In a talk at Chaos Communication Congress, researchers outline a long shopping list of problems with railroad systems.
Image: Daniel Schwen
The well-being of critical infrastructure and transportation has long been the elephant in the room when it comes to cybersecurity: plenty of researchers have warned about the possibility of attacks on power-plants, the national grid, and, more recently, even the emergence of internet connected cars.
Now, researchers are warning of the gaping holes in the security of railroad systems. On Sunday at Chaos Communication Congress, a security, arts and politics conference held annually in Hamburg, Germany, members of the SCADA StrangeLove collective presented a long list of problems with railroad systems that attackers could exploit.
For hackers, "it's absolutely easy," to abuse some of these vulnerabilities, Sergey Gordeychik, one of the researchers, told Motherboard. Gordeychik presented alongside Aleksandr Timorin, and 'repdet'. SCADA StrangeLove is a collective of security researchers, who, entirely separately from their day jobs, hunt out vulnerabilities in industrial control systems. Last year, the group presented on issues with green energy infrastructure.
While Gordeychik said that some of the problems were easy to exploit, for others an attacker would need a fairly in-depth knowledge of railroad systems, as well as some of the idiosyncrasies and protocols used. Indeed, Gordeychik has been educated as an electrical engineer in railway automation, he said.
Overall, many of the problems revolve around automated systems in railroad networks; that is, parts of the train or infrastructure that were previously manually or mechanically driven—such as signals or locks—and which are now governed by computers. For context, the Eurostar, a popular high-speed train between Paris and London uses seven different automated systems.
Modern railway systems "tend to be internet connected," repdet told Motherboard.
But it's important to note that the researchers did not point at any specific trains when discussing any of the problems, and they purposefully did not discuss the vulnerabilities in any great detail. Instead, the trio gave a wide-spanning overview of the sort of issues that can be found within modern railroad systems writ-large.
The issues included lack of authentication protections, systems using very old operating systems, and hard-coded passwords for remote access.
There are also worrying design choices in the trains themselves, such as having entertainment devices for customers and engineering systems on the same network, meaning that accessing the former may lead to a compromise of the latter.
"A lot of devices work on the same channel: like engineering equipment and user systems," Timorin said.
"All the vendors are working very hard to fix the situation." repdet added.
However, with all this being said, the railroads aren't screeching to a halt, yet. One of the reasons that hackers seemingly haven't taken advantage of any of these vulnerabilities is because at least some of them require time to really dig into.
"People probably hack into them," repdet said, "but they don't have an opportunity to conduct security research to understand," what exactly they're dealing with.
As for the ones that are easier to exploit, there isn't an obvious way for entrepreneurial cybercriminals to really make much money out of hacking a train. Barring extortion campaigns, it isn't clear why a money-driven hacker would bother investing any resources into attacking a railroad system.
Perhaps there is a chance that railroads would be more of a target for nation-state hacks. Indeed, earlier this week, the Wall Street Journal reported that Iranian hackers had breached a dam in 2013. It's not beyond the realm of possibility that state-sponsored hackers would next time choose to poke around a rival nation's railroad system instead.