{"id":10946,"date":"2015-12-29T09:00:19","date_gmt":"2015-12-29T14:00:19","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=10946"},"modified":"2017-09-24T08:11:08","modified_gmt":"2017-09-24T12:11:08","slug":"train-hack","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/train-hack\/10946\/","title":{"rendered":"Can you hack a train?"},"content":{"rendered":"<p>Living in a digital age means that most of the things we use are operated and\/or controlled by computers. This ranges from telecom appliances to cars, from factories and energy plants to ports and ships. It should come as no surprise that this is also true for railways and trains.<\/p>\n<p><img decoding=\"async\" class=\"alignright size-full wp-image-10948\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/12\/06023353\/train-hack-FB.jpg\" alt=\"Can you hack a train?\" width=\"1280\" height=\"1280\"><\/p>\n<p>At Chaos Communication Congress in Hamburg on December 28 security researchers Sergey Gordeychik, Alexander Timorin and Gleb Gritsai on behalf of <a href=\"http:\/\/scadastrangelove.blogspot.ru\/\" target=\"_blank\" rel=\"noopener nofollow\">SCADA StrangeLove<\/a> team presented their study on computer systems used by railways. A brief review of this industry shows that there\u2019s a whole lot of computer systems in the railway industry \u2013 more than one might actually expect.<\/p>\n<p><iframe title='\"The Great Train Cyber Robbery\" SCADAStrangeLove' src=\"https:\/\/www.slideshare.net\/slideshow\/embed_code\/key\/6rVzcZtz5MjaOB\" width=\"427\" height=\"356\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\" style=\"border:1px solid #CCC; border-width:1px; margin-bottom:5px; max-width: 100%;\" allowfullscreen> <\/iframe> <\/p>\n<div style=\"margin-bottom:5px\"> <strong> <a href=\"https:\/\/www.slideshare.net\/AlexanderTimorin\/the-great-train-cyber-robbery-scadastrangelove\" title='\"The Great Train Cyber Robbery\" SCADAStrangeLove' target=\"_blank\" rel=\"noopener nofollow\">\"The Great Train Cyber Robbery\" SCADAStrangeLove<\/a> <\/strong> from <strong><a href=\"https:\/\/www.slideshare.net\/AlexanderTimorin\" target=\"_blank\" rel=\"noopener nofollow\">Aleksandr Timorin<\/a><\/strong> <\/div>\n<p>These systems include: computer systems on trains; traffic control systems; computer-based interlocking &amp; signaling at stations and crossings; remote measuring systems, passenger information and entertainment systems; ticketing systems; and ordinary items including general purpose office workstations and network infrastructure.<\/p>\n<p>In addition, all this jumble is even more complicated because every country and railway company has its own standards and is implementing its own computer infrastructure. At the same time the railway systems in question often are interconnected in order to allow trains from one country to proceed to another country without friction.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Maritime industry is easy meat for cyber criminals \u2013 <a href=\"http:\/\/t.co\/arylkFBOTc\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/arylkFBOTc<\/a> <a href=\"http:\/\/t.co\/v6QKzcjJXM\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/v6QKzcjJXM<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/601876502058262528?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">May 22, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Eurostar, a high-speed train which connects Brussels, London and Paris, is a good example of how really complex the things are. This train\u2019s signaling, control and protection systems include Belgian, French and British systems that the train needs to be compatible with.<\/p>\n<p>Some of these systems can hardly be called invulnerable, even by a person who tends to use this word frequently. For example, modern version of the automation system in <a href=\"https:\/\/en.wikipedia.org\/wiki\/Siemens_Mobility\" target=\"_blank\" rel=\"noopener nofollow\">Siemens trains<\/a> (which are operated not only by Deutsche Bahn, but also by companies operating in Spain, Russia, China and Japan) is based on <a href=\"http:\/\/w3.siemens.com\/mcms\/programmable-logic-controller\/en\/software-controller\/software-plc-simatic-winac\/simatic-winac-rtx\/pages\/default.aspx\" target=\"_blank\" rel=\"noopener nofollow\">Siemens WinAC RTX controllers<\/a>. These are basically x86 computers running Windows and they once had a starring role in <a href=\"https:\/\/www.kaspersky.com\/blog\/stuxnet-victims-zero\/6775\/\" target=\"_blank\" rel=\"noopener nofollow\">Stuxnet cyber-saga<\/a>.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Before <a href=\"https:\/\/twitter.com\/hashtag\/Stuxnet?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Stuxnet<\/a>, there was little thought about proactively securing industrial facilities <a href=\"https:\/\/t.co\/2r3pXlbf7Z\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/2r3pXlbf7Z<\/a> <a href=\"http:\/\/t.co\/vvj9ChCHAb\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/vvj9ChCHAb<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/534775738558578688?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">November 18, 2014<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Vulnerabilities can also be found in <a href=\"https:\/\/en.wikipedia.org\/wiki\/Computer-based_interlocking\" target=\"_blank\" rel=\"noopener nofollow\">Computer Based Interlocking<\/a>, which is quite a complex system responsible for controlling railway switches. For example, modern approval certificates for new equipment used in flexibility safety processor in London subway system include such weird requirements as Windows XP or even \u201cWindows NT4 service pack 6 and above.