Major London rail station reveals system passwords during TV documentary

Updated What looks like system passwords at one of London's busiest railway stations – printed and attached to the top of a station controller's monitor – were exposed to viewers during a BBC documentary on Wednesday night.

The login credentials were visible just before the 44 minute minute mark in the documentary Nick and Margaret: The Trouble With our Trains. The creds could be seen stuck to a monitor during a scene where the two business experts, best known for their supporting role on The Apprentice went into London Waterloo's control room.

A cropped screen-cap of the offending monitor with the machine-produced login (utility unknown) can be found here (note that screen-cap is 3,000px wide/180kB, if you're on a mobile device or a slow connection). ‪The screenshot seems to be of the workstation on a signaller's control desk‬ which appears to be running software that controls signals and trains over‪ the final approach to Waterloo station‬. ‪A live map of Waterloo displaying the same type of information can be found here.‬

The documentary, starring Nick Hewer and Margaret Mountford, is available via YouTube here. El Reg flagged up the snafu to National Rail in the interests of encouraging a switch of passwords.

There are precedents for visual security slip-ups of this kind. Back in 2012 the UK's Ministry of Defence was obliged to reset user names and passwords following the publication of pictures of the Duke of Cambridge at work as a helicopter pilot on an RAF station.

Some of the pictures, released by St James's Palace, showed Prince William at work at RAF Valley but failed to redact sensitive login info, written on a bulletin boards in the background of shots taken at the RAF base in north Wales. The pictures were pulled but not before they had been widely circulated, as El Reg reported at the time.

More recently, the Wi-Fi passwords for the security team for Super Bowl XLVIII and the Brazil 2014 World Cup were broadcast live on air. Some security experts argue that Wi-Fi password slip-ups aren't that big a deal. However, French network TV5Monde's failure to keep its passwords secret not once – but twice – in the aftermath of getting knocked off the air by pro-ISIS hackers is surely deeply unwise.

More examples of people and organisations accidentally broadcasting their password on live TV can be found in a blog post here.

The lesson is: when TV crews visit, remember to wipe the whiteboard. ®

Bootnote

Thanks to keen-eyed Reg readers Anthony D and Ian R for bringing this to our attention to the Waterloo station control room password snafu.

Update

Network Rail has yet to respond to our request for comment, though its PR staff have said it changes its passwords regularly.

Our story has generated a discussion thread among people on a rail interest forum, who know much more about how the system works than Reg staffers.

London Waterloo's signalling is not controlled from Waterloo itself and it doesn't use desktop computers as it's controlled from dedicated signalling panels. The information displayed is, we understand, a local login for a workstation and therefore of absolutely no use to anyone sitting at home‬ (or elsewhere) hoping to play trains. The login may be an index number for the particular map being displayed on the monitor, but more than that remains unclear to El Reg.