Schneier on Security
A blog covering security and security technology.
« 276 British Spies |
| Code Signing »
September 1, 2005
The Keys to the Sydney Subway
Global secrets are generally considered poor security. The problems are twofold. One, you cannot apply any granularity to the security system; someone either knows the secret or does not. And two, global secrets are brittle. They fail badly; if the secret gets out, then the bad guys have a pretty powerful secret.
This is the situation right now in Sydney, where someone stole the master key that gives access to every train in the metropolitan area, and also starts them.
Unfortunately, this isn't a thief who got lucky. It happened twice, and it's possible that the keys were the target:
The keys, each of which could start every train, were taken in separate robberies within hours of each other from the North Shore Line although police believed the thefts were unrelated, a RailCorp spokeswoman said.
The first incident occurred at Gordon station when the driver of an empty train was robbed of the keys by two balaclava-clad men shortly after midnight on Sunday morning.
The second theft took place at Waverton Station on Sunday night when a driver was robbed of a bag, which contained the keys, she said.
So, what can someone do with the master key to the Sydney subway? It's more likely a criminal than a terrorist, but even so it's definitely a serious issue:
A spokesman for RailCorp told the paper it was taking the matter "very seriously," but would not change the locks on its trains.
Instead, as of Sunday night, it had increased security around its sidings, with more patrols by private security guards and transit officers.
The spokesman said a "range of security measures" meant a train could not be stolen, even with the keys.
I don't know if RailCorp should change the locks. I don't know the risk: whether that "range of security measures" only protects against train theft -- an unlikely scenario, if you ask me -- or other potential scenarios as well. And I don't know how expensive it would be to change the locks.
Another problem with global secrets is that it's expensive to recover from a security failure.
And this certainly isn't the first time a master key fell into the wrong hands:
Mr Graham said there was no point changing any of the metropolitan railway key locks.
"We could change locks once a week but I don't think it reduces in any way the security threat as such because there are 2000 of these particular keys on issue to operational staff across the network and that is always going to be, I think, an issue."
A final problem with global secrets is that it's simply too easy to lose control of them.
Moral: Don't rely on global secrets.
Posted on September 1, 2005 at 8:06 AM
• 32 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
In my opinion the security decision is quite rational:
The main risk is damage caused by unauthorized operation of a train. Using locks may prevent charges of negligence. If there were different keys for every train there would be a logistical nightmare with key distribution. (If electronic key distribution is hard then ...)
A possible solution might be an electronic authentification & access control system which identifies each driver and allows easy revocation of credentials.
As such systems are quite expensive, prone to malfunction and no not significantly reduce legal exposure, a global key may indeed be a rational security solution.
@ The Ins. Co.
One of the articles implies the risks are mitigated by other measures - So, why have a key at all? For me, the important point to glean from this is that global secrets are brittle. They are "seemingly" useful until one event renders them useless.
Agree - global secrets are brittle. However, they do serve a purpose. There's an analogy with fences.
High fences are meant to keep people out. They won't defeat a determined attacker, but they're generally useful and are widely deployed.
Low fences just demarcate a boundary. An attacker can easily step over them, but will have a clear feeling of having crossed a line.
Different fences have different costs, and keep different classes of people off the lawn. A low fence is sometimes the right choice.
@ Dave M
Yes, they do serve a purpose - but only for a short time... until the secret is out. Then it becomes vitually useless. Adding insult to injury - if the secret was a keystone in the security concept then the whole house of cards falls.
But I'm not sure I'm clear on the fence analogy.
You're right. When the key is out/compromised/stolen, then a system based on a global secret is virtually useless.
My point is that a low fence is also virtually useless - you can just step over it. So why are low fences used at all?
They do achieve something - they draw a line.
There are other ways of doing this. For example, a clear 'staff only' sign on an unlocked door is an even lower, cheaper, fence.
The article claims that there was a directed attack on the key the first key. If this is true, it seems to me that every other fact needs to be evaluated in light of that fact.
The thieves must have had some purpose. They came prepared to steal these keys. They must be expecting to get something from the theft.
Extortion? Probing the security? Do these keys work for other trains in other cities? Are there similar keys in other cities?
"In the remote possibility that a road train did get on the network we are able to instantaneously pull the electricity from part of the overhead on the network." Well, yeah, if you are still in control of the network control center.
