


The Great Chicago Ghost Train Mystery

Given the evidence, or lack thereof, a hack is clearly one of the easiest answers to the “ghost train” mystery. An even bigger, mind-boggling question: why did it take investigators three days to consider it as having been hacked?

CHICAGO - During Monday rush hour this week, a Blue Line train that was scheduled for repairs did a very mysterious thing: it moved without a conductor on board. After quietly and slowly maneuvering its way around the curves of the Forest Park train yard after being parked there for a week, the rogue machine passed through the Forest Park station, headed eastbound on a westbound track and climbed a hill before ramming into another train at Harlem station and injuring 30 people. The media is calling it “the ghost train” and investigators are completely baffled.

The incident is unlike any “veteran city rail workers say they have seen,” reports the Chicago Tribune, as multiple failsafes that should have stopped the train didn’t. The president of the local rail union, Robert Kelly, told CBS Chicago he’s never heard of anything like this in 27 years and called it a “great concern” considering “we have people working in these yards 24 hours a day, seven days a week.” To add more to the intrigue, the cameras facing the ghost train when it was parked in the yard that morning were not working. No one saw anyone leave the train after the collision, not the conductor in the train that was rammed or the Forest Park station supervisor who ran after the rogue train while radioing ahead.


It’s a puzzle investigators have been stuck on for days now, perhaps because they were originally looking in the wrong place. Nowadays, if you want to do something remotely, you can do so via the Internet of Things (IoT), where everything, including refrigerators, is becoming connected to the web. The rise of this machine-to-machine industry prompted Wired's Andrew Rose to write in January that “the IoT will unveil unprecedented security challenges: in data privacy, safety, governance and trust.”

In keeping with Rose’s prediction, Forbes journalist Kashmir Hill “haunted a complete stranger’s home” this July by turning the lights on and off in a “smart home.” A month earlier, University of Texas researchers took control of a yacht in the Mediterranean via GPS. At this year’s DEFCON, the annual hacker convention, two security researchers showed off their ability to disable the brakes in two cars, a Toyota Prius and a Ford Escape. While it’s not as easy as using your iPad to move a model train on a track, hacking a public transit train is certainly within the realm of possibility.

So how would a hacker do something as large as moving a train? For starters, through a supervisory control and data acquisition (SCADA) system. SCADA systems are widely used to monitor and maintain everything from air conditioners in a corporate building to nuclear enrichment centrifuges in Iran. They’ve been popular since the 1960s, but as common as they are, SCADA systems are still vulnerable to exploitation, much like their simpler IoT counterparts.


The CTA implemented their SCADA system in 2009 after getting a grant from Homeland Security (pdf) to do so. Many SCADA systems more or less put all data, monitoring and administrative controls into one interface, and it is systems like SCADA that make smartphone apps like the CTA Train Tracker possible. CTA’s current SCADA system, implemented by California-based company LightRiver Technologies after October 2012, includes video surveillance.

Hacking into the CTA’s system, then, would certainly explain why the ghost train was able to release its brakes at the Forest Park train yard, maneuver the curves without crashing into anything while there, and even bypass the CTA safeguards and disable the cameras that should have recorded the beginning of the incident.

Don A. Bailey, one of the founders of the security, privacy and engineering firm Capital Hill Consultants, wrote via email “a system compromise leading to this event is absolutely possible.” Given that the CTA’s system was relatively new, “there is a chance that controls enforcing confidentiality and integrity of data may not have been enabled or verified” which “may lead to the subversion of administrative capabilities” wrote Bailey.

“Until we know more,” Bailey added, Capital Hill was unwilling to speculate further on the ghost train being an “incident caused by malicious intent.”

On Tuesday, when LightRiver Technologies was contacted for a comment on whether or not their system was breached, the receptionist was unaware a train on their system had even malfunctioned. A follow-up on Wednesday was directed immediately to Patrick Dailey, the marketing manager at LightRiver Technologies, who said they were “unable to comment” on their code or systems due to “the ongoing investigation.” Calls to the Mayor’s office in Forest Park (fielding calls for the police department) and the National Transportation Safety Board (fielding calls for the CTA) went unreturned.

Investigators aren’t saying anything, but it is clear LightRiver Technologies was not part of the investigation until after Tuesday.

Given the evidence, or lack thereof, a hack is clearly one of the easiest answers to the ghost train mystery. An even bigger, mind-boggling question: why did it take investigators three days to consider the ghost train as hacked?