Irked train hackers talk derailment flaws, drop SCADA password list

A trio of Russian hackers say core flaws in rail networks are opening trains to hijacking and derailment and have published dozens of hardcoded industrial control system credentials to kick vendors into action. Sergey Gordeychik (right), Gleb Gritsai, and Aleksandr Timorin (rear). Industrial control specialist …

  1. jake Silver badge

    Who the fuck ...

    ... would put this kind of kit on a network available to the general public?

    I mean, really? Seems we're no longer even trying to educate teh yoof ...

    1. frank ly

      Re: Who the fuck ...

      But, but, it's cheaper that way and it makes it easier for management to monitor it from the comfort of their office.

      "... possible paths between trains' operational systems and passenger entertainment systems, ..."

      That should be impossible. But, but, but.

      1. leon clarke

        "... possible paths between trains' operational systems and passenger entertainment systems, ..."

        As a workaround, train operators could ensure that no aspect of the journey is in any way entertaining.

        1. allthecoolshortnamesweretaken

          "As a workaround, train operators could ensure that no aspect of the journey is in any way entertaining."

          Whaddaya mean, "could"? In my experience they are already pretty good at that even without using any computer aid.

          Re "possible paths between trains' operational systems and passenger entertainment systems" - are we going to see high speed trains being hacked like, say, a Jeep Cherokee?

          1. Anonymous Coward
            Anonymous Coward

            Allegedly already seen in aircraft [but...]

            "possible paths between trains' operational systems and passenger entertainment systems, they say."

            Just like in aircraft then.

            We've already seen claims that someone in a passenger seat got access via the entertainment network to the flight network.

            I took the trouble to follow the claims as far as I could (I used to have some aircraft experience and some network experience).

            There was remarkably little real detail, but one alleged detail I did see after a great deal of digging involved a "logon screen" which was said to be a Solaris logon screen.

            On an aircraft? Chances are small but not quite zero.

            On a safety critical system on an aircraft? Chances are zero.

            I lost interest at that point.

            It'd not be a huge surprise if something similar was going on here, although it also wouldn't be a huge surprise if there was genuine cause for concern.

            Their mention of interlocking systems is interesting. There's at least one UK multiple unit train design that combines the door/motion interlock system (no opening door while train is in motion) with the in-train display system. Neither are directly safety critical, so "for simplicity", Windows was the chosen OS. There is another interlock with the motion control which says the train cannot start unless the door/motion interlock is showing signs of normal behaviour (ie the application is running and driving its handshake IO as required).

            Windows being what it is, unplanned reboots are sometimes required. Driver gets to station and reboots the on-train info system, which therefore knocks out the door/motion interlock till the reboot has completed and the handshaking is alive again. Till startup is finished, the train cannot move off. So, some minutes later, by which time the train is irrecoverably late courtesy of Microsoft and friends, the train is able to set off again. What a marvellous design.

            A better informed train geek than I am may be able to give you chapter and verse (what class train it is, who designed the train and when, who supplied the subsystems, what Windows version, etc).

            1. Someone Else Silver badge
              Boffin

              @ AC -- Re: Allegedly already seen in aircraft [but...]

              "Their mention of interlocking systems is interesting. There's at least one UK multiple unit train design that combines the door/motion interlock system (no opening door while train is in motion) with the in-train display system."

              No, not that interlock. They are talking about the interlocks that switch a train from one track to another; to, for instance, bypass a slower moving train, or shunt a train off onto a siding or another line.

        2. Just a geek
          Trollface

          I thought that they already did this as a matter of standard?

      2. Anonymous Coward
        Anonymous Coward

        Re: Who the fuck ...

        The draft BS EN 62580-1 "Electronic railway equipment - On-board multimedia and telematic subsystems for railways" actually features interconnection between train backbone networks and passenger-facing things as part of the standard .......

    2. alain williams Silver badge

      Re: Who the fuck ...

      "... would put this kind of kit on a network available to the general public?"