Neither the article nor the RailCorp executive inspire me with much confidence. They show a real failure of imagination.
There is a fairly extraordinary fact alleged in the article, plus a remarkable coincidental theft. Some explanation of these facts ought to be considered, especially in light of the pattern of terrorist bombings of trains in countries that have supported the US invasion of Iraq.
I'd be more concerned than the writer or the officials appear to be, but maybe I just don't understand the Aussies.
I've said this before, but locks are designed to keep honest people out. The keys shouldn't be used alone to keep trains (or whatever) secure. The keys should be used to prevent people from unrestricted access. They should change the locks, but leave it so the key can open a train door, but won't allow you to unlock it to get out so they can catch these guys. I don't see why all the trains have the same key. If the different trains are put in smaller groups, each with their own key, that would put a stop to it. The military (US) uses compartmentalization to prevent a security breach from haemoraging. (Whee, I used two really big words!!)
Dave M -
Ok, I can go there with you. Absolutely, a fence can be a good thing - it is one method to serve as boundary designation (as can clearly posted signs). And they can help as a piece of an overall security program.
For instance, for our ICBM launch facilities, we use fences. But we have to understand that they only keep out the cows and the casual observers (small animals can still a be a problem!). Anyway, I am happy that the original designers of the ICBM fleet understood the concepts of Defense in Depth (People, Technology, Operations). The fence is by no means the only line of defense.
"global secret" should be an oxymoron. The cost of key management is usually what results in weak or missing controls. So what's the real cost of replacing 2,000 keys/locks on a regular rotation, versus building a system with logging/alerting/revocation, etc.? And what's the real cost of a runaway train?
Moreover, I thought trains were starting to require biometrics so the engine would not run unless the driver's finger was on the trigger, so to speak. I seem to remember something about this helping with sleepy drivers as well, which would help justify the cost.
Having a master key to open all locks is a stupid solution to a nonexistent problem. Why would any one person have a need to be able to open every lock with a single key? Sure, anyone holding such a key would find it very convenient, but that convenience comes at a price. Would an FDNY firefighter need a single key that would open every lock in New York City? That sure would be convenient, but what if a copy of that key got in the wrong hands? The risk of having many unknown people having total access to everything is not just inviting trouble, but begging for it.
And now, with the subway master keys stolen, a limitless number of duplicates can be made, so 'recovery' isn't even an issue.
The decision not to fix the problem tells me managerial convenience trumps all aspects of security.
I just caught this bit, mentioned by Bob Dobolina above, which seems to a be a critical aspect of the train security strategy:
"In the remote possibility that a road train did get on the network we are able to instantaneously pull the electricity from part of the overhead on the network."
But then they go on to say "it is a concern that [the thieves] are able to access other parts of the carriages".
In that context, I wonder why thieves would prefer a key to a lock-pick attack...is it so they can appear to be an official and open the other parts of the carriages during operation? To hide during operation?
The problem with this article is, there's nothing to either criticise or compliment in RailCorp's actions. They say they'd rather use security guards than change locks (either to another master key or, gasp!, a more flexible setup) ... but they don't say WHY.
Maybe they've got excellent reasons for this. Maybe they don't. No way of telling.
I listened to a radio interview where the RailCorp spokesman noted that the PURPOSE of the keys was not to provide security for the train (other mechanisms do that) but to protect the driver and control cabin from the general public. i.e. it seems the keys unlock the driver's compartment door. The fellow stated that RailCorp's concerns are on staff safety (assualt from the public) and vandalism. Sure, it seems that now two potential attackers can more easily access the driver's compartment, perhaps when the train is in use - but the keys wouldn't be much of an advantage over other methods for someone seriously intent on their task.
On a similar theme: http://www.abc.net.au/news/newsitems/200504/...
Excellent link. I especially appreciated the part about the thief "travelling around on the trams for some time...observing the drivers and observing the operating procedures" in order to "pick up the finer points" of driving a train. He not only dressed the part but was able to switch the tracks en route. A Frank Abignale (professional ID thief) in the making? Or just a really weak authorization system?
The problem with having multiple sets of keys is that you need to keep the key and the train in synch. Drivers drive more than one train (and more than one per day as well) and making sure they always have the correct set of keys is difficult. A master key means you can just give the driver one key and he can use it on any train.
