back to article Hacking train Wi-Fi may expose passenger data and control systems

Vulnerabilities on the Wi-Fi networks of a number of rail operators could expose customers' credit card information, according to infosec biz Pen Test Partners this week. The research was conducted over several years, said Pen Test's Ken Munro. "In most cases they are pretty secure, although whether the Wi-Fi works or not is …

  1. TonyJ Silver badge

    I known nothing about train architecture but are the brakes really likely to be network-accessible?

    1. theModge

      If you want to talk to bit actually operational bits of train rather than monitoring or customer entertainment you'd be better off with an RS232 or RS485 dongle rather than twatting about with Ethernet. Apart from anything else when most of our current rolling stock was designed the sort of microprocessor that did Ethernet was not the sort of microprocessor you had doing engine control. CCTV and other more recently fitted stuff might use the same connection though..

      1. Walter Bishop Silver badge
        Facepalm

        Hacking train Wi-Fi may expose passenger data and control systems

        At least three people disagree with you :)

        @theModge: "If you want to talk to bit actually operational bits of train rather than monitoring or customer entertainment you'd be better off with an RS232 or RS485 dongle rather than twatting about with Ethernet. Apart from anything else when most of our current rolling stock was designed the sort of microprocessor that did Ethernet was not the sort of microprocessor you had doing engine control. CCTV and other more recently fitted stuff might use the same connection though"..

    2. katrinab Silver badge

      What I do know is that the trains I travel on were built before ethernet was invented.

      1. Tony Gathercole ...

        Bet they weren't.

        1. TRT Silver badge

          The brakes on my train are controlled by either the driver or, for emergency application only, by a radio signal at 64.25 kHz followed by another a few seconds later at 65.25 kHz or at 66.25 kHz and 65.25 kHz together. I wonder if there was confusion between AWS and AWS? One's cloud, the other's loud.

          1. Tony W

            I'm no expert on trains but my eyebrows went up at the idea of radio at 60 odd kHz, I think it would need rather large aerials. It seems to be done by magnetic induction from loops on the track.

            Is this an interesting way to force a train to stop without connecting to any infrastructure?

            1. paulf Silver badge
              Gimp

              @TWT @Tony W

              The system that uses 64 odd kHz is TPWS, a safety system that is designed to mitigate the consequences of a train passing a red signal. It is an improvement on AWS (in that it can mitigate going to fast and doesn't rely on the driver if the train doesn't stop at a red signal) but not as comprehensive as ETCS/ATP. In most cases up to 70mph (100mph for TPWS+) it can stop the train with an emergency brake application before it becomes a problem (i.e. within the signal overlap), but even if the train doesn't stop in time it can still reduce the consequences of what happens next.

              TPWS uses the two aerials in the four foot (the space between the rails) and a sensor on the train. AWS (the train one not the cloudy one) uses a unit with two magnets (one permanent one electro) which sits in that yellow ramp looking thing also in the four foot. This gives a warning to the driver when approaching a signal showing a restrictive aspect (single yellow, double yellow or red i.e. not green) and can make an emergency brake application if the driver doesn't acknowledge it within 2.7s. If the driver does acknowledge an AWS warning s/he takes the consequences of not reacting accordingly as AWS will take no further action.

              You could potentially hack either but only by getting into the signalling system proper.

    3. Grikath Silver badge

      "are the brakes really likely to be network-accessible?"

      Yes, because of the safety systems regarding signals and stuff.

      Although if you want to cause that kind of havoc and mayhem there are easier ways to get the safety protocols screaming than hacking through the train WIFI system.

  2. Starace

    Security researcher clickbait

    You really need to introduce some editorial control over reporting this 'researcher' bollocks.

    Yet again we have someone who has done some minimal proding on a hotspot, found some minimal vulnerability in a wifi billing system and then based on nothing more than utter ignorance spun this into some sort of critical systems vulnerability because there's a hotspot and it's on a train.