      It has been known for a long time that SCADA systems tend to have poor security controls; many are ancient having been built in an era before today's world where everything is connected. Plenty of time to address the issues but this has not happened.

      So: regard this as a boot up the backside, not just to the vendors but also the users who have been reluctant to invest in upgrades. Granted that upgrading a rail system is not an overnight job.

      Hopefully the result will be more secure infrastructure in a few years time.

      1. Anonymous Coward
        Anonymous Coward

        Re: Who the fuck ...

        "regard this as a boot up the backside, not just to the vendors but also the users who have been reluctant to invest in upgrades."

        Stuxnet should surely have been that boot up the backside? It doesn't seem to have caused much of a rethink, not based on what I've seen anyway. Business as usual, clueless people in charge of budgets and technology.

        It'll be fine, there's no problem, all we have to do is make sure everything on the LAN is a member of the domain (genuine plan at a List X site I'm familiar with). Failing that, device access control via 802.1x. No consideration of kit that can't join the domain for perfectly valid reasons and equally can't play 802.1x either. But what the IT Director wants, the IT Director must have, regardless of the (valid and safe) needs of the rest of the non-IT parts of the business (the bits that actually design, make, test, and repair things, and thereby pay the IT Director's overinflated wages).

        1. Anonymous Coward
          Anonymous Coward

          Re: Who the fuck ...

          " No consideration of kit that can't join the domain for perfectly valid reasons and equally can't play 802.1x either. "

          More likely, equipment that cannot join the domain will be rejected at procurement stage or just given a "pass", and 802.1x would be deemed a technical requirement, and subject to commercial people over-ruling it in an effort to appear to be saving money .....

        2. Anonymous Coward
          Anonymous Coward

          Re: Who the fuck ...

          "Stuxnet should surely have been that boot up the backside? It doesn't seem to have caused much of a rethink, not based on what I've seen anyway. "

          I bet there's someone somewhere that uses USB drives for data transfer of logs as it is "more secure" than a one-way file transfer ....

        3. Joe Montana

          Re: Who the fuck ...

          Great, as a pentester the domain is usually the first and easiest target to go for on any given network... All it takes is one vulnerable member system and you can almost always compromise the entire domain, and then every member system is owned. By putting everything in the domain you make it MUCH easier - far greater chance of finding the one vulnerable system you need, and much easier to access everything else (irrespective of how well hardened it is) once you have domain admin.

        4. Anonymous Coward
          Anonymous Coward

          Re: Who the fuck ...

          >But what the IT Director wants, the IT Director must have, regardless of the (valid and safe) needs of the rest of the non-IT parts of the business

          I keep seeing ACs posting on here how the IT department is some parasite fiefdom on its own that doesn't care about the business. Must be all those broken ass banking and consulting companies in the UK because that sure isn't my experience here stateside working mostly for semiconductor manufacturers. Half our current IT staff started as operators on the Fab floor before skilling up. 24/7 manufacturing always comes first no matter what we are doing and being the slim unit we are we spend far more time on requests from the fab than we do from the corporate IT wing. I guess also being in a right to work (ie right to fire) state helps cut down on the bureaucracy created solely for job security.

          1. Anonymous Coward
            Anonymous Coward

            Re: Who the fuck ...

            And yes I know the difference between right to work and employment at will concepts but both together tend to discourage unions which other arguments aside could possibly be the cause of some of the non-business parasite activity ACs on here are always whining about. For a good example see the total clusterfsck that is the VA in the US where it is nearly impossible to fire employees even if for things you and I would consider fraud. Unsurprisingly they have formed a bureaucracy that is more about protecting their jobs and punishing whistle blowers than serving Veterans (their core mission).

            1. Intractable Potsherd

              Re: Who the fuck ...

              <sarc> Yep - discouraging unions is always a good thing. After all, who needs protection from employers anyway? </sarc>

              The ignorance here is astounding.

              Edit to include sarc tags for the more literal readers.

              1. Anonymous Coward
                Anonymous Coward

                Re: Who the fuck ...