There's enough delays on the trains as it is... it'd be even worse if they also had this problem: "The train on platform 4 is delayed because the driver can't find the keys..."
The interesting thing is that a few months ago there was a big fuss about how the police don't have the keys to the trains, so in the case of a "Terrorist Attack" the police need to get hold of the station master (or some other RailCorp employee) in order to get access to a train.
I have no big issue with that. But if the keys were important to keep them away from the police, then it would seem that this loss is significant.
i.e. Either the keys are not a critical part of the security of the system, in which case it is reasonable to provide emergency services with a copy of the keys, or the keys are critical in which case this loss is a big deal.
My feel is that the keys are that important. I imagine that they're mostly there to stop kids from vandalising the insides of carriages that are parked in railyards overnight (they already vandalise the outside quite regularly), and it was considered to be too much effort to provide and track copies of the keys given to police.
Visions of malcontents taking over a transport system after cleverly targeted key thefts is a "movie plot" scenario.
The value of keys when used in a system like this is not in security, it's in perception. They serve two purposes: They are totems of authority, and are and effective deterent to the nussiance of ramdomites walking into your workspace every morning to ask directions to the closest sunscreen shop. If your cubical was located in a train station, you'd damn sure wish it had a lock and key even of the flimsiest sort.
Back to the totems: Keys in this sort of situation are symbols, both to the general public. (Blokes got the key to the train, must be the driver) and to the train driver as a physical reminder of responsibility.
The system authorities have to say they are "taking this threat seriously" That's what authorities are supposed to do. They can't very well issue a statement saying "Not to worry, the keys are just for looks, and to keep you slobs from hassling the drivers" now can they?
There may or may not be security problems with the Sydney train system, I truly have no idea, but we can rule out missing keys.
don't know if its true, but I heard all the police-issue handcuffs in Queensland use the same key. Makes sense to me.
Ok, I buy that line of reasoning, except for the fact that someone wanted the keys. What for?
Er, if all the keys are the same, why steal two sets?
What would be the implications of the thieves publishing the keys on the 'net?
A truly 'global' secret :-)
I guess the 'low fence' theory still applies, you'd have to manufacture the key before you can use it.
I don't have enough information to discuss the possible intent of the key thefts, but in general:
1. Unauthorized access? In general, all of the critical bits of transit trains are accessable from the exterior of the vehicle. As for leaving a bomb, I personally would choose a train in service, and therefore would not need a key.
2. Hijack? I suppose having the keys might make this easier, but trains are very poor hijacking targets. I trust there are anti-collision controls other than the driver?
3. I don't see any reason to assume the train keys were the target of the thefts.
Overestimating the intelligence of an adversary is just as dangerous as underestimation.
If someone tried taking over a train for hostages and such, they wouldn't need the key. If there are people in the train, then it's running, so if it needs the key, it's there.
The key can provide access to the trains when they're not running so a terrorist could plant a bomb, potentially. However, the alternative would not be choosing a different attack (unless the terrorist had very few resources and could only create mild anti-personnel weapons); the alternative would be putting a bomb in the undercarriage of the train so the whole thing derails, potentially taking another train with it and probably killing many more people than anti-personnel munitions inside the carriages.
So having the keys available might save lives, but sane protections around the parked carriages would do much more.
Re your point 2: I am not an expert on Oz rail systems but my experience in the UK would suggest that there may be mechanisms deployed for preventing collisions but it is no way a given. Generally, the driver is the anti-collision device. (His motivation is that if a collision occurs - he is likely to "experience" it first. An obvious weakness in the age of suicide bombers.)
It seems to me that it would be possible, having got the keys to mount a 9/11 type of attack during normal train operation. Given a uniform and the key, an attacker could enter the driver's compartment, close the door, overpower the driver and slam the train as quickly as possible into the back of the next train as it's stationary in a station. Significant caualties would result and as was shown in London, a coordinated attack can be very effective.
Perhaps the most effective mitigation would be to put a bolt on the drivers side of the door to prevent entry during operation.
Perhaps it's misdirection. Maybe the Opera House is the target...
As has been said, without more info it's all speculation.