    Just another variation on the theme of "I hacked a plane by plugging into the infotainment but have no evidence to back my technically impossible assertion but please give me lots of coverage"

    99.9% of these stories are total bullshit by people trying to get publicity because they're idiots and don't know they're talking bollocks.

    1. 's water music Silver badge
      Pint

      Re: Security researcher clickbait

      Just another variation on the theme of "I hacked a plane by plugging into the infotainment but have no evidence to back my technically impossible assertion but please give me lots of coverage"

      Yeah sure but can you be certain that would not be possible to bridge from the train ethernet to the nuclear launch codes? Ok he may not be able to but CAN WE AFFORD TO RISK IT? Also what if the researcher had been a PAEDO?

      I've started already-->

      1. Anonymous Coward
        Anonymous Coward

        Re: Security researcher clickbait

        Yes . Will someone think of the children .

        1. TRT Silver badge

          Re: Security researcher clickbait

          What we really need to know, though, is how much is the house he lives in worth.

    2. Jason Bloomberg Silver badge

      Re: Security researcher clickbait

      You really need to introduce some editorial control over reporting this 'researcher' bollocks.

      And preferably before Ben-Gurion University comes along with some wank about how to exfiltrate passenger data by speeding up and slowing down the train to generate a bit stream which can be observed using a satellite-borne camera.

      1. Jamie Jones Silver badge

        Re: Security researcher clickbait

        He should have gone for "hack the accelerator" - far more scary than "hacked the train to be able to do an emergency stop" - especially when there are pull-cords throughout the train to do the very same.

        "Can stop a train without needing a ticket" isn't a very catchy headline.

        1. Anonymous Coward
          Anonymous Coward

          Re: Security researcher clickbait

          "He should have gone for "hack the accelerator" - far more scary than "hacked the train to be able to do an emergency stop" "

          Toyota have already been there done that with the accelerator and yet there's remarkably little visible coverage outside specialist circles. Search for e.g. "koopman unintended acceleration toyota devops".

          may lead to e.g.

          "Investigations into potential causes of Unintended Acceleration (UA) for Toyota vehicles have made news several times in the past few years. Some blame has been placed on floor mats and sticky throttle pedals. But a jury trial verdict found that defects in Toyota's Electronic Throttle Control System software and safety architecture caused a fatal mishap. This verdict was based in part on a wide variety of computer hardware and software issues. In this TSP Symposium 2014 keynote presentation, Philip Koopman outlines key events in the still-ongoing Toyota UA story and pulls together the technical issues that have been discovered by NASA and other experts. The results paint a picture that should inform not only future designers of safety-critical software for automobiles but also all computer-based system designers."

          Then again you may have to remove my devops reference, depending on the search engine you choose ;)

    3. FuzzyWuzzys Silver badge
      Facepalm

      Re: Security researcher clickbait

      "99.9% of these stories are total bullshit by people trying to get publicity because they're idiots and don't know they're talking bollocks."

      No, they're simply spouting alarmist bollocks in the hopes they'll get in the Daily Fail next week. The company name splashed all over the dailies, right in front of loads numpty middle managers? Holy heck you can't buy quality PR like that, well you can but not at the price Pen Test Partners are likely to be able to afford on a national scale.

      While I don't doubt there is a grain of truth in some of this, the fact that Mr Munro stated his points in nice, neat sound-bite sized sentances that even Vinnie Jones completely pissed could understand, rings my bullshit-o-meter off the wall. Easy Sun/Daily Fail/Mirror formatted twaddle that fits neatly into Twitter 140 char limited messages, so it can be broadcast over the media wires quickly and get attention in the worldwide media, it's classic media phishing, PR bullshit exercise.

    4. Anonymous Coward
      Anonymous Coward

      Re: Security researcher clickbait

      It's the 0.01% you have to worry about.

    5. ForthIsNotDead
      Pint

      Re: Security researcher clickbait

      @Starace

      Thank you - that saved me quite a bit of typing. Have a beer!

  3. tiggity Silver badge

    train wifi should be free

    Then there is no need to store peoples details on their system

    After all the tickets are expensive enough!

