Researchers find a large number of security holes

Dec 29, 2015 14:03 GMT  ·  By

Security researchers who make up the SCADA StrangeLove group have identified a large number of security weaknesses in multiple components used in modern railway systems.

The group has spent the past three years on this research and has identified numerous weaknesses that affect the train signaling system as well as adjacent systems.

The researchers note that railway networks are usually not connected to the Internet, but a few security holes in some of their equipment could let attackers compromise the whole network, and an attack could then spread to other systems reachable from that particular entry point.

Vulnerabilities in railway automation and route planning components

Among the vulnerable equipment they found is SIBAS, a Siemens train protection and automation system used in the railway systems of many European countries; it is a PC-based automation system controlling various railway components.

SIBAS systems are vulnerable because they are built on WinAC RTX, a Siemens SIMATIC software PLC in which the same researchers had previously identified security problems.

The CBI (computer-based interlocking) systems used by most railways are also vulnerable. CBI components set and lock train routes and are crucial both for optimizing a railway's traffic and for preventing conflicting routes from being set at the same time (collisions).

The researchers say that attackers can crash this system, stopping a railway's operations dead in their tracks, or even set up routes that cause economic damage, or worse. Physical access to the signaling network is needed for these attacks, but an attacker can also obtain it indirectly by tricking an employee into opening malicious links or plugging an infected USB drive into a networked machine.

Train control and tracking systems are vulnerable as well

Another significant entry point for attackers is the GSM-R radio link and its SIM cards, used in some countries to report a train's location to the control center but also to manage various train functions and even to command or stop locomotives when needed.

The SCADA StrangeLove team found that a GSM jammer is enough to halt traffic: as a fail-safe, a train automatically stops when it loses the connection between its onboard SIM-equipped modem and the central command center, so an attacker who blocks the radio link turns that safety feature into a denial of service.
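The fail-safe behaviour described above, as an added example that is not part of the original article and not the researchers' or any railway vendor's code: a simulated onboard link supervisor that expects periodic authenticated messages from the control center and commands an emergency stop when the link stays silent for longer than its supervision window. The class and function names, the 6-second timeout, the 2-second message period and the jamming timeline are all assumptions made for illustration.

```python
"""Simulated fail-safe radio-link supervision for an onboard train unit.

Added example, not code from the SCADA StrangeLove talk or from a railway
vendor. It models the behaviour the article describes: a train that stops
automatically when it loses its GSM-R link to the control center. All names,
the 6-second timeout and the constructed message timeline are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class LinkSupervisor:
    """Tracks when the last valid control-center message arrived."""
    timeout_s: float = 6.0            # assumed supervision window
    last_rx_s: float = 0.0
    state: str = "RUNNING"
    events: list = field(default_factory=list)

    def on_message(self, t: float) -> None:
        """Called for every authenticated message received over the radio."""
        self.last_rx_s = t
        if self.state == "STOPPED":
            # The link is back, but the train stays stopped until an explicit
            # reset: restarting automatically would let a jammer toggle the
            # brakes just by pulsing the jammer on and off.
            self.events.append((t, "LINK_RESTORED"))

    def tick(self, t: float) -> str:
        """Called once per second by the onboard unit; returns the state."""
        if self.state == "RUNNING" and t - self.last_rx_s > self.timeout_s:
            self.state = "STOPPED"
            self.events.append((t, "EMERGENCY_STOP"))
        return self.state

    def operator_reset(self, t: float) -> bool:
        """Allow a restart only while the link is currently alive."""
        if self.state == "STOPPED" and t - self.last_rx_s <= self.timeout_s:
            self.state = "RUNNING"
            self.events.append((t, "RESET"))
            return True
        return False


def simulate(jam_start_s: float, jam_end_s: float, period_s: float = 2.0,
             duration_s: float = 60.0, timeout_s: float = 6.0) -> list:
    """Run the supervisor against a constructed timeline.

    Messages arrive every period_s seconds except while the jammer is active
    (jam_start_s <= t < jam_end_s), when nothing gets through. The crew is
    modelled as attempting a reset every second once the train has stopped.
    Returns the (time, event) tuples the supervisor recorded.
    """
    sup = LinkSupervisor(timeout_s=timeout_s)
    t = 0.0
    while t <= duration_s:
        if t % period_s == 0 and not (jam_start_s <= t < jam_end_s):
            sup.on_message(t)
        sup.tick(t)
        sup.operator_reset(t)
        t += 1.0
    return sup.events


if __name__ == "__main__":
    # Jamming from t=10 to t=30: last message at t=8, stop at t=15,
    # link restored and reset at t=30.
    print(simulate(jam_start_s=10, jam_end_s=30))
    # A jamming pulse shorter than the timeout never triggers the stop.
    print(simulate(jam_start_s=10, jam_end_s=14))
```

Running it shows the trade-off the researchers point at: the safety logic works exactly as designed, yet a jammer that costs a few hundred euros produces a stopped train for as long as it stays switched on, and a pulsing jammer can repeatedly force the stop-and-reset cycle. Shorter supervision windows make the system react faster to a real fault but also make it easier to jam into a stop.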

These SIM cards also ship with the default PIN 1234, and nothing guarantees that an operator ever changes it. Additionally, the modems these SIM cards sit in accept over-the-air (OTA) firmware updates, which a skilled attacker can hijack.

Furthermore, some GSM-R-compatible modems are also exposed to the mobile modem attacks that the SCADA StrangeLove team disclosed earlier this month.

Overall, the researchers say that although these attacks require advanced knowledge of the ICS/SCADA systems used in railways, a state-sponsored actor willing to invest the time and effort in this kind of research would find railways an easy target.

The SCADA StrangeLove team presented their findings at the 32nd Chaos Communication Congress (32C3). The presentation's slides are available on Slideshare, and the video of the talk can be downloaded from the conference's website.