I know nothing about train architecture, but are the brakes really likely to be network-accessible?
Hacking train Wi-Fi may expose passenger data and control systems
Vulnerabilities on the Wi-Fi networks of a number of rail operators could expose customers' credit card information, according to infosec biz Pen Test Partners this week. The research was conducted over several years, said Pen Test's Ken Munro. "In most cases they are pretty secure, although whether the Wi-Fi works or not is …
COMMENTS
Friday 11th May 2018 14:17 GMT theModge
If you want to talk to the actual operational bits of a train rather than monitoring or customer entertainment you'd be better off with an RS232 or RS485 dongle rather than twatting about with Ethernet. Apart from anything else, when most of our current rolling stock was designed the sort of microprocessor that did Ethernet was not the sort of microprocessor you had doing engine control. CCTV and other more recently fitted stuff might use the same connection though.
Saturday 12th May 2018 08:35 GMT Anonymous Coward
At least three people disagree with you :)
@theModge: "If you want to talk to the actual operational bits of a train rather than monitoring or customer entertainment you'd be better off with an RS232 or RS485 dongle rather than twatting about with Ethernet. Apart from anything else, when most of our current rolling stock was designed the sort of microprocessor that did Ethernet was not the sort of microprocessor you had doing engine control. CCTV and other more recently fitted stuff might use the same connection though."
Friday 11th May 2018 19:36 GMT TRT
The brakes on my train are controlled by either the driver or, for emergency application only, by a radio signal at 64.25 kHz followed by another a few seconds later at 65.25 kHz or at 66.25 kHz and 65.25 kHz together. I wonder if there was confusion between AWS and AWS? One's cloud, the other's loud.
Sunday 13th May 2018 14:00 GMT paulf
@TWT @Tony W
The system that uses 64-odd kHz is TPWS, a safety system that is designed to mitigate the consequences of a train passing a red signal. It is an improvement on AWS (in that it can mitigate going too fast and doesn't rely on the driver if the train doesn't stop at a red signal) but not as comprehensive as ETCS/ATP. In most cases up to 70mph (100mph for TPWS+) it can stop the train with an emergency brake application before it becomes a problem (i.e. within the signal overlap), but even if the train doesn't stop in time it can still reduce the consequences of what happens next.
TPWS uses the two aerials in the four foot (the space between the rails) and a sensor on the train. AWS (the train one not the cloudy one) uses a unit with two magnets (one permanent one electro) which sits in that yellow ramp looking thing also in the four foot. This gives a warning to the driver when approaching a signal showing a restrictive aspect (single yellow, double yellow or red i.e. not green) and can make an emergency brake application if the driver doesn't acknowledge it within 2.7s. If the driver does acknowledge an AWS warning s/he takes the consequences of not reacting accordingly as AWS will take no further action.
You could potentially hack either but only by getting into the signalling system proper.
Friday 11th May 2018 14:29 GMT Starace
Security researcher clickbait
You really need to introduce some editorial control over reporting this 'researcher' bollocks.
Yet again we have someone who has done some minimal prodding on a hotspot, found some minimal vulnerability in a wifi billing system and then, based on nothing more than utter ignorance, spun this into some sort of critical systems vulnerability because there's a hotspot and it's on a train.
Just another variation on the theme of "I hacked a plane by plugging into the infotainment but have no evidence to back my technically impossible assertion but please give me lots of coverage"
99.9% of these stories are total bullshit by people trying to get publicity because they're idiots and don't know they're talking bollocks.
Friday 11th May 2018 14:52 GMT 's water music
Re: Security researcher clickbait
Just another variation on the theme of "I hacked a plane by plugging into the infotainment but have no evidence to back my technically impossible assertion but please give me lots of coverage"
Yeah sure but can you be certain that would not be possible to bridge from the train ethernet to the nuclear launch codes? Ok he may not be able to but CAN WE AFFORD TO RISK IT? Also what if the researcher had been a PAEDO?
I've started already-->
Friday 11th May 2018 16:42 GMT Jason Bloomberg
Re: Security researcher clickbait
You really need to introduce some editorial control over reporting this 'researcher' bollocks.
And preferably before Ben-Gurion University comes along with some wank about how to exfiltrate passenger data by speeding up and slowing down the train to generate a bit stream which can be observed using a satellite-borne camera.
Sunday 13th May 2018 04:07 GMT Jamie Jones
Re: Security researcher clickbait
He should have gone for "hack the accelerator" - far more scary than "hacked the train to be able to do an emergency stop" - especially when there are pull-cords throughout the train to do the very same.
"Can stop a train without needing a ticket" isn't a very catchy headline.
Sunday 13th May 2018 12:03 GMT Anonymous Coward
Re: Security researcher clickbait
"He should have gone for "hack the accelerator" - far more scary than "hacked the train to be able to do an emergency stop" "
Toyota have already been there done that with the accelerator and yet there's remarkably little visible coverage outside specialist circles. Search for e.g. "koopman unintended acceleration toyota devops".
may lead to e.g.
"Investigations into potential causes of Unintended Acceleration (UA) for Toyota vehicles have made news several times in the past few years. Some blame has been placed on floor mats and sticky throttle pedals. But a jury trial verdict found that defects in Toyota's Electronic Throttle Control System software and safety architecture caused a fatal mishap. This verdict was based in part on a wide variety of computer hardware and software issues. In this TSP Symposium 2014 keynote presentation, Philip Koopman outlines key events in the still-ongoing Toyota UA story and pulls together the technical issues that have been discovered by NASA and other experts. The results paint a picture that should inform not only future designers of safety-critical software for automobiles but also all computer-based system designers."
Then again you may have to remove my devops reference, depending on the search engine you choose ;)
Friday 11th May 2018 19:04 GMT FuzzyWuzzys
Re: Security researcher clickbait
"99.9% of these stories are total bullshit by people trying to get publicity because they're idiots and don't know they're talking bollocks."
No, they're simply spouting alarmist bollocks in the hope they'll get in the Daily Fail next week. The company name splashed all over the dailies, right in front of loads of numpty middle managers? Holy heck, you can't buy quality PR like that; well, you can, but not at the price Pen Test Partners are likely to be able to afford on a national scale.
While I don't doubt there is a grain of truth in some of this, the fact that Mr Munro stated his points in nice, neat sound-bite sized sentences that even Vinnie Jones completely pissed could understand rings my bullshit-o-meter off the wall. Easy Sun/Daily Fail/Mirror formatted twaddle that fits neatly into Twitter 140 char limited messages, so it can be broadcast over the media wires quickly and get attention in the worldwide media. It's a classic media phishing, PR bullshit exercise.
Friday 11th May 2018 14:39 GMT tiggity
train wifi should be free
Then there is no need to store people's details on their system.
After all the tickets are expensive enough!
Caveat - I try and avoid public WiFi (free or paid for) as you can never be sure of how secure it is. If I must use it I go in VPNed up to the eyeballs & do nothing sensitive.
Saturday 12th May 2018 20:11 GMT bombastic bob
Re: train wifi should be free
MITM would be easy to do on a train. As a joke, once, I set up my laptop [years ago] on a commuter train, when there was NO wifi available on the trains, so that my laptop was an access point (easy with FreeBSD or Linux). At least one laptop near me tried to connect to me.
So yeah MITM in a train car would be EASY. Also as you stop at various stations, sometimes the nearby wifi is 'connectable' for a minute. Might be long enough to 'burst transfer' something. Windows boxen are often SO prolific at connecting to "something" when people leave their wifi on.
And setting MITM up with a Linux or BSD laptop is somewhat trivial. You could even hook well-known IP addresses like 8.8.8.8 for google's DNS [for example], in case someone hard-codes the IP address for DNS rather than relying on DHCP.
So, yeah, watch your certs and ssh fingerprints when you're on any kind of public wifi! [or else 'they' will]
Friday 11th May 2018 18:45 GMT Steve Davies 3
RE: Class 142/144
Ah, the Leyland buses on rails.
They'll be gone soon as they don't comply with Disability Regulations.
Sad really, because the seats on those Class 7** and 8** trains are about as comfortable as a plank of wood[1]. Be careful what you wish for.
[1] The original Liverpool and Manchester Railway carriages had planks of wood in open trucks for passengers to sit on. Looks like we are going back to 1830.
Saturday 12th May 2018 07:25 GMT Fruit and Nutcase
Re: RE: Class 142/144
Ah, the Leyland buses on rails.
I can't remember who the presenter was, but remember seeing the Pacer units being covered on Tomorrow's World on BBC1 - in the days of Michael Rodd. The handling and ride quality issues of these stem from the fact that they have only single axles at each end of the carriage as opposed to a double axle bogie.
Friday 11th May 2018 16:19 GMT Tony Gathercole ...
Digital Railway (Yes, really)
Actually, while one obviously hopes that there's no basis for worries about interaction between public-facing Wifi and internal train management systems, it has to be said that recent rolling stock is heavily reliant on digital systems rather than older (physical or analogue) controls. Examples of this type of train would include the Thameslink class 700 (but that's safe 'cos DfT excluded Wifi from the specification), the Crossrail (Elizabeth Line) class 345 Aventra from Bombardier and the various classes 800/801/802 Hitachi electric / bimodes on GWR and to be introduced on the East Coast Mainline, TransPennine Express and Hull Trains over the next few years.
In addition, we're seeing the first stages of ETCS (level 2 and above) implementations starting to introduce on-board electronic signalling which will in time replace the conventional line side colour light signals across Network Rail. On the Thameslink core route (between St. Pancras International and Blackfriars) ATO (Automatic Train Operation) will be "driving" the trains in order to meet the planned increase in throughput in the next year or so. Not that ATO is in any way new, as it's been used on metro systems throughout the world, and in a simplistic form since its opening in 1967 on the London Underground Victoria line.
Not in a position to comment on how much security has been baked into the designs of these highly complex systems. Doubtless there will be those among this community who may be able to comment further.
Saturday 12th May 2018 20:20 GMT Ken Moorhouse
Re: Digital Railway (Yes, really)
I've worked on both sides of the industry (signal engineering and train-borne equipment), albeit a long time ago. (Your name rings a bell for some reason, have you worked for LUL?). The fail-safe principles underlying the Victoria line equipment (correct me if I'm wrong) are based on resonant frequency circuitry. If a well-defined pulse of a certain frequency is received then it effectively energises a switch enabling a train to move within a certain speed range, or to coast. Without the code being detected, the train stays where it is. If code is lost, the brakes are applied. Unlike car traffic where the driver of the car behind takes a chance on the bloke in front braking suddenly, the railway signalling system is designed to ensure that there is adequate distance for the train behind to brake with no chance of hitting the other train. This is all automatic, even if the driver were to collapse at the controls, safety is assured.
I seem to remember the ETT (Experimental Tube Train) planned to use Intel 4040 CPUs, because I remember trying to suss out the Assembler code for it. LUL were extremely cautious about microprocessors in those days, to the extent of insisting that whatever CPU was used for production systems was 2nd sourced by a different manufacturer, so there was not total reliance on Intel. I think IBM was a second source for early 8-bit CPUs. The use of TTL was frowned upon by the development section I worked with (spiky, high-current, electrically noisy), with preference for CMOS for its higher noise immunity. Usually anything involving CPUs was "front-ended" with relays (train-borne equipment) or with mechanical interlocking frames and/or relays (trackside signalling). Even the frequency of the relays used for trackside use was specially designed to run on 125Hz (33Hz previously) AC, 125Hz being not harmonically related to the industrial 50Hz standard, meaning high noise immunity. The principle of electricity flowing = potentially ok (sorry, tripped over a pun there), no electricity = Whoa! Stop! was engraved into everyone's sub-conscious.
In summary, the Underground is an incredibly safe way to get from A-B.
Friday 11th May 2018 16:36 GMT LeahroyNake
Separate WIFI
'Completely isolated, physically separate hardware for passenger Wi-Fi is preferable.'
It probably is separate and the contract given to the lowest bidder. This is not news, if anything you can bet an outfit like crapita is involved and it is totally separate from the running of the train systems and implemented at great cost when a conjoined secure system that actually works could be designed and implemented for 1/4 the cost if the people on this forum had input.
Friday 11th May 2018 17:16 GMT DNTP
Simple way to break/brake a train using WiFi
Obtain a burner phone or mobile hotspot. Set up a discoverable WLAN named something threatening like "Bonmb on Trian". Wait until someone sees it on their phone. During the chaos of the emergency evacuation, lift some wallets or something.
If a single wifi device can take planes out of the sky, it'll shut down a train. And when somebody does this in a plane or airport out of reckless stupidity or thinking its a great prank, the authorities usually can't even figure out who did it!
Disclaimer: don't actually do this.
Friday 11th May 2018 20:57 GMT Stoneshop
Re: Simple way to break/brake a train using WiFi
Even simpler: anonymously call the train operator that a radicalised person has boarded. Worked well enough for a train headed for Berlin from Amsterdam, couple of months ago. Except that the caller wasn't thorough enough regarding the 'anonymously' part, but that only bit him a couple of weeks later.
Friday 11th May 2018 21:49 GMT Anonymous Coward
Routers, Routers, Routers
Would it be any good for Gov enforcing a new design for routers utilised in any infrastructure project.
Hardened routers, No-Wifi-admin and No-remote-admin.
Separate routers for public access that only connect to public networks.
& Encryption:
It's mind-boggling that infrastructure is on any public network, or that it is using accessible devices or even the same system type, without strong encryption. Encryption needs to be stronger than the time the longest trip takes. How long are passengers (potential hackers) on the train for? Perhaps the length of a Chunnel trip France-England.
Saturday 12th May 2018 08:11 GMT SloppyJesse
Re: Routers, Routers, Routers
>Would it be any good for Gov enforcing a new design for routers utilised in any infrastructure project.
Doubt it - because, um, government
>Hardened routers, No-Wifi-admin and No-remote-admin.
No remote admin? So you want any changes to be made by the train assistant? Or require a trip to the depot?
>Separate routers for public access that only connect to public networks.
At some point the 'private' stuff on the train is going to need to reach out across t'Internet. Unless you're suggesting the railways build a private wireless infrastructure for their trains? (which might not always have been as mad as it sounds - I recall stories of proposals in the early days of mobile for just that since they had a huge wired commas network for trackside)
>Encryption needs to be stronger than the time the longest trip takes. How long are passengers (potential hackers) on the train for? Perhaps the length of a Chunnel trip France-England.
Is that a joke? Takes me longer to get to London from the Midlands than the Eurostar. Maybe London -> Scotland. There's a reason you can get a bed!
Saturday 12th May 2018 18:00 GMT David 132
Re: Routers, Routers, Routers
Justin Case >>I recall stories of proposals in the early days of mobile for just that since they had a huge wired commas network for trackside
Imagine if someone hacked that. What an apostrophe!
That would certainly give a period of chaos and would be a dire critical situation.
Saturday 12th May 2018 17:23 GMT Anonymous Coward
Re: Routers, Routers, Routers
you'd be amazed what waits until back at depot :)
Having worked on a project to integrate some limited networking capabilities into an older train, the biggest risk I saw was not the tech, it was the procurement policy. Vendors could "prove" their security capabilities simply by having staff who had passed the right exams, and that was enough: third-party testing too expensive, internal testing might mean slippage, and commercial would typically over-rule technical anyway.
Sunday 13th May 2018 12:52 GMT Anonymous Coward
Re: BR S+T
[Ignoring the spurious comma stories for now]
Some readers might be interested in
https://www.railengineer.uk/2015/08/12/uk-railway-telecommunications-2015-update/
by Clive Kessell BSc CEng FIET FIRSE
Note the brief mention of a radical concept, now lost in the mists of history, of an outsourced service provider paying a *significant* penalty if their service didn't match the agreed standards. Good job that never caught on, eh chaps, otherwise IT cheapsourcing would never have made us middlemen any money.
"[...]
The UK history of rail telecommunications over the past twenty years has been somewhat traumatic. From the earliest days, the railways were permitted to run their own telegraph systems by the then Post Office monopoly because of the operational necessity that these provided. This status quo existed for around 150 years until the Thatcher government sought to liberalise telecoms firstly with the duopoly (BT and Mercury) and latterly to any company that could provide the right credentials.
Under rail privatisation plans, the extensive railway telecom network was formed into a separate grouping – British Rail Telecoms (BRT) – and sold firstly to Racal Electronics and from there to either Global Crossing (now Level 3) for the main networks or to Thales for everything else.
None of these private companies really understood what they were buying and became increasingly nervous when the performance and safety requirements plus some embarrassing failures invoked penalties that questioned the value of the services they now owned.
[...]"
Saturday 12th May 2018 04:02 GMT Anonymous Coward
Trivial exploit
An obvious attack vector is to take over the train control system and play pr0nz on the driver’s display. Distracted by the smut, he'll miss the red signal and the train, packed with orphan children on a trip to the seaside, will wreck. Will somebody please think of the orphan children!
Sunday 13th May 2018 14:48 GMT Anonymous Coward
Keep It Simple, Stupid
There's a much lower-tech method of stopping a train, and the risk of you personally getting caught is slight enough to justify sticking around to watch it happen. Just print up some self-adhesive labels with the word FLUSH on them, and discreetly affix one of these next to the emergency handle in every toilet compartment on the train. Sooner or later, one of them will get pulled.
Anyone who has just been is in a temporary state of bliss, operating on autopilot and easily suggestible, so they are much more likely to fall for it. Even if immediately before they began their business, they were thinking Hah! Who the hell were they expecting to fool with a stunt like that?
Wearing the mask, just in case .....
Sunday 13th May 2018 21:58 GMT Anonymous Coward
Really?!
"Completely isolated, physically separate hardware for passenger Wi-Fi is preferable"
But... completely necessary, given the correct configuration! How hard is it to set some goddamn basic firewall rules and a couple of VLANs!? On most *consumer* grade routers you can turn on Wireless Client Separation as well as create firewall rules. Nobody on the public WiFi should be able to log into the router, regardless. Just sounds like a piss-poor setup to me.
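As an added illustration of the separation the "Routers, Routers, Routers" and "Really?!" comments above are asking for (a passenger VLAN that can only reach the uplink, no router admin from the Wi-Fi side, no remote admin from the uplink), here is a gateway ruleset written for this thread; it is not from the article, Pen Test Partners, or any operator's equipment, and the interface names and address ranges are assumptions.

```nftables
# Hypothetical on-board gateway; interface names and subnets are constructed for this example.
#   vlan10 = passenger Wi-Fi, vlan20 = operational/management network, wan0 = cellular uplink.
define PAX_IF  = "vlan10"
define OPS_IF  = "vlan20"
define WAN_IF  = "wan0"
define PAX_NET = 10.10.0.0/16
define OPS_NET = 10.20.0.0/24

table inet train_gw {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif "lo" accept

        # The passenger VLAN may only talk to the gateway itself for DHCP and DNS.
        # Nothing here opens SSH/HTTPS from the Wi-Fi side ("No-Wifi-admin").
        iifname $PAX_IF udp dport { 67, 53 } accept
        iifname $PAX_IF tcp dport 53 accept
        iifname $PAX_IF counter drop

        # Management only from the operational VLAN, and only from its own subnet.
        iifname $OPS_IF ip saddr $OPS_NET tcp dport 22 accept

        # Nothing on the uplink may reach the gateway's services ("No-remote-admin").
        iifname $WAN_IF counter drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept

        # Passenger traffic is routed to the Internet and nowhere else;
        # the daddr check stops a passenger addressing the operational subnet via the uplink.
        iifname $PAX_IF oifname $WAN_IF ip daddr != $OPS_NET accept

        # The gateway never forwards passenger-to-passenger traffic; the access point's
        # client isolation setting covers clients on the same SSID.
        iifname $PAX_IF oifname $PAX_IF counter drop

        # No path in either direction between the passenger and operational VLANs.
        iifname $PAX_IF oifname $OPS_IF counter drop
        iifname $OPS_IF oifname $PAX_IF counter drop

        # Operational hosts reach the uplink only from their own subnet.
        iifname $OPS_IF oifname $WAN_IF ip saddr $OPS_NET accept
    }
}
```

With a default-drop policy on both chains, the explicit drop lines are redundant but make the intended separation visible in the counters when auditing the box.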