Schneier on Security
A blog covering security and security technology.
« MySpace and U.S. Attorneys General Agree to Fight Sexual Predators |
| Locked Call Boxes and Banned Geiger Counters »
January 17, 2008
Hacking Polish Trams
A 14-year-old built a modified a TV remote control to switch trains on tracks in the Polish city of Lodz:
Transport command and control systems are commonly designed by engineers with little exposure or knowledge about security using commodity electronics and a little native wit. The apparent ease with which Lodz's tram network was hacked, even by these low standards, is still a bit of an eye opener.
Problems with the signalling system on Lodz's tram network became apparent on Tuesday when a driver attempting to steer his vehicle to the right was involuntarily taken to the left. As a result the rear wagon of the train jumped the rails and collided with another passing tram. Transport staff immediately suspected outside interference.
Here's Steve Bellovin:
The device is described in the original article as a modified TV remote control. Presumably, this means that the points are normally controlled by IR signals; what he did was learn the coding and perhaps the light frequency and amplitude needed. This makes a lot of sense; it lets tram drivers control where their trains go, rather than relying on an automated system or some such. Indeed, the article notes "a city tram driver tried to steer his vehicle to the right, but found himself helpless to stop it swerving to the left instead."
The lesson here is that security by obscurity, combined with physical security of the equipment, wasn't enough. This kid jumped whatever fences there were, and reverse-engineered the IR control protocol. Then he was able to play "trains" with real trains.
Posted on January 17, 2008 at 3:43 PM
• 30 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
And I can't get my "universal remote" to talk to my tv...
This and the "universal TV remote" thing at CES ought to be enough to convince all 'right thinking citizens' that the only option is to ban these evil devices ...
Actually it'll probably be used as an excuse to 'encrypt' the IR codes (protected by DMCA of course) and lock out third-party remote controls.
Thomas: Encrypt the IR codes?
Don't you think encrypting the tram signal's IR codes would have been a good start? (Leaving aside whether such a spoofable, jammable medium should be used at all for this...)
"reverse-engineered?" Not neccessarily.
How about "jacked up the power and pushed buttons randomly"?
My respect for terrorists dwindles daily. You hear about all these failed attacks and here you have a 14 year old successfully making trains crash into eachother. Terrorists are so incompetent its pathetic.
Encryption wouldn't help against replay attacks, which is probably what this kid used. You would need some sort of authentication system, which IR is not the best medium for.
I'm not sure that it is "security through obscurity" at all. I just don't think security was a consideration. The year the system was designed, even if you asked "Who would want to mess with the tram track switching?" the answer would probably be "No one... It's of no use to them unless they're on the tram"....
Take a look at another system, arguably far more important: Aircraft Instrument Landing System (ILS). That is just a simple RF frequency (108MHz to 112MHz ) with a 90Hz and 150Hz carrier. There is no security (other than the physical security of current airfield antenna systems), and certainly no obscurity - it's just old tech. Back in the days "before terrorism" it probably wasn't even a consideration that someone would mess with it because "no-one would be crazy enough mess with the ILS - someone could get hurt!!!"
Take a look at
Bah - Correction: 108MHz to 112MHz Carrier with 90 & 150 Hz Modulation...
I do know the difference - just in need of coffee....
"My respect for terrorists dwindles daily."
Not much to respect in the first place. They have no clue, no class, no finesse, no sense of style, poor target selection and shoddy aim. The pointless ideology only makes it all the worse.
On the other hand, we have Mark Loizeaux saying "We could drop every bridge in the United States in a couple of days.... I could drive a truck on the Verrazano Narrows Bridge and have a dirt bike on the back, drop that bridge, and I would get away. They would never stop me." (Harper's, 1997 July)
So perhaps we should be thankful smart people almost always end up being productive, that only idiots end up as real terrorists.
I don't think he reverse engineered anything at all; many of the (more expensive) universal remote controls have a learning mode, where you hold them in front of the original remote control, and it receives and stores the signal from the original, to be replayed when the corresponding button is pressed. There is no need to mess with encoding types (there are quite a few), it just samples the signal at a sufficiently high rate to be able to replay it bit-by-bit.
The only thing he probably did, was increase the power, possibly just by shorting the LEDs current limiting resistor, or by adding a transistor and more LEDs.
"They have no clue, no class, no finesse, no sense of style"
and no finance
I find it particularly amusing that one of the comments in the first article rants about how teenaged hackers are not a reasonable foreseeable risk to have to secure a system against.
I've always been of the opinion that teenaged hackers are the baseline risk against which any system should be secured. Organized crime, governments, industrial espionage; they'll only go after you if you seem to have something worthwhile. For a teenager though, going after you is its own reward (given that the alternative is likely boredom and angst).
Good comment. Organised crime, governments etc are more likely to go around the security problem by bribing or blackmailing.
Bored teenage hackers are the ones who confront security head on, and very often find that the solution is simpler than they thought!
@John J: "Encryption wouldn't help against replay attacks, which is probably what this kid used."
Use an IV for the encryption that is composed of the device serial number and a counter value.
The receiver will have to log the last received couter for each transmitter ID.
It appears that the points at Lodz were faulty as according to the documentation available online there was a safety system preventing the points from moving while the tram was passing by (something like a pressure sensor). Perhaps this will be used by the defence of the boy as he now faces the charges.
When considering security on a system like this, it should be noted that its probably not cpu based. But most likely a PLC or at the most a FPGA (unlikely). Adding state based encryption (aka non repeatable IV) becomes quite difficult if not impossible.
As I noted elsewhere when I read the original reports, "In the case of the tram system in Lodz, the whole idea of designing a switching system with 'commodity electronics and a little native wit' is a recipe for failure."
It is apparent that security wasn't even on the list of design criteria when this thing was built.