From the discussion here, I think we can all agree that the theft of a whole train is unlikely, given the low level of practicality. But what about theft of pieces of a train? A quick Google scan shows that RailCorp recently bought a number of new trains equipped with rather sophisticated computer control and monitoring systems. I would think that sort of equipment would be worth a fair bit if it could be removed. For that matter, there may be all sorts of valuable components that could be removed if a motivated thief had ready access to the interior of a train. The articles don't say anything about how or where the trains are secured when they're not running so we don't know how much of a risk that might be, but I'd guess it's probably a lot higher than the risk of train theft.
Hijacking a train would seem to be the target. Taking one already in service. Use the keys to get into the driver compartment then take over the train. Such a hijack would not be seen untill the train had passed multiple red lights. Objective to maybe ram another train or cause maximum disruption by bringing down one of the over rail shopping centres. This would have to be done in rush hour to ensure another train was on the track and on an open line. An alternate wold be one of the coal trains at one of these structures. The intersection of illawarra and east hills lines at the new overpass would block 2 lines and damage airport transport, a 3 in one.
"Hijacking a train would seem to be the target."
Anyone remember The Taking of Pelham 123?
Again, I'm surprised by the focus on these trains, and their keys.
How many similar systems (trains, etc) have "push-button" access and starters? Does every aircraft around the world have a unique physical key to unlock the door and start 'er up? Every piece of heavy construction equipment? Why do we suddenly think the situation is worse, simply because a minor additional security step was taken, then diminished?
And there are still occasionally incidents where people drive off in the wrong car because their own set of keys worked. (Although I've never seen a definitive answer for how many unique cuts General Motors actually did use in the past, rumours suggest that it was a relatively small number.)
Maybe I'll have to go watch "The Great Train Robbery" (1979) to remind myself what a determined individual can accomplish.
Paul, people who take your car by mistake when their key fits are not going to do anything but be sorry when the mistake is recognised. People who take train keys must have a target in mind. If taking train keys becomes an acceptable (common) practice then why bother with train keys? Back to the small fence argument! Back to potential terrorism.
The idea of terrorism is to create as much chaos and fear as possible, if people die in the process then that is an extra, particularly when the circumstances are so apparently normal that they can be related by all as possibly fitting their own day to day routines and situations.
Make no mistake the theft of keys that can activate any train on the Sydney network must be a cause for great concern. Why would anyone want train keys, maybe setting up a garden railway? Vandalism can be performed without taking keys, just look at the spray graffiti and seats alongside the tracks right now and these are Sydneys own sons and daughters doing this. Why need keys?
We have seen that development of terrorist acts is not a rushed thing, each act is a quietly and slowly developed plan that is thought through to its conclusion and beyond for future use. So far no idea of the acts has been suspect by authorities, why? because the planning is complex and odd things happening are far and few between so not seen to be related, or they cannot be responded to and the authorities pray that nothing will happen.
So, the keys that will open and operate Sydney trains have been stolen. Is this, in itself, the terrorist act? Or is this part of a greater plot? A plot which will be come clear in later days, weeks, months or years. Don’t forget that the Japanese attack on Pearl Harbour was in print by its architect Yamamoto when he was a Japanese Naval Attache to the US in the 1930s , it clearly outlined a plan and objectives, luckily the objectives were not all met, but that is a different story.
If I was interested in train key solutions, I would put a 10cent fence type sliding bolt on the drivers side of the door (pop rivets OK) so no stolen key could be used to hijack a train when in service, I would have had this done last week. Nothing much can be done to improve the electronic system, communications or train placement knowledge in a short term, these things are either there and in place or take months to plan and implement if not years. So the short term security solution has to be quick and simple, keep doors locked and bolted. No access to a drivers compartment once the driver is in place and driving. I would also put a delay of 2 to 3 minutes into the control systems to ensure a train cannot be reversed without a delay. This would ensure any hijacked train is not taken out of a station normally and then reversed into a following train. but of course we have all this covered, don't we?
I think that too many contributors to this thread have been seduced by the idea that train-keys have some kind of magic quality that they don't, in fact, posess. In all the forms in which I have encountered them (I'm a former railway engineer in the UK) they serve the sole purpose of being a low-level deterrent to casual trouble makers, nothing more.
Any serious or moderately knowlegeable attacker can cause major disruption on a railway system with or without train keys, or location-cupboard keys or any of the many other multiply duplicated keys that float around a railway system in unavoidably large numbers.