                No, I am also well aware of the value of unions, especially for employees, and with the US having a union participation rate of barely single digits they are hardly the danger here made out by the righties. Also funny how wages have stagnated since union membership started declining in the 1970s. That said unions can have drawbacks even for employees if they are allowed to run amok (see teacher jobs being given away in wills like in Mexico, a place that can really afford incompetent teachers).

                1. Anonymous Coward
                  Anonymous Coward

                  Re: Who the fuck ...

                  meant barely double digits.

          2. Anonymous Coward
            Anonymous Coward

            Re: Who the fuck ...

            "24/7 manufacturing always comes first no matter what we are doing"

            And rightly so. Automated manufacturing used to be my background too, but for various reasons I ended up in the kind of places where "what the IT Director wants, the IT Director must have, regardless of the (valid and safe) needs of the rest of the non-IT parts of the business".

            "I guess also being in a right to work (ie right to fire) state helps cut down on the bureaucracy created solely for job security."

            Not sure what that means. By far the worst place I saw for IT is one where the CEO thought he had a clue about IT (because he had a PC at home?) and his IT director (one of his mates) was appointed accordingly, equally cluelessly, and so on down the chain. You could have almost anything you wanted as long as it had a Dell badge and was on the approved parts list (e.g. no hi-res monitors, they weren't approved, unless it was for electronic Andon board substitute which then sit idle for 99% of the time) and either ran Windows or as long as the business user was willing to wait a year while the business justification for not running Windows was evaluated. Non-compatible improvement suggestions were treated as rank insubordination.

            I'm pleased to hear there are still places that aren't quite that stupid. Got any jobs going?

            1. Anonymous Coward
              Anonymous Coward

              Re: Who the fuck ...

              >I'm pleased to hear there are still places that aren't quite that stupid. Got any jobs going?

              I am sure we have some available but 47C in summer is a bit of a weed out factor lol.

    3. Fatman
      Mushroom

      Re: Who the fuck ...

      In one simple, easy to understand word:

      DAMAGEMENT

      MBA PHB: "We need to cut the OPEX budget, those dedicated leased telephone lines for our plant to HQ links costs big $$$$ monthly, can we somehow get rid of them???"

      PHB suckup: "Yes sir boss, we can connect them to the internet, and drop those expensive bonus killing dedicated lines."

      MBA PHB: "Good, I want a larger bonus at year end."

      PHB suckup (to IT): "The C suite wants budget cuts, and we can't afford those expensive leased lines anymore. Connect them to HQ through the Internet."

      IT: "We can do that, but those old systems were NEVER designed for direct Internet connections. We could be compromised."

      PHB suckup: "Who cares!!!! The C suite wants budget cuts."

      .

      .

      .

      Some time later, the ClusterFuck Electric Co's Nuclear power plant is in deep shit because some hacker thought it would be funny to play games with the coolant pumps.

      `MBA PHB` and `PHB suckup` are long gone, but IT gets to clean up the shit they left behind

  2. nsld

    If someone can

    Get into great northern and make them run on time that would be great. .....

    1. Anonymous Coward
      Angel

      Re: If someone can

      The El Reg forum is devoted to empirically sound applications of technology. This being the case, perhaps your specific request should be directed to the "miracles and divine intervention" forum on the Catholic church's website? Is there a patron saint of public transportation? Or even an angry train god that you can sacrifice a goat or some hobo to?

      "Oh, great Loco. Oh, He who moves the masses and cargo. Accept this poor offering and show us your favor!!"

  3. Winkypop Silver badge
    Coat

    Son!

    Don't turn on that Hornby set!

    Mine's the one with the OO track in the pocket.

    1. Anonymous Coward
      Anonymous Coward

      Re: Son!

      Well my G Scale (largish garden scale railway - normally dangerous only to cats who don't pay any attention at the level crossing) is controlled through 3 Raspberries. Networked wirelessly. I'm beginning to harbour suspicions about the terrier's intentions - spends a lot of time in my office.

      1. dotdavid

        Re: Son!

