Forbes.com: Security flaws in two systems used to run British trains

jon0844

I mentioned a while ago on here about some security issues with GSM-R, but it has never been widely talked about. However, a friend (he ran a magazine that I subsequently became editor of) has published a story about the problems with GSM-R that he has been researching for some time.

I'm not sure about the headline, but I guess it was for the views and also down to a sub-editor...

https://www.forbes.com/sites/simonr...-trains-on-an-insecure-platform/#2637e4d27cfa

Pwned Trains On An Insecure Platform

A teenager in a suburban bedroom could cause more chaos on the UK railway network than RMT boss Mick Cash. There are two levels of security in the system used to run British trains and they both have gaping security flaws. It would be the work of minutes to bring the network to a halt.
 
krus_aragon

A brief summary of the two gaping security flaws described:

GSMR is largely equivalent to (2G) GSM used on mobile phones, with encryption standards that were sufficiently complex in the 80s/90s that it would be infeasible to brute force them, but today it could be done with off-the-shelf commercial hardware and a bit of software know-how. Mobile phone networks have long since moved to new encryption algorithms and new transmission standards (3G, 4G), but GSMR hasn't. So anyone with a little cash and know-how could eavesdrop on the system, and make transmissions.

The ERTMS communications protocol transmitted over GSMR has its own verification methods to authenticate the origin of messages, but some, such as an emergency stop order, don't need any authentication. (This is arguably a good thing(tm), as it's generally better to overreact to an emergency message than quibble about digital signatures while you plough into another train.)

The combination of these two issues could allow a nefarious person with a laptop, radio transmitter and some software to broadcast spurious emergency stop messages to the ERTMS network. Hence the claim of being able to stop more trains than the (striking) RMT.
 

takno

Going from the summary because I won't read Forbes. They could equally call in a bomb threat, or place items on the line to derail a train. Most of these actions would result in a right-side failure anyway, and the GSM-based ones are as likely as the others to get said teenager a rude introduction to the British penal system.

Like most of the rubbish on Forbes, it's a non-story, severely overstated in an attempt to pretend there is any general interest, and probably not something it's useful to bring widespread attention to.
 

jopsuk

Whilst obviously this could cause "chaos", the one thing a rogue "emergency stop" message to all trains wouldn't be is dangerous, of course.
 

Doctor Fegg

Like most of the rubbish on Forbes, it's a non-story, severely overstated in an attempt to pretend there is any general interest, and probably not something it's useful to bring widespread attention to.

I don't like Forbes' general approach any more than you do, but Simon Rockman is a very well-respected journalist of long standing (I remember him writing for Personal Computer World and other titles in the '80s. I also remember one of his freelancers pointing out, in the pages of the magazine he edited, that his name was an anagram of Irksom Conman!).

Forbes have also recently hired Carlton Reid, a respected cycling journalist and winner of Transport Journalist of the Year at Press Gazette's recent awards. So their UK transport/technology writing should be pretty much up to snuff.
 

Llanigraham

Forbes have also recently hired Carlton Reid, a respected cycling journalist and winner of Transport Journalist of the Year at Press Gazette's recent awards. So their UK transport/technology writing should be pretty much up to snuff.

So what does he know about the railway?
 

gsnedders

GSMR is largely equivalent to (2G) GSM used on mobile phones, with encryption standards that were sufficiently complex in the 80s/90s that it would be infeasible to brute force them, but today it could be done with off-the-shelf commercial hardware and a bit of software know-how. Mobile phone networks have long since moved to new encryption algorithms and new transmission standards (3G, 4G), but GSMR hasn't. So anyone with a little cash and know-how could eavesdrop on the system, and make transmissions.

Though in the mobile case you can perform downgrade attacks on mobile phones to force them to connect to a 2G cell, which you can then trivially intercept. (Also note in some countries 3G was practically reserved for data usage, and voice continued to be carried over 2G, though I don't think any of the UK networks did this.)

The combination of these two issues could allow a nefarious person with a laptop, radio transmitter and some software to broadcast spurious emergency stop messages to the ERTMS network. Hence the claim of being able to stop more trains than the (striking) RMT.

And by way of comparison, aviation ATC is all entirely unencrypted: there's nothing technically stopping you from starting to transmit on ATC channels and attempting to cause chaos.

The deterrent in both (aviation and railway) cases is legal rather than technical: primarily the Wireless Telegraphy Act 2006 allows for up to two years' imprisonment (with an indictment, which any such case is likely to involve), and the prosecution would probably try and throw the book at you and move for other offences too.
 