Hacking train Wi-Fi may expose passenger data and control systems

Vulnerabilities on the Wi-Fi networks of a number of rail operators could expose customers' credit card information, according to infosec biz Pen Test Partners this week. The research was conducted over several years, said Pen Test's Ken Munro. "In most cases they are pretty secure, although whether the Wi-Fi works or not is …

Silver badge

I know nothing about train architecture but are the brakes really likely to be network-accessible?

13
0

If you want to talk to the actually operational bits of train rather than monitoring or customer entertainment you'd be better off with an RS232 or RS485 dongle rather than twatting about with Ethernet. Apart from anything else when most of our current rolling stock was designed the sort of microprocessor that did Ethernet was not the sort of microprocessor you had doing engine control. CCTV and other more recently fitted stuff might use the same connection though.

11
3
Silver badge

What I do know is that the trains I travel on were built before ethernet was invented.

23
0
Silver badge

"are the brakes really likely to be network-accessible?"

Yes, because of the safety systems regarding signals and stuff.

Although if you want to cause that kind of havoc and mayhem there are easier ways to get the safety protocols screaming than hacking through the train WIFI system.

2
7

Bet they weren't.

2
0
TRT
Silver badge

The brakes on my train are controlled by either the driver or, for emergency application only, by a radio signal at 64.25 kHz followed by another a few seconds later at 65.25 kHz or at 66.25 kHz and 65.25 kHz together. I wonder if there was confusion between AWS and AWS? One's cloud, the other's loud.

10
0

I'm no expert on trains but my eyebrows went up at the idea of radio at 60 odd kHz, I think it would need rather large aerials. It seems to be done by magnetic induction from loops on the track.

Is this an interesting way to force a train to stop without connecting to any infrastructure?

2
0
Silver badge
Facepalm

Hacking train Wi-Fi may expose passenger data and control systems

At least three people disagree with you :)

@theModge: "If you want to talk to the actually operational bits of train rather than monitoring or customer entertainment you'd be better off with an RS232 or RS485 dongle rather than twatting about with Ethernet. Apart from anything else when most of our current rolling stock was designed the sort of microprocessor that did Ethernet was not the sort of microprocessor you had doing engine control. CCTV and other more recently fitted stuff might use the same connection though."

2
1
Silver badge
Gimp

@TWT @Tony W

The system that uses 64 odd kHz is TPWS, a safety system that is designed to mitigate the consequences of a train passing a red signal. It is an improvement on AWS (in that it can mitigate going too fast and doesn't rely on the driver if the train doesn't stop at a red signal) but not as comprehensive as ETCS/ATP. In most cases up to 70mph (100mph for TPWS+) it can stop the train with an emergency brake application before it becomes a problem (i.e. within the signal overlap), but even if the train doesn't stop in time it can still reduce the consequences of what happens next.

TPWS uses the two aerials in the four foot (the space between the rails) and a sensor on the train. AWS (the train one not the cloudy one) uses a unit with two magnets (one permanent one electro) which sits in that yellow ramp looking thing also in the four foot. This gives a warning to the driver when approaching a signal showing a restrictive aspect (single yellow, double yellow or red i.e. not green) and can make an emergency brake application if the driver doesn't acknowledge it within 2.7s. If the driver does acknowledge an AWS warning s/he takes the consequences of not reacting accordingly as AWS will take no further action.

You could potentially hack either but only by getting into the signalling system proper.

5
0

Security researcher clickbait

You really need to introduce some editorial control over reporting this 'researcher' bollocks.

Yet again we have someone who has done some minimal prodding on a hotspot, found some minimal vulnerability in a wifi billing system and then based on nothing more than utter ignorance spun this into some sort of critical systems vulnerability because there's a hotspot and it's on a train.

Just another variation on the theme of "I hacked a plane by plugging into the infotainment but have no evidence to back my technically impossible assertion but please give me lots of coverage"

99.9% of these stories are total bullshit by people trying to get publicity because they're idiots and don't know they're talking bollocks.

56
1
Silver badge
Pint

Re: Security researcher clickbait

Just another variation on the theme of "I hacked a plane by plugging into the infotainment but have no evidence to back my technically impossible assertion but please give me lots of coverage"

Yeah sure but can you be certain that would not be possible to bridge from the train ethernet to the nuclear launch codes? Ok he may not be able to but CAN WE AFFORD TO RISK IT? Also what if the researcher had been a PAEDO?

