Radio Hobbyist Stops High‑Speed Trains with £300 Kit; IoT Lawn‑Mowers Hijacked for Credential Harvesting
What Happened — A 23‑year‑old radio enthusiast purchased a £300 radio‑controlled device and used it to bring four high‑speed passenger trains to an emergency stop, exploiting unsecured signalling equipment. In a separate incident, owners of $4,000 autonomous lawn‑mowers discovered that the devices could be commandeered over the internet, allowing attackers to harvest Wi‑Fi passwords, email addresses and GPS coordinates; default passwords are automatically reset by firmware updates, negating simple remediation.
Why It Matters for TPRM
- Critical infrastructure (rail transport) can be disrupted with inexpensive, off‑the‑shelf hardware, exposing supply‑chain and service‑continuity risks.
- Consumer‑grade IoT devices are being weaponised for data exfiltration, highlighting gaps in vendor security‑by‑design and patch‑management processes.
- Both cases illustrate how weak authentication and undocumented vulnerabilities can be leveraged by low‑skill actors, raising the threat baseline for third‑party risk assessments.
Who Is Affected — Transportation & logistics operators, rail‑infrastructure owners, IoT device manufacturers, end‑users of autonomous lawn‑mowers, and any organisations that rely on the same supply‑chain components.
Recommended Actions
- Review contracts with rail‑signalling and IoT vendors for security‑by‑design clauses.
- Verify that all third‑party hardware implements strong, immutable authentication (e.g., certificate‑based, MFA).
- Conduct penetration testing of critical OT systems and consumer‑grade IoT devices used in corporate environments.
- Ensure firmware update mechanisms do not silently revert security settings; require signed updates and audit logs.
Technical Notes —
- Attack vector: exploitation of unsecured radio‑frequency control interfaces (train) and default credential abuse combined with firmware‑reset behavior (lawn‑mower).
- Vulnerabilities: No public CVE IDs yet; likely a zero‑day in rail signalling RF protocol and a design flaw in IoT device password management.
- Data types exposed: Wi‑Fi SSIDs/passwords, email addresses, GPS location data.