Can you hack a train?

December 29, 2015

Living in a digital age means that most of the things we use are operated and/or controlled by computers. This ranges from telecom appliances to cars, from factories and power plants to ports and ships. It should come as no surprise that this is also true of railways and trains.

At Chaos Communication Congress in Hamburg on December 28, security researchers Sergey Gordeychik, Alexander Timorin and Gleb Gritsai, on behalf of the SCADA StrangeLove team, presented their study of the computer systems used by railways. Even a brief review of the industry shows that there are a great many computer systems in railways, more than one might actually expect.

These systems include: on-board computer systems on trains; traffic control systems; computer-based interlocking and signaling at stations and crossings; remote measurement systems; passenger information and entertainment systems; ticketing systems; and ordinary items such as general-purpose office workstations and network infrastructure.

All of this is further complicated by the fact that every country and railway company has its own standards and implements its own computer infrastructure. At the same time, the railway systems in question are often interconnected so that trains can proceed from one country to another without friction.

Eurostar, the high-speed train that connects Brussels, London and Paris, is a good example of how complex things really are: the train must be compatible with Belgian, French and British signaling, control and train protection systems.

Some of these systems can hardly be called invulnerable, even by a person who tends to use that word frequently. For example, the modern version of the automation system in Siemens trains (which are operated not only by Deutsche Bahn, but also by companies in Spain, Russia, China and Japan) is based on Siemens WinAC RTX controllers. These are basically x86 computers running Windows, and they once had a starring role in the Stuxnet cyber-saga.

Vulnerabilities can also be found in computer-based interlocking, a rather complex system responsible for controlling railway switches. For example, modern approval certificates for new equipment used in the flexibility safety processor of the London subway system include such odd requirements as Windows XP or even “Windows NT4 service pack 6 and above.”

Another problem with the security of interlocking computer systems is that this powerful software is frequently operated by incompetent staff, so secure authentication is out of the question. It is bad enough to see a yellow sticker with a login and password on some office PC. But what about such a sticker on a computer which, if hacked, can send an object weighing hundreds of tons and moving at 100 km/h toward another equally large object moving at the same speed in the opposite direction?

Yet another problem is the communications part of the railway infrastructure. For example, moving trains communicate with the railway control system via the GSM-R network, which is basically GSM with all of its particular weaknesses, including SIM cloning, jamming, over-the-air software updates, SMS commands (with the default PIN code 1234) and so on.

Default credentials, and even hard-coded credentials, turn up here and there in railway networks. And of course, everything is interconnected and frequently connected to the Internet. The problem, as one of the SCADA StrangeLove researchers puts it, is that “when you connect to the Internet, the Internet also connects to you.” This means that one can even find network appliances installed on board actual trains using specialised Internet of Things search engines such as Shodan.

The study presented at Chaos Communication Congress is neither a ready-to-use hacking technique nor a complete list of vulnerabilities in any particular railway computer system. But it does show what potential malefactors would look for if they decided to do harm with trains, and what they could find and exploit after even a shallow analysis of the railway digital infrastructure.

Like any other operator of critical infrastructure, railway companies should implement IT security measures far more thoroughly. As Eugene Kaspersky said, “I believe that now it is time to build safe infrastructure and industrial systems.”