        "I'm beginning to harbour suspicions about the terrier's intentions"

        Terrierist?

    2. phuzz Silver badge

      Re: Son!

      What's the odds that AC's home railway is better secured than a real one?

  4. Anonymous Coward
    Anonymous Coward

    "The flaws follow a tune common to all utility sectors: decades-old industrial control systems once fragmented and offline have been networked to introduce better functionality"

    NO, no. It isn't for better functionality but to allow the bean counters to meddle with things they know nothing about.

    The big problem is that accountants have replaced engineers in positions where engineers are necessary. Until this is reversed we will continue to have these problems.

  5. Anonymous Coward
    Anonymous Coward

    Will we never learn?

    It's all very well mocking the inadequacies of antiquated systems.

    But a vast new generation of on-line connected, uncertified and inadequately protected artefacts are coming our way: Things and the Internet thereof.

    Whilst a single refrigerator or light bulb poses an incomparably small threat compared to a 'plane or train, thousands of such Things driven in concert (cf. DDOS attacks) could be quite another matter.

    1. John Brown (no body) Silver badge

      Re: Will we never learn?

      "Whilst a single refrigerator or light bulb poses an incomparably small threat compared to a 'plane or train, thousands of such Things driven in concert (cf. DDOS attacks) could be quite another matter."

      Yeah, the thought of 10,000 fridge/freezers all turning on and off again in sync is probably a nightmare the power grid could do without.

      On the other hand, some marketing wonk at the fridge/freezer manufacturer will probably think it's a cool idea to have all their connected fridges talk to each other and a minor coding error will make them all talk to the same time server and use the same entropy sources.

      1. Anonymous Coward
        Anonymous Coward

        Re: Will we never learn?

        What's wrong with them talking to the same time server? Do you think they should all have a different idea of the current time? Setting them to sync to pool.ntp.org seems the most likely.

        Entropy sources don't matter - fridges aren't deciding when to turn their compressors on and off again based on a schedule, but rather based on internal temperature versus their set temperature. When to turn on the compressor will be different for each one as different homes have different ambient temperatures, different amounts of airflow around them, different amounts/lengths of opening/closing the door, and different contents being added/removed.

        Those are all natural sources of entropy so even though the fridges all have the same amount of insulation built in, they would immediately have their schedules diverge even if they were all turned on with the same contents at the same time to start with.

        1. John Brown (no body) Silver badge
          Thumb Up

          Re: Will we never learn?

          In the real world I would have to agree with every point you make. But the world of marketing and "cool new features" is a whole different kettle of apples. (see what I did there?)

          Upvoted for post-Xmas sanity :-)

        2. Midnight

          Re: Will we never learn?

          Experience has shown that it won't be "pool.ntp.org" that they all sync to, but rather the University of Wisconsin–Madison's time server, or the only stratum 1 NTP server in all of Denmark.

          The same experience also suggests that "Hey, let's have our hardware automatically download firmware updates so the users won't forget to" and "We should hard code a nice, safe time for all our systems to apply updates and reboot when nobody is using them" will also be seen as good ideas, and every single node in the Internet of Fridges will download the same untested update at the same time, apply it, and then power-cycle itself at midnight. UTC, of course, which puts it somewhere around peak evening power usage time in the USA.

          Only to come up again with the Metric to American conversion settings all backwards and happily chilling everybody's frozen meats to a nice, cool thirty-two degrees Celsius once the power comes back on.

          1. asdf
            Coffee/keyboard

            Re: Will we never learn?

            @Midnight LMFAO

        3. billse10

          Re: Will we never learn?

          "What's wrong with them talking to the same time server? Do you think they should all have a different idea of the current time?"

          I definitely think it's a good idea to have a single reference time source.

          Hi from Greenwich :)

  6. Faszination

    Utter nonsense.

    Once again media hype is making this something it clearly isn't.

    I fail to see how compromising the systems on a single train would allow a hacker to then compromise the interlocking for signalling. For a start, the interlocks and their associated signals, points and crossovers are all controlled from regional signalling centres and have nothing whatsoever to do with the trains that run on them.