\u201d<\/p>\n<p>Another problem with security of interlocking computer systems is that the mighty software frequently is operated by incompetent staff, thus secure authentication is out of question. It\u2019s bad enough when you see a dumb yellow sticker with login and password on some office PC. But what about such sticker on a computer which, if hacked, can throw an item weighing hundreds of tons moving at 100 km\/h towards another quite large object moving at the same speed from opposite direction?<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">The wrong way to use passwords <a href=\"https:\/\/t.co\/dQgoRrLQx8\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/dQgoRrLQx8<\/a> Are you doing it wrong? <a href=\"https:\/\/t.co\/k9IYb4fJb8\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/k9IYb4fJb8<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/671724509360201728?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">December 1, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Yet another problem is communication part of railway infrastructure. For example, moving trains communicate with railway control system via <a href=\"https:\/\/en.wikipedia.org\/wiki\/GSM-R\" target=\"_blank\" rel=\"noopener nofollow\">GSM-R network<\/a>, which is basically GSM with all it\u2019s special aspects including SIM cloning, jamming, over the air software updates, SMS commands (with default PIN code 1234) and so on.<\/p>\n<p>Default credentials, or even hard-coded credentials are here and there in the railway networks. And of course, everything is interconnected and frequently connected to the Internet. The problem is, as one of SCADA StrangeLove researchers describes it, \u201cWhen you connect to the Internet, the Internet also connects to you.\u201d Which means that one can even find network appliances installed on board of actual trains with specialised Internet of Things search engines like <a href=\"https:\/\/en.wikipedia.org\/wiki\/Shodan_(website)\" target=\"_blank\" rel=\"noopener nofollow\">Shodan<\/a>.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"earth-2050\">\n<p>The study presented at Chaos Communication Congress is neither a ready-to-use hacking technique, nor even a complete list of vulnerabilities in some particular railway computer system. But it shows what probable malefactors would be looking for if they have decided to do some bad stuff with trains and what they could have found and exploited after even shallow analysis of the railway digital infrastructure.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">So <a href=\"https:\/\/twitter.com\/hashtag\/malware?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#malware<\/a> attacks against critical infrastructure are inevitable. What\u2019s next? <a href=\"https:\/\/t.co\/O8VqC30PiO\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/O8VqC30PiO<\/a><\/p>\n<p>\u2014 Eugene Kaspersky (@e_kaspersky) <a href=\"https:\/\/twitter.com\/e_kaspersky\/status\/514811301093052416?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">September 24, 2014<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>As any other instance of critical infrastructure, railway companies should implement IT security measures way more thoroughly. As Eugene Kaspersky said, \u201cI believe that now it is time to build safe infrastructure and industrial systems.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The modern rail system is basically a network of hundreds of different, but interconnected computers. Are these systems flawless security-wise?<\/p>\n","protected":false},"author":421,"featured_media":10947,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[1347,658,1349,97,422,1348],"class_list":{"0":"post-10946","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-32c3","9":"tag-internet-of-things","10":"tag-railways","11":"tag-security-2","12":"tag-threats","13":"tag-trains"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/train-hack\/10946\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/train-hack\/6463\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/train-hack\/6544\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/train-hack\/6486\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/train-hack\/7426\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/train-hack\/7146\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/train-hack\/10377\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/train-hack\/5874\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/train-hack\/6650\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/train-hack\/9968\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/train-hack\/10377\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/train-hack\/10946\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/train-hack\/10946\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/32c3\/","name":"32c3"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/10946","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/421"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=10946"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/10946\/revisions"}],"predecessor-version":[{"id":19290,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/10946\/revisions\/19290"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/10947"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=10946"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=10946"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=10946"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}