    Caveat - I try and avoid public WiFi (free or paid for) as you can never be sure of how secure it is. If I must use it I go in VPNed up to the eyeballs & do nothing sensitive.

    1. bombastic bob Silver badge
      Unhappy

      Re: train wifi should be free

      MITM would be easy to do on a train. As a joke, once, I set up my laptop [years ago] on a commuter train, when there was NO wifi available on the trains, so that my laptop was an access point (easy with FreeBSD or Linux). At least one laptop near me tried to connect to me.

      So yeah MITM in a train car would be EASY. Also as you stop at various stations, sometimes the nearby wifi is 'connectable' for a minute. Might be long enough to 'burst transfer' something. Windows boxen are often SO prolific at connecting to "something" when people leave their wifi on.

      And setting MITM up with a Linux or BSD laptop is somewhat trivial. You could even hook well-known IP addresses like 8.8.8.8 for google's DNS [for example], in case someone hard-codes the IP address for DNS rather than relying on DHCP.

      So, yeah, watch your certs and ssh fingerprints when you're on any kind of public wifi! [or else 'they' will]

  4. Hans Neeson-Bumpsadese Silver badge

    "It might be possible, and this is speculation, to lock the braking system."

    It might be possible, and this is speculation, that the claim about being able to make the leap from wifi network to controlling the train's brakes is a bit of headline grabbing

    1. EnviableOne Bronze badge

      Par for the course with PTP

      but depending on the architecture, it may be possible, like it is with the way they integrated stuff into cars.

      1. Alister Silver badge

        but depending on the architecture, it may be possible, like it is with the way they integrated stuff into cars.

        No, it really isn't.

  5. Scott Broukell

    Thing is, if somebody did manage to lock the brake system on a Southern Rail train, would anybody actually notice.

    1. Kris Akabusi

      you southerners know nothing of rail misery, us northerners have to travel on these bad boys: http://www.docbrown.info/docspics/ArchiveSteam/lococlass142.htm

      1. katrinab Silver badge

        You northerners know nothing of rail misery. Us southerners have to travel on something like this.

        1. Yet Another Anonymous coward Silver badge

          Us northerners had to invent and build the trains before we could ride on em

          1. Anonymous Coward
            Anonymous Coward

            @Yet Another Anonymous coward

            Yes but we fudged the network up.

          2. Mike Richards Silver badge
            Joke

            Bloody northerners taking the credit for a Cornish invention.

        2. Stoneshop Silver badge

          Rail Replacement Bus?

          Nah. This is not a bus, but it is what you're doing rail replacement with.

        3. cantankerous swineherd Silver badge
      2. Steve Davies 3 Silver badge

        RE: Class 142/144

        Ah, the Leyland busses on rails.

        They'll be gone soon as they don't comply with Disability Regulations.

        Sad really, because the seats on those Class 7** and 8** trains are about as comfortable as a plank of wood[1]. Be careful what you wish for,

        [1] The original Liverpool and Manchester Railway carriages had planks of wood in open trucks for passengers to sit on. Looks like we are going back to 1830.

        1. Fruit and Nutcase Silver badge

          Re: RE: Class 142/144

          Ah, the Leyland busses on rails.

          I can't remember who the presenter was, but remember seeing the Pacer units being covered on Tomorrow's World on BBC1 - in the days of Michael Rodd. The handling and ride quality issues of these stem from the fact that they have only single axles at each end of the carriage as opposed to a double axle bogie.

    2. Anonymous Coward
      Anonymous Coward

      finding a Southern Rail train actually running may be more of a challenge.

  6. Halcin

    Luxury! I would have given my right arm to enjoy riding in something like that. We have to get out and push!

    1. Sureo

      At least you have something to push.