I wondering if the IR switching system had replaced an old manual switching system where you had to have a person operate the switches manually? The new system was probably justified as a cost saving in that they could have eliminated one or more positions. I wonder if they are rethinking that decision now or especially after all the law suits are settled?
Just because something can be automated doesn't always mean that it should be esp. if the newer system is less secure & reliable.
I live in Lodz, I know our tram system from the passanger's point of view and I also read a little bit about this incident. Thus I'm going to defend our tram system.
The switching system isn't as bad as it seems. First, there's no comparison to the train or aircraft systems in possible danger to the public. We're talking about city trams - slow and moving on one way tracks. Wrong signal would most likely just send the tram to the wrong direction on the crossroads - no big deal, the driver would just hit reverse.
The teenager, however, found the most dangerous mode of operation. He switched direction when the tram was in a middle of the points - i.e. front part drove in one direction, aft part in the other, which caused derailment. The points are supposed to be safeguarded against that - there are pressure sensors under the tracks. I guess the guy tried many times before he found a faulty device.
Anyone urging to prosecute the designers: the switching systems is years old, I think it was introduced in 1970s. Way before universal remotes and other cheap, off-the-shelf equipment that could be used to control the points. At that time it was secure enough. If someone wanted to disrupt traffic, it would be much easier to physically damaged the tracks or joints. I'd rather blame the city officials or transit corporation's managers who didn't think about replacing the system before the accidents.
This is more a failure of safety engineering than one of security. The fact that it was possible for a switch to move while a train occupied the switch should have been a fundamental element of the safety case. For that to happen on a safe system there would need to be multiple component failures of which the kid's signal was just one. The security failing in the safety case would be the assumption that the IR transmission component failure would be a non-malicious event and therefore based on mean time between failure data rather than forced by a malicious intruder and therefore of vastly higher probability. A correct safety case for this gear would assume failure in the insecure communications portion and require two low-p failure components to also fail before becoming unsafe.
I'm going to add that this gem from Steve:
"This makes a lot of sense; it lets tram drivers control where their trains go, rather than relying on an automated system or some such."
...is insane. If there's a driver on the train your chance of being injured goes through the roof. Historically, automated rail systems (because they are very simple problem spaces as transportation goes) are vastly safer than anything a driver controls.
BMurray says that
"If there's a driver on the train your chance of being injured goes through the roof. Historically, automated rail systems (because they are very simple problem spaces as transportation goes) are vastly safer than anything a driver controls."
That would only be true if the automated system operates in a well controlled environment, ie. no people, animals, cars wandering across or blocking the tracks.
When the front truck goes one way and the back one goes the other, it's called splitting the switch. It can happen even when the switch is manually controlled. I saw the results of one such more than 50 years ago.
Capture your signal from one tram at one set of points and replay it at a different location.
answer 2: shared secret + time based authentication +- 5 min..;
problem 2: rapid, secure distribution of shared secret; otherwise capture of any single controller will breach the system (still better than above, but not a very good gain for the extra cost).
Does anyone actually see a decent solution to this which a) has local control from the tram and b) doesn't require more than one way communication from tram to points.
The best I can come up with is that the points can't be changed when a tram is within a few metres of them and a light flashes which direction they are going. If the light flashes the wrong way the driver stops until they start flashing the right way. To improve from that I think the best way is a centralised system; tram communicates with base; base communicates with points. Trams register to the system each day with voice based authentication via a secure mobile system such as TETRA. Unfortuantely TETRA didn't exist in the 1970s.
Regardless of what the kid did I would have along talk with the engineers and everybody involved in the project. The event only manages to bring old memories and the false sense of security we all have, "question everything" thats the only way to mitigate errors.
MC says: "That would only be true if the automated system operates in a well controlled environment, ie. no people, animals, cars wandering across or blocking the tracks."
Level crossings are always an issue but they are always a greater risk when there is a driver in the cab than when the system is automated. The best case time from detection of intrusion to emergency brake of the vehicle is always the automated case. Hoping a driver's judgement and reaction time is better than a sensor trip + calculated braking curve of the vehicle is misguided.
Certainly the sensor can fail. It is more likely that the driver will fail.
We are talking about a TRAM. This is a light rail system, with the tracks running down the middle of public roads.
I haven't been to Lodz, but I've seen trams in a few cities and I'm assuming that the Lodz trams are similar.
Perhaps you could imagine your level crossing problem 100% of the time, with no sensors other than the driver's eyes and ears (and stuff intended to stop switching the track while the tram is still on that section of track).
There's a much simpler solution than applying encryption. Trams in some European cities send electricity over the rails to make a point switch. When the tram enters the segment just before the point, the point is reset to the straight position by a pressure sensor. If an electric pulse is sent over the rails the point switches to the diverging position with a very audible click to confirm that. It's foolproof, much harder to hack (because you'd have to wire the tracks together and they are 3 feet apart), and has worked for over 70 years.
Why is anyone using such complex technologies? The Scottish city of Glasgow, from about 1910, used a simple technique whereby the driver coasted over a marker on the road if he wanted to go straight ahead, or powered gently over it if he wanted to turn off. The whole thing was worked from the 600V overhead line. No IR, no sensors, no radio, no hacking, no failures.
@I K Brunel
That system was used in Warsaw until a few years ago and was troublesome in winter: trams have electrical heating, whose current draw sometimes was enough to switch the switch. And now, when some trams have AC, switching it off for a few seconds every 10 minutes is a good way to decrease its lifespan.
As far as the problems with pressure switches are concerned, they're somewhat surprising: the signals before the switch tell the driver which way the switch points and if it is locked by pressure switch; afaik they are long enough in driver's field of view to notice that the pressure switch didn't activate, so its failures should be spotted quite quickly.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.