I've started already-->

37
0
Silver badge

Re: Security researcher clickbait

You really need to introduce some editorial control over reporting this 'researcher' bollocks.

And preferably before Ben-Gurion University comes along with some wank about how to exfiltrate passenger data by speeding up and slowing down the train to generate a bit stream which can be observed using a satellite-borne camera.

22
0
Silver badge
Facepalm

Re: Security researcher clickbait

"99.9% of these stories are total bullshit by people trying to get publicity because they're idiots and don't know they're talking bollocks."

No, they're simply spouting alarmist bollocks in the hopes they'll get in the Daily Fail next week. The company name splashed all over the dailies, right in front of loads of numpty middle managers? Holy heck you can't buy quality PR like that, well you can but not at the price Pen Test Partners are likely to be able to afford on a national scale.

While I don't doubt there is a grain of truth in some of this, the fact that Mr Munro stated his points in nice, neat sound-bite sized sentences that even Vinnie Jones completely pissed could understand, rings my bullshit-o-meter off the wall. Easy Sun/Daily Fail/Mirror formatted twaddle that fits neatly into Twitter 140 char limited messages, so it can be broadcast over the media wires quickly and get attention in the worldwide media, it's classic media phishing, PR bullshit exercise.

10
2
Anonymous Coward

Re: Security researcher clickbait

Yes. Will someone think of the children.

5
0
TRT
Silver badge

Re: Security researcher clickbait

What we really need to know, though, is how much is the house he lives in worth.

3
0
Anonymous Coward

Re: Security researcher clickbait

It's the 0.01% you have to worry about.

2
0
Silver badge

Re: Security researcher clickbait

He should have gone for "hack the accelerator" - far more scary than "hacked the train to be able to do an emergency stop" - especially when there are pull-cords throughout the train to do the very same.

"Can stop a train without needing a ticket" isn't a very catchy headline.

4
0
Anonymous Coward

Re: Security researcher clickbait

"He should have gone for "hack the accelerator" - far more scary than "hacked the train to be able to do an emergency stop" "

Toyota have already been there done that with the accelerator and yet there's remarkably little visible coverage outside specialist circles. Search for e.g. "koopman unintended acceleration toyota devops".

may lead to e.g.

"Investigations into potential causes of Unintended Acceleration (UA) for Toyota vehicles have made news several times in the past few years. Some blame has been placed on floor mats and sticky throttle pedals. But a jury trial verdict found that defects in Toyota's Electronic Throttle Control System software and safety architecture caused a fatal mishap. This verdict was based in part on a wide variety of computer hardware and software issues. In this TSP Symposium 2014 keynote presentation, Philip Koopman outlines key events in the still-ongoing Toyota UA story and pulls together the technical issues that have been discovered by NASA and other experts. The results paint a picture that should inform not only future designers of safety-critical software for automobiles but also all computer-based system designers."

Then again you may have to remove my devops reference, depending on the search engine you choose ;)

1
0
Silver badge
Pint

Re: Security researcher clickbait

@Starace

Thank you - that saved me quite a bit of typing. Have a beer!

0
0
Silver badge

train wifi should be free

Then there is no need to store people's details on their system

After all the tickets are expensive enough!

Caveat - I try and avoid public WiFi (free or paid for) as you can never be sure of how secure it is. If I must use it I go in VPNed up to the eyeballs & do nothing sensitive.

24
0
Silver badge
Unhappy

Re: train wifi should be free

MITM would be easy to do on a train. As a joke, once, I set up my laptop [years ago] on a commuter train, when there was NO wifi available on the trains, so that my laptop was an access point (easy with FreeBSD or Linux). At least one laptop near me tried to connect to me.

So yeah MITM in a train car would be EASY. Also as you stop at various stations, sometimes the nearby wifi is 'connectable' for a minute. Might be long enough to 'burst transfer' something. Windows boxen are often SO prolific at connecting to "something" when people leave their wifi on.

And setting MITM up with a Linux or BSD laptop is somewhat trivial. You could even hook well-known IP addresses like 8.8.8.8 for google's DNS [for example], in case someone hard-codes the IP address for DNS rather than relying on DHCP.