    Even if someone with the requisite knowledge were to be able to control a train, there is no way they could make the leap from there to controlling the national infrastructure.

    Garbage.

    1. Nixinkome

      Re: Utter nonsense.

      Are not some of the Russian Rocket Force [Nuclear Deterrents] train borne?

    2. Stoneshop
      FAIL

      Re: Utter nonsense.

      Try reading and comprehending this sentence, present in the article you are labelling as garbage: Flaws affect various systems including mobile communication and interlocking platforms that control braking and help prevent collisions.

      They are NOT ONLY dealing with rolling stock control systems. And even if they were, would you like to be in one where a black hat had access to the ATP/Indusi/Integra/whatever, making it ignore the next red signal?

      Lots of interlock and signalling systems, from Alstom, Bombardier, Siemens as well as dozens of smaller system vendors are controlled via IP now. Stuff that used to use serial comms over dedicated copper or fiber is now fitted with Westermo's and connected via some flavour of IP network. An RFC1918 network most likely, but get into a control node via your exploit of choice and you can fsck up the lot quite a bit.

      1. Anonymous Coward
        Anonymous Coward

        Re: Utter nonsense.

        @Stoneshop

        They may be RFC1918 addresses, but figuring out the IP in use within those ranges gets a lot easier if people use the relevant EN.

  7. Anonymous Coward
    Anonymous Coward

    Ah the rail industry. I had to visit site to investigate some equipment which was down. It'd been down for some months (regulatory required equipment) but no one had reported/tested/been aware. Fortunately I retrieved it by pulling a disc in the raid set and it booted to the OS and then rebuilt.

    Typical next question.. "where's all the data that we didn't record?"

    Profit margins are so low that they aren't employing people to do a good job, just enough to keep things running.

    1. Intractable Potsherd

      " ... they aren't employing people to do a good job, just enough to keep things running."

      Unfortunately, this is the case in a lot of places. A number of bridges affected by the recent water-related problems in the UK are testament to inadequate maintenance. The cult of bean-counting means that few people pay any attention to resilience these days.

  8. Anonymous Coward
    Anonymous Coward

    Hold them accountable

    All involved should be held accountable for their actions or lack of proper security.

  9. Anonymous Coward
    Anonymous Coward

    First world problems

    Over here in America, we don't need hackers to derail our shiny new medium-speed trains. I'm always hearing about derailments and emergency track closures on the main northeast rail lines. All it takes is a rockslide, a neglected track, an engineer with a smartphone...

    1. asdf

      Re: First world problems

      Train wrecks are hardly first world problems even if the new causes are (makes me think of late 19th century over there in the UK or India today). First world problem is busting your ass on a hover board and posting hospital pics on FB expecting sympathy.

  10. Cincinnataroo

    It's a sad and dangerous world that needs a data drop like this to ATTEMPT a fix.

    Our organisations are effectively brain dead.

    1. Intractable Potsherd

      "Our organisations are effectively brain dead."

      They are all held in thrall to the Cult of Bean Counters, whose first rule is "Know the price of everything and the value of nothing". Their second rule is "No-one else knows the value of anything either, regardless of qualifications." Their disciples, known as MBAs, are so thoroughly indoctrinated into the creed that they can see no God but the accounts ledger.

  11. Anonymous Coward
    Anonymous Coward

    Ruski on rails: Russian trio relegate SCADA to Brio

    Cracking SCADA systems shown to be child's play

  12. Steam

    The list does not contain the info claimed

    If you follow the URLs, download the list and open the file, you see a list of documents showing how to log on to a newly shipped comms device. If I change the SIM for my phone it has a default code - typically 0.0.0.0 or 1.2.3.4. I would like the SIM supplier to say which it is. If I do not change it, it's my fault, not the SIM supplier's. The supplier still has to tell me what the original code is so I can use the SIM. Replace SIM with switch, same thing. No story here...
