Hacking the Rail Network

gAtO ThInK – A professor at Darmstadt Technical University in Germany has warned that even unskilled hackers could paralyse a rail network by targeting railway switches with a ‘brute force’ cyber attack.

I've just seen too many train action movies, and some dumb kids may try it today: “if you can do it, they'll try and do it”.

Modules like the ASCI Terminal TRM-3aT USB (SMS cell broadcast) are the problem. When you can send a simple SMS command to a device and actions happen, well, write me a script for any crazy movie, stupid hack. Stop all trains in DC during rush hour, or how about Grand Central Station: send signals switching trains to different tracks, while texting momma. And let's not forget the good guys using it, like the BART Police you mentioned. When the train police have the power to stop free speech, I have a problem with that. Let's kick it up a pay grade please.

The prime target in the US railway system is hump yards. The prime target in Europe is the European Train Control System (ETCS) which uses GSM-R for communications.

US railroads have a number of control systems at different levels that parallel those of a manufacturing concern. At the top level are the planning systems that track car movements, reconcile between railroads for railcars on “foreign” roads, and plan trains and consists based on customer needs.

Huawei, Nortel and Siemens Transport Systems are three leading vendors of GSM-R equipment. Huawei has ties to the Chinese PLA and has been investigated by the “US Arms Service Committee” for putting hardware backdoors into digital infrastructure systems.

The next level takes the plans and implements them. One part makes up the trains: all freight trains except unit trains are put together at hump yards. The other part controls the movement of the trains: Centralized Traffic Control (CTC) and its successors (ETCS-like systems are gaining ground in the US). Communication between these two parts is primarily up to the next level and back down; train movements only depend on the consist when a particular type of car is not allowed on a particular section of track.

gAtOmAlO sAy's

The next level down is the actual train controls and the track controls. Controls within individual trains are centered on the locomotive(s), but they include braking controls. Track controls include switching, safety, and traffic management (the mechanism through which the CTC manages train movements). Communication between the trains and the tracks is common; various mechanisms are used, such as balises.

GSM-Rail (GSM-R)

Built on GSM technology, GSM-R is a secure platform for voice and data communication for railway security, services and communications. It is used as a layer on which security and train tracking applications run, as well as video surveillance, passenger information systems and cargo tracking. GSM-R is the standard for wireless railway communications in Europe, Asia and North Africa, replacing dozens of legacy standards in use prior to the development of GSM-R.

Positive train control is the most advanced type of control: the train is controlled by central management through track controls and communications. This has become a highly popular idea since the LA commuter train wreck, when the engineer was texting instead of driving the train. If one assumes that distracted engineers are the threat, positive train control makes sense. If one assumes that a computer adversary abusing the train control system is the threat, then PTCS is an adversary's dream.

The worrisome aspect of this is that these systems and the software structures under which they run are kept under a tight grip for “security reasons”. Hence, fewer experts and security amateurs are looking into the various possible flaws. I doubt that many companies (even Veracode) who offer code review for security issues support any kind of SCADA system, nor are they interested in supporting it, given the tight grip.

Yet, I can guarantee you that the “big players” (PwC, BEA, Northrop Grumman, etc.) have somehow managed to convince government agencies of the illusionist promise that they can audit the security of these systems at some ridiculous premium.

That leaves the interest of such systems and the control of them to the diehard fans, namely: foreign governments, foreign militaries and terrorists.

We’ve done one assessment of light rail, a passenger system in an Asian country. We’ve been unsuccessful in getting interest from the AAR or any of the actual railroads. The systems are relatively standard, and anyone can purchase them for RE. Like many control systems, the actual installations tend to be customized to the particular situation. I don’t see how rail systems could be harder to assess than oil refineries or the like. I do agree that beltway bandits charge a lot for superficial depth of experience.

What gets me is that this summer Lockheed was hacked (big-time), and the next thing they get is a SCADA contract from the government (unreal). Is this really the way it works in Washington? I looked into GSM and R-GSM, and the hardware is pretty much off the shelf; if everyone does things any old way, as Raymond mentioned, without standards, they are building more backdoors with every mile that’s modernized. How can a company come in and mitigate security issues when every company does it their own way?

There’s money to be made in doing security for the railroad.

After some interesting reading I found this out and want to share it with the class.

These are the different variants of the GSM 900 band:

PGSM: Primary GSM -> UL=890-915 MHz & DL=935-960 MHz
EGSM: Extended GSM -> UL=880-915 MHz & DL=925-960 MHz
RGSM: Railways GSM -> UL=876-915 MHz & DL=921-960 MHz

For more information on GSM Bands, checkout this link:
http://wireless.agilent.com/rfcomms/…d.php#BABCEHAJ

GSM uses the A5/1 cipher for over-the-air security:
http://en.wikipedia.org/wiki/A5/1
A5/1 is a stream cipher used to provide over-the-air communication privacy in the GSM cellular telephone standard. It was initially kept secret, but became public knowledge through leaks and reverse engineering.

A number of serious weaknesses in the A5/1 cipher have been identified.

So our normal cell phones are Primary GSM, so we cannot use a normal cell phone to hack RGSM: different frequency. But for a couple of hundred bucks one can be purchased. Just when gAtO thought gAtO knew it all ;>, they add this. Ah well, back to the drawing board, back to work. gAtO oUt
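An added example (not from the post or any vendor) that turns the band table above and the point about ordinary P-GSM handsets into code. It maps a GSM-900 channel number (ARFCN) to its uplink and downlink carriers using the standard 3GPP TS 45.005 numbering, which is an assumption beyond the post's table, and reports which variants cover it, so a spectrum-monitoring script can tell whether an observed carrier sits in the 876-880 MHz stretch that only R-GSM radios can use.

```python
"""GSM-900 band geometry: ARFCN <-> carrier frequency and band membership."""

# Uplink/downlink edges in MHz, copied from the band table in the post.
GSM900_BANDS = {
    "P-GSM": (890.0, 915.0, 935.0, 960.0),
    "E-GSM": (880.0, 915.0, 925.0, 960.0),
    "R-GSM": (876.0, 915.0, 921.0, 960.0),
}

DUPLEX_SPACING_MHZ = 45.0    # GSM-900 downlink carrier sits 45 MHz above its uplink
CHANNEL_SPACING_MHZ = 0.2    # 200 kHz carrier raster


def arfcn_to_uplink_mhz(arfcn):
    """Uplink carrier centre for a GSM-900 ARFCN (3GPP TS 45.005 numbering,
    assumed here; the post only gives band edges). Channels 0-124 run upward
    from 890 MHz; channels 955-1023 wrap round to sit below 890 MHz."""
    if 0 <= arfcn <= 124:
        return round(890.0 + CHANNEL_SPACING_MHZ * arfcn, 1)
    if 955 <= arfcn <= 1023:
        return round(890.0 + CHANNEL_SPACING_MHZ * (arfcn - 1024), 1)
    raise ValueError("ARFCN %d is outside the GSM-900 range" % arfcn)


def bands_covering_uplink(freq_mhz):
    """Names of the GSM-900 variants whose uplink allocation contains freq_mhz."""
    return [name for name, (ul_lo, ul_hi, _dl_lo, _dl_hi) in GSM900_BANDS.items()
            if ul_lo <= freq_mhz <= ul_hi]


def classify_arfcn(arfcn):
    """Describe one channel: both carriers, covering variants, and whether it lies
    in the stretch that only R-GSM radios (not a normal P-GSM handset) can use."""
    ul = arfcn_to_uplink_mhz(arfcn)
    bands = bands_covering_uplink(ul)
    return {
        "arfcn": arfcn,
        "uplink_mhz": ul,
        "downlink_mhz": round(ul + DUPLEX_SPACING_MHZ, 1),
        "bands": bands,
        "railway_only": bands == ["R-GSM"],
    }


def railway_exclusive_arfcns():
    """All GSM-900 ARFCNs whose uplink lies below the E-GSM edge at 880 MHz."""
    return [n for n in range(955, 1024) if classify_arfcn(n)["railway_only"]]


if __name__ == "__main__":
    for n in (1, 124, 975, 955):
        print(classify_arfcn(n))
    print("R-GSM-only channels:", railway_exclusive_arfcns())
```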

References:

http://www.gsmronline.com/documents/pdf/GSMR%20Maintenance%20Manual.pdf

http://en.wikipedia.org/wiki/A5/1

http://www.axellwireless.com/view/files/14-651/Axell%20Wireless%20Railway%20applications%20brochure.pdf

http://www.gsmr-info.com/gsmr-definitions.html

http://www.clearcincom.com/en/gsm-rail-case-study.cfm

http://www.gsm-rail.com/sites/default/files/documents/gsmrig_brochure.pdf

http://www.gsm-rail.com/activities

http://www.gsmronline.com/

http://en.wikipedia.org/wiki/GSM-R

http://www.ajasolutions.com/gsm-r.php