So, yeah, watch your certs and ssh fingerprints when you're on any kind of public wifi! [or else 'they' will]

2
0
Silver badge

"It might be possible, and this is speculation, to lock the braking system."

It might be possible, and this is speculation, that the claim about being able to make the leap from wifi network to controlling the train's brakes is a bit of headline grabbing

19
0
Bronze badge

Par for the course with PTP

but depending on the architecture, it may be possible, like it is with the way they integrated stuff into cars.

4
2
Silver badge

but depending on the architecture, it may be possible, like it is with the way they integrated stuff into cars.

No, it really isn't.

10
0

Thing is, if somebody did manage to lock the brake system on a Southern Rail train, would anybody actually notice.

30
0

you southerners know nothing of rail misery, us northerners have to travel on these bad boys: http://www.docbrown.info/docspics/ArchiveSteam/lococlass142.htm

11
0
Silver badge

You northerners know nothing of rail misery. Us southerners have to travel on something like this.

8
0
Silver badge

Us northerners had to invent and build the trains before we could ride on em

11
0
Silver badge

RE: Class 142/144

Ah, the Leyland busses on rails.

They'll be gone soon as they don't comply with Disability Regulations.

Sad really, because the seats on those Class 7** and 8** trains are about as comfortable as a plank of wood[1]. Be careful what you wish for.

[1] The original Liverpool and Manchester Railway carriages had planks of wood in open trucks for passengers to sit on. Looks like we are going back to 1830.

7
0
Anonymous Coward

finding a Southern Rail train actually running may be more of a challenge.

2
0
Anonymous Coward

@Yet Another Anonymous coward

Yes but we fudged the network up.

0
0
Silver badge

Rail Replacement Bus?

Nah. This is not a bus, but it is what you're doing rail replacement with.

2
0
Silver badge

luxury.

4
0
Silver badge

Re: RE: Class 142/144

Ah, the Leyland busses on rails.

I can't remember who the presenter was, but remember seeing the Pacer units being covered on Tomorrow's World on BBC1 - in the days of Michael Rodd. The handling and ride quality issues of these stem from the fact that they have only single axles at each end of the carriage as opposed to a double axle bogie.

7
0
Silver badge
Joke

Bloody northerners taking the credit for a Cornish invention.

0
0

Luxury! I would have given my right arm to enjoy riding in something like that. We have to get out and push!

4
0

At least you have something to push.

5
0

Digital Railway (Yes, really)

Actually, while one obviously hopes that there's no basis for worries about interaction between public-facing Wifi and internal train management systems, it has to be said that recent rolling stock is heavily reliant on digital systems rather than older (physical or analogue) controls. Examples of this type of train would include the Thameslink class 700 (but that's safe 'cos DfT excluded Wifi from the specification), the Crossrail (Elizabeth Line) class 345 Aventra from Bombardier and the various classes 800/801/802 Hitachi electric / bimodes on GWR and to be introduced on the East Coast Mainline, TransPennine Express and Hull Trains over the next few years.

In addition, we're seeing the first stages of ETCS (level 2 and above) implementations starting to introduce on-board electronic signalling which will in time replace the conventional line side colour light signals across Network Rail. On the Thameslink core route (between St. Pancras International and Blackfriars) ATO (Automatic Train Operation) will be "driving" the trains in order to meet the planned increase in throughput in the next year or so. Not that ATO is in any way new as it's been used on metro systems throughout the world, and in a simplistic form since its opening in 1967 on the London Underground Victoria line.

Not in a position to comment on how much security has been baked into the designs of these highly complex systems. Doubtless there will be those among this community who may be able to comment further.

6
0
Silver badge

Re: Digital Railway (Yes, really)

Ohhhhhh, we have a RAIL reader in the house! :-)

4
0
Headmaster

Re: Digital Railway (Yes, really)

"Modern Railways" regularly actually ... but RAIL on occasions!

(See Roger Ford's "Informed Sources" article in the current edition for ETCS & ATO on Thameslink central core.)