  7. Tony Gathercole ...

    Digital Railway (Yes, really)

    Actually, while one obviously hopes that there's no basis for worries about interaction between public-facing Wifi and internal train management systems, it has to be said that recent rolling stock is heavily reliant on digial systems rather than older (physical or analogue) controls. Examples of this type of train would include the Thameslink class 700 (but that's safe 'cos DfT excluded Wifi from the specification), the Crossrail (Elizabeth Line) class 345 Aventra from Bombadier and the various classes 800/801/802 Hitachi electric / bimodes on GWR and to be introduced on the East Coast Mainline, TransPennine Express and Hull Trains over the next few years.

    In addition, we're seeing the first stages of ETCS (level 2 and above) implementations starting to introduce on-board electronic signalling which will in time replace the conventional line side colour light signals across Network Rail. On the Thameslink core route (between St. Pancras International and Blackfriars) ATO (Automatic Train Operation) will be "driving" the trains in order to meet the planned increase in throughput in the next year or so. Not that ATO is in anyway new as its been used on metro systems throughout the world, and in a simplistic form since its opening in 1967 on the London Undergroud Victoria line.

    Not in a position to comment on how much security has been baked into the designs of these highly complex systems. Doubtless there will be those amoung this community who may be able to comment further.

    1. anothercynic Silver badge

      Re: Digital Railway (Yes, really)

      Ohhhhhh, we have a RAIL reader in the house! :-)

      1. Tony Gathercole ...
        Headmaster

        Re: Digital Railway (Yes, really)

        "Modern Railways" regularly actually ... but RAIL on occasions!

        (See Roger Ford's "Informed Sources" article in the current edition for ETCS & ATO on Thameslink central core.)

        1. Steve Davies 3 Silver badge

          Re: Digital Railway (Yes, really)

          Have an upvote for mentioning Roger Ford and Modern Railways.

    2. Ken Moorhouse Silver badge

      Re: Digital Railway (Yes, really)

      I've worked on both sides of the industry (signal engineering and train-borne equipment), albeit a long time ago. (Your name rings a bell for some reason, have you worked for LUL?). The fail-safe principles underlying the Victoria line equipment (correct me if I'm wrong) are based on resonant frequency circuitry. If a well-defined pulse of a certain frequency is received then it effectively energises a switch enabling a train to move within a certain speed range, or to coast. Without the code being detected, the train stays where it is. If code is lost, the brakes are applied. Unlike car traffic where the driver of the car behind takes a chance on the bloke in front braking suddenly, the railway signalling system is designed to ensure that there is adequate distance for the train behind to brake with no chance of hitting the other train. This is all automatic, even if the driver were to collapse at the controls, safety is assured.

      I seem to remember the ETT (Experimental Tube Train) planned to use Intel 4040 CPU's, because I remember trying to suss out the Assembler code for it. LUL were extremely cautious about microprocessors in those days to the extent of insisting that whatever CPU was used for production systems was 2nd sourced by a different manufacturer, so there was not total reliance on Intel. I think IBM was a second source for early 8-bit CPU's. The use of TTL was frowned upon by the development section I worked with (spiky, high-current, electrically noisy), with preference for CMOS for its higher noise immunity. Usually anything involving CPU's was "front-ended" with relays (train-borne equipment) or with mechanical interlocking frames and/or relays (trackside signalling). Even the frequency of the relays used for trackside use were specially designed to run on 125Hz (33Hz previously) AC. 125Hz being not harmonically related to the industrial 50Hz standard - meaning high noise immunity. The principle of electricity flowing = potentially ok (sorry, tripped over a pun there), no electricity = Whoa! Stop! was engraved into everyone's sub-conscious.

      In summary, the Underground is an incredibly safe way to get from A-B.

  8. LeahroyNake Bronze badge

    Separate WIFI

    'Completely isolated, physically separate hardware for passenger Wi-Fi is preferable.'

    It probably is separate and the contract given to the lowest bidder. This is not news, if anything you can bet an outfit like crapita is involved and it is totally separate from the running of the train systems and implemented at great cost when a conjoined secure system that actually works could be designed and implemented for 1/4 the cost if the people on this forum had input.

