
  • RCE (Remote Code Execution) vulnerabilities
  • Availability of sensitive data on shared folders
  • Reachability of the production environment from the pre-production environment

Overall, we uncovered significant deviations from good security practices, misconfigurations, and a lack of product updates that put the operations and the client as a whole at risk.

In a hypothetical scenario, our experts concluded that attackers who gained access to the client’s internal network would have been able to compromise the perimeter extensively and would have had the ability to pivot to the rest of the client’s infrastructure, as well as to its suppliers.

In conclusion, we graded the security of the infrastructure as “very insufficient”.

Benefits

Thanks to our methodologies, we were quickly able to identify multiple security flaws. The flaws were documented and graded to help the client prioritize the corrections according to their criticality and ease of implementation. General and specific recommendations were also provided to the client to increase its overall security.

Our penetration testers’ recommendations included:

  • Changing default passwords and using complex ones
  • Not keeping files containing unencrypted passwords
  • Updating services
  • Reviewing permissions on sensitive files and accounts on all servers
  • Separating the production and pre-production environments
  • Encrypting database backups

The client now has a global overview of its infrastructure, a detailed list of security flaws and how to correct them, as well as general security recommendations. Equipped with this knowledge, the client was able to take the actions necessary to secure its infrastructure.