A team of researchers has analyzed modern railway systems and they’ve determined that it would not be difficult for a motivated attacker to pull off a cyber “train robbery.”
Sergey Gordeychik, Alexander Timorin and Gleb Gritsai of SCADA StrangeLove, a research group focusing on the security of ICS/SCADA systems, disclosed their findings on Sunday at the 32nd Chaos Communication Congress (32C3) in Germany.
Modern railway systems rely on a wide range of digital equipment. For example, the train itself uses cab signaling, traction control systems, automatic train control (ATC) systems for controlling the train and directing operators, protection systems, and passenger information and entertainment systems.
Waysides and train stations rely on digital systems for computer-based interlocking (CBI), centralized traffic control, level crossing protection, and switching yard automation. Digital systems are also used in traction substations, and in ticket/passenger information systems.
Gordeychik told SecurityWeek that they have analyzed various components of a railway system in an effort to raise awareness of the existing security weaknesses and force governments, vendors and operators to review their approach to railway cyber security.
Part of the SCADA StrangeLove team’s research was conducted on behalf of railway companies from around the world that wanted to get a clear picture of the cyber security of their digital assets. This part of the research is under an NDA so the experts cannot share detailed information.
“We worked with operators for 3 years and at the beginning there was a lot of scepticism, but now they understand the threats,” Gordeychik said via email.
In the public part of the research, experts worked with operators and organizations like the European Network and Information Security Agency (ENISA) to improve the security of railway systems.
SCADA StrangeLove researchers identified security issues in several interlocking and train control devices, and more than 10 transport network devices. Based on their analysis, experts determined that railway systems are not difficult to hack, but the task does require specific knowledge in railway automation and a testbed.
There is also the question of motivation. Hacktivists and profit-driven cybercriminals are unlikely to target railways, but the situation is different when it comes to state-sponsored actors, Gordeychik explained.
The researchers have highlighted that while the software used for railway systems is generally not publicly available, their tests have been conducted on real-world installations, and the conclusion was that these systems are “not OK.”
Railway System Vulnerabilities
In their presentation at 32C3, SCADA StrangeLove researchers detailed SIBAS, a train protection system that is widely used in many European countries. SIBAS uses Siemens SIMATIC components, such as the WinAC RTX controller, which is designed for PC-based automation solutions.
Experts have pointed out that WinAC RTX has several security weaknesses, including the ability to control the device without authentication, and the use of known protocols such as XML over HTTP, which makes it possible to create tools for controlling the device.
Another railway component analyzed by researchers is computer-based interlocking (CBI), a signaling system designed to prevent the setting up of conflicting routes.
Experts believe there are three types of threats when it comes to CBIs: safety, economics and reliability. If an attacker can gain access to such a system, they can cause physical damage by changing a switch while a train is passing over it or by setting up conflicting routes. Causing a CBI component to crash, blocking controls or providing false information can have a negative impact on the operator’s revenue. Finally, causing the communications network to crash can affect the system’s reliability.
Attacks against CBI can be conducted by a malicious actor who has physical access to the system or by using social engineering to trick someone with access to the system into executing malicious code (e.g. by inserting a malicious USB drive).
Using publicly available information, experts determined that in many cases physical security is “terrible.” Furthermore, access passwords are sometimes displayed on post-its that anyone can see (e.g. a documentary about the railway system in the UK captures a username and password written down on pieces of paper stuck to a monitor).
An attacker can also target the communications systems that connect various components of the CBI with each other and with the outside world.
In some countries, such as India and Germany, there are companies that specialize in telecommunications for railways. In Germany, DB Netze provides special GSM-R SIM cards that are used to connect trains to control centers.
These SIM cards have good encryption, but a malicious actor could attempt to jam the connection between the train and the control center using a GSM jammer. Researchers have pointed out that in areas where certain levels of the European Train Control System (ETCS) are used, trains automatically stop if the connection between the train’s modem and the control center is lost. This means that an attacker who can jam the connection can cause a train to stop.
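The failure mode described above, a train stopping because its GSM-R link to the control center is lost, gives a defender one useful signal: a single train losing its link is most likely a modem or coverage fault, while several trains in the same cell losing their links within a short window is the pattern a jammer (or a cell outage) would produce and is worth investigating. The following is an added example, not code from the researchers or from any operator; the log format, the cell and train identifiers and the two-minute window are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption): one link event per line as emitted by
# a hypothetical control-center GSM-R monitor. Not a real vendor format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) train=(?P<train>\S+) cell=(?P<cell>\S+) event=(?P<event>\S+)$"
)

# Constructed sample log: three trains drop in cell DE-4711 within two minutes,
# one isolated drop in DE-0815, one malformed line, one unrelated restore event.
SAMPLE_LOG = [
    "2015-12-27T09:30:00Z train=IC77 cell=DE-0815 event=LINK_LOST",
    "2015-12-27T09:30:45Z train=IC77 cell=DE-0815 event=LINK_RESTORED",
    "2015-12-27T10:01:03Z train=ICE101 cell=DE-4711 event=LINK_LOST",
    "this line is corrupt and must be skipped",
    "2015-12-27T10:01:40Z train=RE22 cell=DE-4711 event=LINK_LOST",
    "2015-12-27T10:02:10Z train=RB7 cell=DE-4711 event=LINK_LOST",
    "2015-12-27T11:00:00Z train=RE22 cell=DE-0815 event=LINK_LOST",
]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_cell_wide_link_loss(lines, window=timedelta(seconds=120), min_trains=2):
    """Return one alert per cell in which at least `min_trains` distinct trains
    reported LINK_LOST inside any `window`-long interval.

    Isolated losses (one train) are ignored: they are far more likely to be a
    modem fault than interference affecting the whole cell.
    """
    losses = defaultdict(list)  # cell -> [(timestamp, train), ...]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["event"] == "LINK_LOST":
            losses[rec["cell"]].append((rec["ts"], rec["train"]))

    alerts = []
    for cell, events in losses.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # Distinct trains that lost their link within `window` of event i.
            trains = {tr for ts, tr in events[i:] if ts - t0 <= window}
            if len(trains) >= min_trains:
                alerts.append({"cell": cell, "start": t0, "trains": sorted(trains)})
                break  # one alert per cell is enough to trigger investigation
    return alerts


if __name__ == "__main__":
    for alert in detect_cell_wide_link_loss(SAMPLE_LOG):
        print(f"cell {alert['cell']}: {len(alert['trains'])} trains lost link "
              f"from {alert['start']:%H:%M:%S}: {', '.join(alert['trains'])}")
```

The heuristic cannot tell deliberate jamming from an ordinary coverage outage; its purpose is to turn a cluster of simultaneous stops into an alert that reaches a human quickly, rather than being diagnosed train by train.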
According to the researchers, another problem with GSM-R is that some handsets have a feature that can be used to manage the devices via SMS. An authentication feature that relies on a PIN is used to prevent abuse, but the default code is 1234 and researchers believe engineers rarely change it. Over the air (OTA) management features present in some GSM-R equipment also introduce security risks, especially since some support OTA firmware updates.
The modems used for GSM-R could also be vulnerable to the types of mobile modem attacks disclosed by Positive Technologies researchers — some of whom are members of the SCADA StrangeLove team — in early December. As demonstrated by experts at the time, an attacker who can compromise a modem, for example by using a malicious firmware update pushed via OTA, could also hack the host the modem is connected to.
In the case of railway systems, an attacker who can compromise the modem could then hijack the automatic train control system, which can allow them to control the train.
Modern trains also have entertainment systems, passenger information systems, intercoms, IP cameras and wireless access points, and these systems can also pose a risk because they all operate via one communications channel.
Researchers analyzed various devices from vendors like Bintec, Digi, Moxa, NetModule and Sierra Wireless that are used in railway systems. One concern with these devices is that their firmware in many cases includes hardcoded private keys for SSL certificates and remote administration features. This exposes supposedly secure communications to man-in-the-middle attacks and allows attackers to remotely log in to a device. Attackers can also use the exposed keys to fingerprint devices and attempt to find equipment that is accessible over the Internet using services like Shodan and Censys.
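An operator can check for the hardcoded-key problem above before a device is deployed: carve every PEM block out of a firmware image, fingerprint the key material, and compare fingerprints across the images (or device models) in the fleet. A private key that turns up in more than one image is by definition not unique to a device, so any TLS session or admin login that relies on it can be impersonated by whoever else holds that image. The code below is an added example, not from the researchers or from any of the vendors named; the firmware images are constructed byte strings with made-up PEM contents, and the file names are placeholders.

```python
import base64
import hashlib
import re
from collections import defaultdict

# Any PEM block: the END label must match the BEGIN label (backreference \1).
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def fingerprint(raw: bytes) -> str:
    """SHA-256 over the DER bytes of a PEM block's payload."""
    return hashlib.sha256(raw).hexdigest()


def extract_pem_blocks(blob: bytes):
    """Return [(label, fingerprint)] for every well-formed PEM block in blob.

    Corrupt or truncated blocks (invalid base64) are skipped rather than raised,
    because a firmware image is mostly binary noise around the blocks we want.
    """
    found = []
    for m in PEM_RE.finditer(blob):
        label = m.group(1).decode()
        body = re.sub(rb"\s+", b"", m.group(2))
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:
            continue
        found.append((label, fingerprint(der)))
    return found


def find_shared_private_keys(images: dict):
    """Map private-key fingerprint -> sorted image names, keeping only keys that
    are embedded in more than one image (i.e. not unique per device)."""
    owners = defaultdict(set)
    for name, blob in images.items():
        for label, fp in extract_pem_blocks(blob):
            if "PRIVATE KEY" in label:
                owners[fp].add(name)
    return {fp: sorted(names) for fp, names in owners.items() if len(names) > 1}


def _pem(label: str, raw: bytes) -> bytes:
    """Helper to build constructed PEM blocks for the sample images below."""
    b64 = base64.b64encode(raw).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n".encode()


# Constructed sample material: these bytes are NOT real keys or certificates.
SHARED_KEY = b"constructed demo key bytes, not a real RSA key " * 3
UNIQUE_KEY = b"another constructed key that appears in one image only"
DEMO_CERT = b"constructed certificate bytes"

# Constructed firmware images (placeholder names); two of them ship the same key.
FIRMWARE_IMAGES = {
    "router-a-v1.bin": b"\x7fELF\x01\x02" + _pem("RSA PRIVATE KEY", SHARED_KEY)
                       + _pem("CERTIFICATE", DEMO_CERT) + b"\x00" * 8,
    "router-b-v2.bin": b"\xde\xad" + _pem("RSA PRIVATE KEY", SHARED_KEY) + b"\xbe\xef",
    "gateway-v3.bin": b"\x00" * 4 + _pem("PRIVATE KEY", UNIQUE_KEY),
}


if __name__ == "__main__":
    for fp, names in find_shared_private_keys(FIRMWARE_IMAGES).items():
        print(f"private key {fp[:16]}... shared by: {', '.join(names)}")
```

The same fingerprints can be compared against the certificate a live device presents, which is the check that tells you whether the key baked into the image is actually the one in use on the network rather than a leftover from a build directory.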
Devices used in railway systems can be exposed to attacks due to the use of default credentials, and researchers have also found RCE vulnerabilities.
According to experts, some of the devices that have a USB port have the Autorun feature enabled. This feature is designed to enable engineers to easily perform software and configuration updates, but it also introduces security risks.
Researchers pointed out in their presentation at 32C3 that while railway systems appear to be isolated from the Internet, an attacker can use the security holes present in various components to reach critical systems remotely.