    1. anothercynic Silver badge

      Re: Separate WIFI

      It's usually run by either Nomad, T-Systems, or The Cloud, mostly it's Nomad though because they've done mobile WiFi solutions for forever...

      1. Yet Another Anonymous coward Silver badge

        Re: Separate WIFI

        So you want the wireless non-wired network not be wired to the wired non-wireless network ?

        1. Anonymous Coward
          Anonymous Coward

          Re: Separate WIFI

          "you want the wireless non-wired network not be wired to the wired non-wireless network ?"

          I used to read Wireless World, but that was before geranium transistors were obsoleted.

          Now I don't even read Wired, but I do get Stack Overflow occasionally.

          1. Ken Moorhouse Silver badge

            Re: before geranium transistors were obsoleted.

            Watering them caused too many side-effects.

  9. DNTP
    Trollface

    Simple way to break/brake a train using WiFi

    Obtain a burner phone or mobile hotspot. Set up a discoverable WLAN named something threatening like "Bonmb on Trian". Wait until someone sees it on their phone. During the chaos of the emergency evacuation, lift some wallets or something.

    If a single wifi device can take planes out of the sky, it'll shut down a train. And when somebody does this in a plane or airport out of reckless stupidity or thinking its a great prank, the authorities usually can't even figure out who did it!

    Disclaimer: don't actually do this.

    1. Stoneshop Silver badge
      Pirate

      Re: Simple way to break/brake a train using WiFi

      Even simpler: anonymously call the train operator that a radicalised person has boarded. Worked well enough for a train headed for Berlin from Amsterdam, couple of months ago. Except that the caller wasn't thorough enough regarding the 'anonymously' part, but that only bit him a couple of weeks later.

  10. Anonymous Coward
    Coat

    Routers, Routers, Routers

    Would it be any good for Gov enforcing a new design for routers utilised in any infrastructure project.

    Hardened routers, No-Wifi-admin and No-remote-admin.

    Separate routers for public access that only connect to public networks.

    & Encryption:

    It's mindboggleing that infrastructure is on any public network, or that it is using accessible devices or even the same system type, without strong encryption. Encryption needs to be stronger than the time the longest trip takes How long are passengers (potential hackers) on the train for ? Perhaps length of a Chunnel trip France-England.

    1. SloppyJesse

      Re: Routers, Routers, Routers

      >Would it be any good for Gov enforcing a new design for routers utilised in any infrastructure project.

      Doubt it - because, um, government

      >Hardened routers, No-Wifi-admin and No-remote-admin.

      No remote admin? So you want any changes to be made by the train assistant? Or require a trip to the depot?

      >Separate routers for public access that only connect to public networks.

      At some point the 'private' stuff on the train is going to need to reach out across t'Internet. Unless you're suggesting the railways build a private wireless infrastructure for their trains? (which might not always have been as mad as it sounds - I recall stories of proposals in the early days of mobile for just that since they had a huge wired commas network for trackside)

      >Encryption needs to be stronger than the time the

      >longest trip takes How long are passengers (potential hackers) on the train for ? Perhaps length of a >Chunnel trip France-England.

      Is that a joke? Takes me longer to get to London from the Midlands than the Eurostar. Maybe London -> Scotland. There's a reason you can get a bed!

      1. Justin Case
        Joke

        Re: Routers, Routers, Routers

        @ SloppyJesse

        >>I recall stories of proposals in the early days of mobile for just that since they had a huge wired commas network for trackside

        Imagine if someone hacked that. What an apostrophe!

        1. David 132 Silver badge
          Joke

          Re: Routers, Routers, Routers

          Justin Case >>I recall stories of proposals in the early days of mobile for just that since they had a huge wired commas network for trackside

          Imagine if someone hacked that. What an apostrophe!

          That would certainly give a period of chaos and would be a dire critical situation.

      2. Anonymous Coward
        Anonymous Coward

        Re: Routers, Routers, Routers

        you'd be amazed what waits until back at depot :)

        Having worked on a project to integrate some limited networking capabilities to an older train, the biggest risk i saw was not the tech, it was the procurement policy. Vendors could "prove" their security capabilities simply by having staff who had passed the right exams, and that was enough - third-party testing too expensive, internal testing might mean slippage, and commercial would typically over-rule technical anyway.