6
0
Silver badge

Re: Digital Railway (Yes, really)

I've worked on both sides of the industry (signal engineering and train-borne equipment), albeit a long time ago. (Your name rings a bell for some reason, have you worked for LUL?). The fail-safe principles underlying the Victoria line equipment (correct me if I'm wrong) are based on resonant frequency circuitry. If a well-defined pulse of a certain frequency is received then it effectively energises a switch enabling a train to move within a certain speed range, or to coast. Without the code being detected, the train stays where it is. If code is lost, the brakes are applied. Unlike car traffic where the driver of the car behind takes a chance on the bloke in front braking suddenly, the railway signalling system is designed to ensure that there is adequate distance for the train behind to brake with no chance of hitting the other train. This is all automatic, even if the driver were to collapse at the controls, safety is assured.

I seem to remember the ETT (Experimental Tube Train) planned to use Intel 4040 CPU's, because I remember trying to suss out the Assembler code for it. LUL were extremely cautious about microprocessors in those days to the extent of insisting that whatever CPU was used for production systems was 2nd sourced by a different manufacturer, so there was not total reliance on Intel. I think IBM was a second source for early 8-bit CPU's. The use of TTL was frowned upon by the development section I worked with (spiky, high-current, electrically noisy), with preference for CMOS for its higher noise immunity. Usually anything involving CPU's was "front-ended" with relays (train-borne equipment) or with mechanical interlocking frames and/or relays (trackside signalling). Even the frequency of the relays used for trackside use were specially designed to run on 125Hz (33Hz previously) AC. 125Hz being not harmonically related to the industrial 50Hz standard - meaning high noise immunity. The principle of electricity flowing = potentially ok (sorry, tripped over a pun there), no electricity = Whoa! Stop! was engraved into everyone's sub-conscious.

In summary, the Underground is an incredibly safe way to get from A-B.

8
0
Silver badge

Re: Digital Railway (Yes, really)

Have an upvote for mentioning Roger Ford and Modern Railways.

2
0
Bronze badge

Separate WIFI

'Completely isolated, physically separate hardware for passenger Wi-Fi is preferable.'

It probably is separate and the contract given to the lowest bidder. This is not news, if anything you can bet an outfit like crapita is involved and it is totally separate from the running of the train systems and implemented at great cost when a conjoined secure system that actually works could be designed and implemented for 1/4 the cost if the people on this forum had input.

4
1
Silver badge

Re: Separate WIFI

It's usually run by either Nomad, T-Systems, or The Cloud, mostly it's Nomad though because they've done mobile WiFi solutions for forever...

2
0
Silver badge

Re: Separate WIFI

So you want the wireless non-wired network not be wired to the wired non-wireless network?

2
1
Anonymous Coward

Re: Separate WIFI

"you want the wireless non-wired network not be wired to the wired non-wireless network?"

I used to read Wireless World, but that was before geranium transistors were obsoleted.

Now I don't even read Wired, but I do get Stack Overflow occasionally.

1
0
Silver badge

Re: before geranium transistors were obsoleted.

Watering them caused too many side-effects.

9
0
Silver badge
Trollface

Simple way to break/brake a train using WiFi

Obtain a burner phone or mobile hotspot. Set up a discoverable WLAN named something threatening like "Bonmb on Trian". Wait until someone sees it on their phone. During the chaos of the emergency evacuation, lift some wallets or something.

If a single wifi device can take planes out of the sky, it'll shut down a train. And when somebody does this in a plane or airport out of reckless stupidity or thinking it's a great prank, the authorities usually can't even figure out who did it!

Disclaimer: don't actually do this.

13
0
Silver badge
Pirate

Re: Simple way to break/brake a train using WiFi

Even simpler: anonymously call the train operator that a radicalised person has boarded. Worked well enough for a train headed for Berlin from Amsterdam, couple of months ago. Except that the caller wasn't thorough enough regarding the 'anonymously' part, but that only bit him a couple of weeks later.

5
0
Coat

Routers, Routers, Routers

Would it be any good for Gov enforcing a new design for routers utilised in any infrastructure project.

Hardened routers, No-Wifi-admin and No-remote-admin.

Separate routers for public access that only connect to public networks.

& Encryption:

It's mind-boggling that infrastructure is on any public network, or that it is using accessible devices or even the same system type, without strong encryption. Encryption needs to be stronger than the time the longest trip takes. How long are passengers (potential hackers) on the train for? Perhaps length of a Chunnel trip France-England.

1
0


Biting the hand that feeds IT © 1998–2018