Hacking train Wi-Fi may expose passenger data and control systems

Vulnerabilities on the Wi-Fi networks of a number of rail operators could expose customers' credit card information, according to infosec biz Pen Test Partners this week. The research was conducted over several years, said Pen Test's Ken Munro. "In most cases they are pretty secure, although whether the Wi-Fi works or not is …


  1. TonyJ Silver badge

    I know nothing about train architecture but are the brakes really likely to be network-accessible?

    1. theModge

      If you want to talk to the actual operational bits of the train rather than monitoring or customer entertainment you'd be better off with an RS232 or RS485 dongle rather than twatting about with Ethernet. Apart from anything else, when most of our current rolling stock was designed the sort of microprocessor that did Ethernet was not the sort of microprocessor you had doing engine control. CCTV and other more recently fitted stuff might use the same connection though.

      1. Walter Bishop Silver badge
        Facepalm

        Hacking train Wi-Fi may expose passenger data and control systems

        At least three people disagree with you :)

        @theModge: "If you want to talk to the actual operational bits of the train rather than monitoring or customer entertainment you'd be better off with an RS232 or RS485 dongle rather than twatting about with Ethernet. Apart from anything else, when most of our current rolling stock was designed the sort of microprocessor that did Ethernet was not the sort of microprocessor you had doing engine control. CCTV and other more recently fitted stuff might use the same connection though."

    2. katrinab Silver badge

      What I do know is that the trains I travel on were built before ethernet was invented.

      1. Tony Gathercole ...

        Bet they weren't.

        1. TRT Silver badge

          The brakes on my train are controlled by either the driver or, for emergency application only, by a radio signal at 64.25 kHz followed by another a few seconds later at 65.25 kHz or at 66.25 kHz and 65.25 kHz together. I wonder if there was confusion between AWS and AWS? One's cloud, the other's loud.

          1. Tony W

            I'm no expert on trains but my eyebrows went up at the idea of radio at 60 odd kHz, I think it would need rather large aerials. It seems to be done by magnetic induction from loops on the track.

            Is this an interesting way to force a train to stop without connecting to any infrastructure?

            1. paulf Silver badge
              Gimp

              @TWT @Tony W

              The system that uses 64 odd kHz is TPWS, a safety system that is designed to mitigate the consequences of a train passing a red signal. It is an improvement on AWS (in that it can mitigate going too fast and doesn't rely on the driver if the train doesn't stop at a red signal) but not as comprehensive as ETCS/ATP. In most cases up to 70mph (100mph for TPWS+) it can stop the train with an emergency brake application before it becomes a problem (i.e. within the signal overlap), but even if the train doesn't stop in time it can still reduce the consequences of what happens next.

              TPWS uses the two aerials in the four foot (the space between the rails) and a sensor on the train. AWS (the train one not the cloudy one) uses a unit with two magnets (one permanent one electro) which sits in that yellow ramp looking thing also in the four foot. This gives a warning to the driver when approaching a signal showing a restrictive aspect (single yellow, double yellow or red i.e. not green) and can make an emergency brake application if the driver doesn't acknowledge it within 2.7s. If the driver does acknowledge an AWS warning s/he takes the consequences of not reacting accordingly as AWS will take no further action.

              You could potentially hack either but only by getting into the signalling system proper.

    3. Grikath Silver badge

      "are the brakes really likely to be network-accessible?"

      Yes, because of the safety systems regarding signals and stuff.

      Although if you want to cause that kind of havoc and mayhem there are easier ways to get the safety protocols screaming than hacking through the train WIFI system.

  2. Starace

    Security researcher clickbait

    You really need to introduce some editorial control over reporting this 'researcher' bollocks.

    Yet again we have someone who has done some minimal prodding on a hotspot, found some minimal vulnerability in a wifi billing system and then, based on nothing more than utter ignorance, spun this into some sort of critical systems vulnerability because there's a hotspot and it's on a train.

    Just another variation on the theme of "I hacked a plane by plugging into the infotainment but have no evidence to back my technically impossible assertion but please give me lots of coverage"

    99.9% of these stories are total bullshit by people trying to get publicity because they're idiots and don't know they're talking bollocks.

    1. 's water music Silver badge
      Pint

      Re: Security researcher clickbait

      Just another variation on the theme of "I hacked a plane by plugging into the infotainment but have no evidence to back my technically impossible assertion but please give me lots of coverage"

      Yeah sure, but can you be certain that it would not be possible to bridge from the train ethernet to the nuclear launch codes? Ok he may not be able to, but CAN WE AFFORD TO RISK IT? Also what if the researcher had been a PAEDO?

      I've started already-->

      1. Anonymous Coward
        Anonymous Coward

        Re: Security researcher clickbait

        Yes . Will someone think of the children .

        1. TRT Silver badge

          Re: Security researcher clickbait

          What we really need to know, though, is how much is the house he lives in worth.

    2. Jason Bloomberg Silver badge

      Re: Security researcher clickbait

      You really need to introduce some editorial control over reporting this 'researcher' bollocks.

      And preferably before Ben-Gurion University comes along with some wank about how to exfiltrate passenger data by speeding up and slowing down the train to generate a bit stream which can be observed using a satellite-borne camera.

      1. Jamie Jones Silver badge

        Re: Security researcher clickbait

        He should have gone for "hack the accelerator" - far more scary than "hacked the train to be able to do an emergency stop" - especially when there are pull-cords throughout the train to do the very same.

        "Can stop a train without needing a ticket" isn't a very catchy headline.

        1. Anonymous Coward
          Anonymous Coward

          Re: Security researcher clickbait

          "He should have gone for "hack the accelerator" - far more scary than "hacked the train to be able to do an emergency stop" "

          Toyota have already been there done that with the accelerator and yet there's remarkably little visible coverage outside specialist circles. Search for e.g. "koopman unintended acceleration toyota devops".

          may lead to e.g.

          "Investigations into potential causes of Unintended Acceleration (UA) for Toyota vehicles have made news several times in the past few years. Some blame has been placed on floor mats and sticky throttle pedals. But a jury trial verdict found that defects in Toyota's Electronic Throttle Control System software and safety architecture caused a fatal mishap. This verdict was based in part on a wide variety of computer hardware and software issues. In this TSP Symposium 2014 keynote presentation, Philip Koopman outlines key events in the still-ongoing Toyota UA story and pulls together the technical issues that have been discovered by NASA and other experts. The results paint a picture that should inform not only future designers of safety-critical software for automobiles but also all computer-based system designers."

          Then again you may have to remove my devops reference, depending on the search engine you choose ;)

    3. FuzzyWuzzys Silver badge
      Facepalm

      Re: Security researcher clickbait

      "99.9% of these stories are total bullshit by people trying to get publicity because they're idiots and don't know they're talking bollocks."

      No, they're simply spouting alarmist bollocks in the hopes they'll get in the Daily Fail next week. The company name splashed all over the dailies, right in front of loads of numpty middle managers? Holy heck, you can't buy quality PR like that, well you can, but not at the price Pen Test Partners are likely to be able to afford on a national scale.

      While I don't doubt there is a grain of truth in some of this, the fact that Mr Munro stated his points in nice, neat sound-bite sized sentences that even Vinnie Jones completely pissed could understand rings my bullshit-o-meter off the wall. Easy Sun/Daily Fail/Mirror formatted twaddle that fits neatly into Twitter 140 char limited messages, so it can be broadcast over the media wires quickly and get attention in the worldwide media; it's a classic media phishing, PR bullshit exercise.

    4. Anonymous Coward
      Anonymous Coward

      Re: Security researcher clickbait

      It's the 0.01% you have to worry about.

    5. ForthIsNotDead Silver badge
      Pint

      Re: Security researcher clickbait

      @Starace

      Thank you - that saved me quite a bit of typing. Have a beer!

  3. tiggity Silver badge

    train wifi should be free

    Then there is no need to store people's details on their system.

    After all the tickets are expensive enough!

    Caveat - I try and avoid public WiFi (free or paid for) as you can never be sure of how secure it is. If I must use it I go in VPNed up to the eyeballs & do nothing sensitive.

    1. bombastic bob Silver badge
      Unhappy

      Re: train wifi should be free

      MITM would be easy to do on a train. As a joke, once, I set up my laptop [years ago] on a commuter train, when there was NO wifi available on the trains, so that my laptop was an access point (easy with FreeBSD or Linux). At least one laptop near me tried to connect to me.

      So yeah MITM in a train car would be EASY. Also as you stop at various stations, sometimes the nearby wifi is 'connectable' for a minute. Might be long enough to 'burst transfer' something. Windows boxen are often SO prolific at connecting to "something" when people leave their wifi on.

      And setting MITM up with a Linux or BSD laptop is somewhat trivial. You could even hook well-known IP addresses like 8.8.8.8 for google's DNS [for example], in case someone hard-codes the IP address for DNS rather than relying on DHCP.

      So, yeah, watch your certs and ssh fingerprints when you're on any kind of public wifi! [or else 'they' will]
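The closing advice above (watch your SSH fingerprints on untrusted Wi-Fi) amounts to pinning a host key and comparing what is presented against the pin. This added example, not part of the thread, computes the OpenSSH-style `SHA256:` fingerprint of a host key blob and checks a known_hosts-format line against a pinned value. The key bytes, hostname and lines are constructed for the example; the wire format of an `ssh-ed25519` public key (length-prefixed type string, then length-prefixed 32-byte key) is real.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length, then bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw32: bytes) -> bytes:
    """Build the public-key blob that appears base64-encoded in known_hosts."""
    if len(raw32) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw32)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the blob, base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts_line(line: str):
    """Return (host, key type, decoded blob) from a plain known_hosts line."""
    host, keytype, b64 = line.split()[:3]
    return host, keytype, base64.b64decode(b64)


def host_key_matches(line: str, pinned_fp: str) -> bool:
    """True only if the presented key's fingerprint equals the pinned one.
    A constant-time comparison avoids leaking how much of the pin matched."""
    _, _, blob = parse_known_hosts_line(line)
    return hmac.compare_digest(fingerprint(blob), pinned_fp)


# Constructed sample data (not a real server or key).
CONSTRUCTED_KEY = bytes(range(32))
TAMPERED_KEY = bytes([CONSTRUCTED_KEY[0] ^ 0x01]) + CONSTRUCTED_KEY[1:]

KNOWN_HOSTS_LINE = "example.invalid ssh-ed25519 " + base64.b64encode(
    make_ed25519_blob(CONSTRUCTED_KEY)).decode()
# What a man-in-the-middle would present: same host, different key.
TAMPERED_LINE = "example.invalid ssh-ed25519 " + base64.b64encode(
    make_ed25519_blob(TAMPERED_KEY)).decode()

PINNED_FP = fingerprint(make_ed25519_blob(CONSTRUCTED_KEY))

if __name__ == "__main__":
    print("pinned:", PINNED_FP)
    print("genuine matches:", host_key_matches(KNOWN_HOSTS_LINE, PINNED_FP))
    print("tampered matches:", host_key_matches(TAMPERED_LINE, PINNED_FP))
```

The value to compare against is the fingerprint recorded on a trusted network the first time; a mismatch on a public hotspot is the signal to stop and not type a password.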

  4. Hans Neeson-Bumpsadese Silver badge

    "It might be possible, and this is speculation, to lock the braking system."

    It might be possible, and this is speculation, that the claim about being able to make the leap from the wifi network to controlling the train's brakes is a bit of headline grabbing.

    1. EnviableOne Bronze badge

      Par for the course with PTP

      but depending on the architecture, it may be possible, like it is with the way they integrated stuff into cars.

      1. Alister Silver badge

        but depending on the architecture, it may be possible, like it is with the way they integrated stuff into cars.

        No, it really isn't.

  5. Scott Broukell

    Thing is, if somebody did manage to lock the brake system on a Southern Rail train, would anybody actually notice.

    1. Kris Akabusi

      you southerners know nothing of rail misery, us northerners have to travel on these bad boys: http://www.docbrown.info/docspics/ArchiveSteam/lococlass142.htm

      1. katrinab Silver badge

        You northerners know nothing of rail misery. Us southerners have to travel on something like this.

        1. Yet Another Anonymous coward Silver badge

          Us northerners had to invent and build the trains before we could ride on em

          1. Anonymous Coward
            Anonymous Coward

            @Yet Another Anonymous coward

            Yes but we fudged the network up.

          2. Mike Richards Silver badge
            Joke

            Bloody northerners taking the credit for a Cornish invention.

        2. Stoneshop Silver badge

          Rail Replacement Bus?

          Nah. This is not a bus, but it is what you're doing rail replacement with.

        3. cantankerous swineherd Silver badge
      2. Steve Davies 3 Silver badge

        RE: Class 142/144

        Ah, the Leyland buses on rails.

        They'll be gone soon as they don't comply with Disability Regulations.

        Sad really, because the seats on those Class 7** and 8** trains are about as comfortable as a plank of wood[1]. Be careful what you wish for,

        [1] The original Liverpool and Manchester Railway carriages had planks of wood in open trucks for passengers to sit on. Looks like we are going back to 1830.

        1. Fruit and Nutcase Silver badge

          Re: RE: Class 142/144

          Ah, the Leyland buses on rails.

          I can't remember who the presenter was, but remember seeing the Pacer units being covered on Tomorrow's World on BBC1 - in the days of Michael Rodd. The handling and ride quality issues of these stem from the fact that they have only single axles at each end of the carriage as opposed to a double axle bogie.

    2. Anonymous Coward
      Anonymous Coward

      finding a Southern Rail train actually running may be more of a challenge.

  6. Halcin

    Luxury! I would have given my right arm to enjoy riding in something like that. We have to get out and push!

    1. Sureo

      At least you have something to push.

  7. Tony Gathercole ...

    Digital Railway (Yes, really)

    Actually, while one obviously hopes that there's no basis for worries about interaction between public-facing Wifi and internal train management systems, it has to be said that recent rolling stock is heavily reliant on digital systems rather than older (physical or analogue) controls. Examples of this type of train would include the Thameslink class 700 (but that's safe 'cos DfT excluded Wifi from the specification), the Crossrail (Elizabeth Line) class 345 Aventra from Bombardier and the various classes 800/801/802 Hitachi electric / bimodes on GWR and to be introduced on the East Coast Mainline, TransPennine Express and Hull Trains over the next few years.

    In addition, we're seeing the first stages of ETCS (level 2 and above) implementations starting to introduce on-board electronic signalling which will in time replace the conventional line side colour light signals across Network Rail. On the Thameslink core route (between St. Pancras International and Blackfriars) ATO (Automatic Train Operation) will be "driving" the trains in order to meet the planned increase in throughput in the next year or so. Not that ATO is in any way new, as it's been used on metro systems throughout the world, and in a simplistic form since its opening in 1967 on the London Underground Victoria line.

    Not in a position to comment on how much security has been baked into the designs of these highly complex systems. Doubtless there will be those among this community who may be able to comment further.

    1. anothercynic Silver badge

      Re: Digital Railway (Yes, really)

      Ohhhhhh, we have a RAIL reader in the house! :-)

      1. Tony Gathercole ...
        Headmaster

        Re: Digital Railway (Yes, really)

        "Modern Railways" regularly actually ... but RAIL on occasions!

        (See Roger Ford's "Informed Sources" article in the current edition for ETCS & ATO on Thameslink central core.)

        1. Steve Davies 3 Silver badge

          Re: Digital Railway (Yes, really)

          Have an upvote for mentioning Roger Ford and Modern Railways.

    2. Ken Moorhouse Silver badge

      Re: Digital Railway (Yes, really)

      I've worked on both sides of the industry (signal engineering and train-borne equipment), albeit a long time ago. (Your name rings a bell for some reason, have you worked for LUL?). The fail-safe principles underlying the Victoria line equipment (correct me if I'm wrong) are based on resonant frequency circuitry. If a well-defined pulse of a certain frequency is received then it effectively energises a switch enabling a train to move within a certain speed range, or to coast. Without the code being detected, the train stays where it is. If code is lost, the brakes are applied. Unlike car traffic where the driver of the car behind takes a chance on the bloke in front braking suddenly, the railway signalling system is designed to ensure that there is adequate distance for the train behind to brake with no chance of hitting the other train. This is all automatic, even if the driver were to collapse at the controls, safety is assured.

      I seem to remember the ETT (Experimental Tube Train) planned to use Intel 4040 CPUs, because I remember trying to suss out the Assembler code for it. LUL were extremely cautious about microprocessors in those days, to the extent of insisting that whatever CPU was used for production systems was second-sourced by a different manufacturer, so there was not total reliance on Intel. I think IBM was a second source for early 8-bit CPUs. The use of TTL was frowned upon by the development section I worked with (spiky, high-current, electrically noisy), with preference for CMOS for its higher noise immunity. Usually anything involving CPUs was "front-ended" with relays (train-borne equipment) or with mechanical interlocking frames and/or relays (trackside signalling). Even the frequency of the relays used for trackside use was specially designed to run on 125Hz (33Hz previously) AC, 125Hz being not harmonically related to the industrial 50Hz standard, meaning high noise immunity. The principle of electricity flowing = potentially ok (sorry, tripped over a pun there), no electricity = Whoa! Stop! was engraved into everyone's subconscious.

      In summary, the Underground is an incredibly safe way to get from A-B.
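The fail-safe principle described in this post (a valid code must be detected for the train to move; lost code means brakes) and the AWS behaviour paulf describes earlier in the thread (a warning that must be acknowledged within 2.7 s or the brakes go on) share one design rule: the default answer is "stop", and only positive evidence upgrades it. This added simulation, which is not any railway's real implementation and was not posted by either commenter, shows that rule in code. The speed-code table, interface names and timings other than the 2.7 s window are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Command(Enum):
    BRAKE = "brake"
    COAST = "coast"
    RUN = "run"


# Constructed speed codes: detected frequency (Hz) -> permitted max speed (km/h).
# A code that means "stop" maps to 0. Anything not in the table has no entry,
# so the lookup below yields 0 and therefore a brake command.
SPEED_CODES = {120: 0, 180: 25, 270: 50, 420: 80}

AWS_ACK_WINDOW_S = 2.7  # acknowledgement window quoted in the thread


@dataclass
class TrainState:
    speed_kmh: float
    code_hz: Optional[int]          # detected track code, None if nothing detected
    aws_warning_at: Optional[float]  # time the AWS warning sounded, None if none pending
    aws_acked: bool                  # driver has acknowledged the pending warning
    now: float                       # current time in seconds


def permitted_speed(code_hz: Optional[int]) -> int:
    """Permitted speed for a detected code; 0 for no code or an unknown code.
    This is the fail-safe core: absence of evidence is treated as 'stop'."""
    if code_hz is None:
        return 0
    return SPEED_CODES.get(code_hz, 0)


def decide(state: TrainState) -> Command:
    """Decide the traction/brake command for one sampling instant."""
    # AWS: an unacknowledged warning older than the window forces a brake
    # application regardless of what the track code says.
    if state.aws_warning_at is not None and not state.aws_acked:
        if state.now - state.aws_warning_at > AWS_ACK_WINDOW_S:
            return Command.BRAKE

    limit = permitted_speed(state.code_hz)
    if limit == 0:
        return Command.BRAKE              # no code, unknown code, or stop code
    if state.speed_kmh > limit:
        return Command.BRAKE              # overspeed for this section
    if state.speed_kmh >= 0.9 * limit:
        return Command.COAST              # approaching the limit: no traction
    return Command.RUN


def simulate(samples):
    """Run decide() over a sequence of TrainState samples and return the commands."""
    return [decide(s) for s in samples]


if __name__ == "__main__":
    # Constructed run: code present, then code lost, then an unacknowledged AWS warning.
    run = [
        TrainState(40, 270, None, False, 0.0),
        TrainState(40, None, None, False, 1.0),
        TrainState(40, 270, 2.0, False, 3.0),
        TrainState(40, 270, 2.0, False, 5.0),
    ]
    for state, cmd in zip(run, simulate(run)):
        print(f"t={state.now:4.1f}s code={state.code_hz} -> {cmd.value}")
```

Note what the code never does: it never has a branch that grants movement because something was *not* seen. Loss of the signal, an unrecognised frequency and a missed acknowledgement all fall through to the same brake outcome, which is the property the relay-based designs in the post enforced with physical de-energisation.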

  8. LeahroyNake Bronze badge

    Separate WIFI

    'Completely isolated, physically separate hardware for passenger Wi-Fi is preferable.'

    It probably is separate and the contract given to the lowest bidder. This is not news, if anything you can bet an outfit like crapita is involved and it is totally separate from the running of the train systems and implemented at great cost when a conjoined secure system that actually works could be designed and implemented for 1/4 the cost if the people on this forum had input.

    1. anothercynic Silver badge

      Re: Separate WIFI

      It's usually run by either Nomad, T-Systems, or The Cloud, mostly it's Nomad though because they've done mobile WiFi solutions for forever...

      1. Yet Another Anonymous coward Silver badge

        Re: Separate WIFI

        So you want the wireless non-wired network not be wired to the wired non-wireless network ?

        1. Anonymous Coward
          Anonymous Coward

          Re: Separate WIFI

          "you want the wireless non-wired network not be wired to the wired non-wireless network ?"

          I used to read Wireless World, but that was before geranium transistors were obsoleted.

          Now I don't even read Wired, but I do get Stack Overflow occasionally.

          1. Ken Moorhouse Silver badge

            Re: before geranium transistors were obsoleted.

            Watering them caused too many side-effects.

  9. DNTP Silver badge
    Trollface

    Simple way to break/brake a train using WiFi

    Obtain a burner phone or mobile hotspot. Set up a discoverable WLAN named something threatening like "Bonmb on Trian". Wait until someone sees it on their phone. During the chaos of the emergency evacuation, lift some wallets or something.

    If a single wifi device can take planes out of the sky, it'll shut down a train. And when somebody does this in a plane or airport out of reckless stupidity or thinking it's a great prank, the authorities usually can't even figure out who did it!

    Disclaimer: don't actually do this.

    1. Stoneshop Silver badge
      Pirate

      Re: Simple way to break/brake a train using WiFi

      Even simpler: anonymously call the train operator that a radicalised person has boarded. Worked well enough for a train headed for Berlin from Amsterdam, couple of months ago. Except that the caller wasn't thorough enough regarding the 'anonymously' part, but that only bit him a couple of weeks later.

  10. Anonymous Coward
    Coat

    Routers, Routers, Routers

    Would it be any good for Gov enforcing a new design for routers utilised in any infrastructure project?

    Hardened routers, No-Wifi-admin and No-remote-admin.

    Separate routers for public access that only connect to public networks.

    & Encryption:

    It's mind-boggling that infrastructure is on any public network, or that it is using accessible devices or even the same system type, without strong encryption. Encryption needs to be stronger than the time the longest trip takes. How long are passengers (potential hackers) on the train for? Perhaps the length of a Chunnel trip France-England.
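The three router rules proposed above (no admin over Wi-Fi, no remote admin, and a public-access router that only talks to public networks) can be written down as a packet filter. The following nftables ruleset is an added illustration, not something from the comment or from any operator; it assumes a router with three interfaces named `wifi0` (passenger SSID), `mgmt0` (a wired management port) and `wan0` (the backhaul uplink), all of which are placeholder names.

```nft
# Added example ruleset; interface names are assumptions, not a real deployment.
table inet passenger_router {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept

        # Management (ssh, https) is reachable only from the wired management port.
        # Nothing arriving on wifi0 or wan0 matches, so "no Wi-Fi admin" and
        # "no remote admin" both fall out of the default drop policy.
        iif "mgmt0" tcp dport { 22, 443 } accept

        # Passenger clients get DHCP and DNS from the router and nothing else.
        iif "wifi0" udp dport { 53, 67 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept

        # Passenger Wi-Fi may only be forwarded out to the public uplink.
        # There is deliberately no rule from wifi0 towards mgmt0, so the
        # passenger segment cannot reach anything behind the management port.
        iif "wifi0" oif "wan0" accept
    }
}
```

The point of writing it with `policy drop` on both chains is that every permitted path has to be listed explicitly; the separation the commenter wants is then a property you can read off the ruleset rather than something you hope the vendor configured.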


Biting the hand that feeds IT © 1998–2019