      3. Anonymous Coward
        Anonymous Coward

        Re: BR S+T

        [Ignoring the spurious comma stories for now]

        Some readers might be interested in

        https://www.railengineer.uk/2015/08/12/uk-railway-telecommunications-2015-update/

        by Clive Kessell BSc CEng FIET FIRSE

        Note the brief mention of a radical concept, now lost in the mists of history, of an outsourced service provider paying a *significant* penalty if their service didn't match the agreed standards. Good job that never caught on, eh chaps, otherwise IT cheapsourcing would never have made us middlemen any money.

        "[...]

        The UK history of rail telecommunications over the past twenty years has been somewhat traumatic. From the earliest days, the railways were permitted to run their own telegraph systems by the then Post Office monopoly because of the operational necessity that these provided. This status quo existed for around 150 years until the Thatcher government sought to liberalise telecoms firstly with the duopoly (BT and Mercury) and latterly to any company that could provide the right credentials.

        Under rail privatisation plans, the extensive railway telecom network was formed into a separate grouping – British Rail Telecoms (BRT) – and sold firstly to Racal Electronics and from there to either Global Crossing (now Level 3) for the main networks or to Thales for everything else.

        None of these private companies really understood what they were buying and became increasingly nervous when the performance and safety requirements plus some embarrassing failures invoked penalties that questioned the value of the services they now owned.

        [...]"

  11. J J Carter Silver badge
    Boffin

    Trivial exploit

    An obvious attack vector is to take over the train control system and play pr0nz on the driver’s display. Distracted by the smut, he'll miss the red signal and the train, packed with orphan children on a trip to the seaside, will wreck. Will somebody please think of the orphan children!

    1. bombastic bob Silver badge
      Childcatcher

      Re: Trivial exploit

      naw, the 'sploiter would just need to get the train driver to start texting in order to update a web site...

      https://www.reuters.com/article/us-usa-train-crash/train-engineer-was-texting-just-before-california-crash-idUSN0152835520081002

    2. sebt27

      Re: Trivial exploit

      "Will somebody please think of the orphan children!"

      To really annoy the "think of the children" crowd, you should take over the orphan children's devices and play pr0nz on them as well. Then they'll not only die, but not go to Heaven.

  12. Cynicalmark

    Load of .....

    What a crock of shite kneejerk article. Train safety and aircraft systems are not that vulnerable.

    Fyi. To stop a train just pull the fucking red handle bullshit billy.

  13. Anonymous Coward
    Anonymous Coward

    Keep It Simple, Stupid

    There's a much lower-tech method of stopping a train, and the risk of you personally getting caught is slight enough to justify sticking around to watch it happen. Just print up some self-adhesive labels with the word FLUSH on them, and discreetly affix one of these next to the emergency handle in every toilet compartment on the train. Sooner or later, one of them will get pulled.

    Anyone who has just been is in a temporary state of bliss, operating on autopilot and easily suggestible, so they are much more likely to fall for it. Even if immediately before they began their business, they were thinking Hah! Who the hell were they expecting to fool with a stunt like that?

    Wearing the mask, just in case .....

  14. Anonymous Coward
    Anonymous Coward

    Really?!

    "Completely isolated, physically separate hardware for passenger Wi-Fi is preferable"

    But.. completely necessary, given the correct configuration! How hard is it to set some goddamn basic firewall rules and a couple of VLANs!? On most *consumer* grade routers, you can turn off Wireless Client Separation as well as create firewall rules. Nobody on the public WiFi should be able to log into the router, regardless - Just sounds like piss poor setup to me.

    1. Ken Moorhouse Silver badge

      Re: some goddamn basic firewall rules and a couple of VLANs

      In my days at LUL, those concepts would never be entertained unless there were optoisolators separating circuitry.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019