A real-life case, which is close enough to some of the scenariois being dreamed up here to be relevant, occured in North London some ten years ago: Two diesel locomotives were parked overnight at the Cricklewood sidings. Vandals gained access to the locomotives and released the parking brakes. The two locomotives rolled to the end of the sidings, through the buffers and down a steep enbankment onto a major road junction, very nearly causing serious loss of life.
Whether the vandals had access to train keys or not was irrelevant in that scenario - they could have accessed the unattended cabs without keys, simply by smashing a window, should they have desired. They did not need keys to start the locomotives engines, as it was enough to unscrew the parking brakes of the locomotives and run off (think of smashing the passenger window of a BMW parked on an incline, releasing the handbrake and then running away - no key needed and neither the car alarm nor the steering wheel 'club' would be of much use).
A terrorist/criminal without access to explosives can achieve more disruption and potential loss of life, more reliably, simply by placing a small truck or similar impediment on the track bed on a high speed section of line, than by engaging in some movie-plot scheme to hijack a train and drive it at full speed in the hope that he'll hit another train before reaching the next train-stop cock, trap points or siding, or before the control room removes the traction current from the section he's in, or diverts him down an empty branch-line.
My main point is not so much that such an attack wouldn't work (although as I note above, it would have far more chances of not working than many would expect, due to the fail-safe nature of railway systems), but more that securing effectively against all possibility of it would be prohibitively expensive; Jim's suggestion of a 'delay' circuit when reversing a train is a good example - it would impact routine operations on most commuter railways quite stunningly. Inner bolts on drivers cab doors also have certain operational and safety issues that may make them undesirable.
"Anyone remember The Taking of Pelham 123?"
Interestingly enough, it was shown on a cable channel in Sydney quite recently. Maybe it's _literally_ a movie plot scenario!
My solution: This is basically a (physical) key management problem. In most scenarios today, the best solution is electronic locks, which have such delightful features as allowing instant revocation of lost or stolen keys, and giving everyone access to everything he requires without needing dozens of keys. It has, however, been suggested that electronic locks might not be reliable enough for this application. I have no idea if that is true or not, but certainly CityRail might not be able to afford it. So here is a cheap physical solution. Please comment if you see any holes.
There are essentially two scenarios where the train must be locked: when it is left at a depot while not in use, and to prevent access to the driver during operations. These scenarios have quite different properties and should be solved separately. By doing that, they both become simple.
In the depot, trains could be secured by removable locks (probably, but not necessarily, shrouded padlocks), which would be used to lock the drivers' doors, brakes, and control panel. The padlocks remain the property of a particular depot and are completely removed by depot security staff when a train returns to operations, e.g. in the morning. (With 3 closely spaced locks per locomotive car, this would take only a few seconds.) Because the padlocks are associated with a physical place, there is no need for global keying, and every set of three padlocks could be keyed differently. Various traditional methods exist for managing such a system (colour coding, key presses, day books etc.), the key point is that the locks must not leave the depot. Any time a key goes missing, the depot responsible for it just needs to re-key three padlocks.
A slight variation of this is that keys are associated with a place, but only while in use: these locks are normal fixed locks, but remain unlocked (with the key in a key press in the driver's compartment) during operations. When the train is parked for the night a depot security guard locks it up and secures this key, and enters the key & train serials in the day book. In the morning the the day book is checked, key retrieved from the safe, train unlocked, and the key again secured in a key press in the driver's compartment. (If you do this version, make sure the key is attached to a large red ball so no-one can absent-mindedly go home with a key in his pocket.)
In operation, the driver's compartment could be secured by a simple bolt as others have suggested. Now a concern has been raised that this might create a safety issue, for example if the driver collapses. However, even with the current arrangements only one other person on the train (the guard) can get in without breaking down the door. So a solution might be to key every train uniquely, and keep a key behind a glass panel in each of the driver's and guard's compartments. In the event of either collapsing the other can rescue him (locking his own door behind himself to thwart opportunists); these keys serve no other purpose, and normally the bolts on these locks are only ever thrown by hand, from within the compartment. (Yes, this requires that the locks be deadbolts to avoid accidentally locking yourself out, but I believe they already are.)
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.