32c3 A trio of Russian hackers say core flaws in rail networks are opening trains to hijacking and derailment and have published dozens of hardcoded industrial control system credentials to kick vendors into action.
Industrial control specialist hackers Sergey Gordeychik, Aleksandr Timorin, and Gleb Gritsai did not describe the bugs in detail, since that would allow others to replicate the attacks, nor did they reveal the names of the affected rail operators.
Flaws affect various systems including mobile communication and interlocking platforms that control braking and help prevent collisions.
There are also possible paths between trains' operational systems and passenger entertainment systems, they say.
Overlooked bugs in device drivers, even in apparently benign applications, can also be exploited by clever attackers into more powerful vectors: "If somebody can attack the modem, the modem can attack the automatic train control system, and they can control the train," Gordeychik says.
In place of vulnerability details, they showed the December Chaos Communication Congress in Hamburg a blank screen.
The flaws follow a tune common to all utility sectors: decades-old industrial control systems once fragmented and offline have been networked to introduce better functionality, but the insecurities of antiquity remain.
These flaws expose physical systems like power grids, dams, and trains to unauthorised external modification in ways largely unknown to those outside of the security industry.
Rail utilities have networked trains, stations, and ticketing systems, with increased complexity on European trains like Eurostar, which has various systems for entering different countries.
The team says human programming errors are responsible for various remote code execution holes which could affect interlocking systems.
The gossamer upside is that the control systems often use proprietary protocols that may require specialist industry training to navigate, representing a dead-end for dogged hackers.
Some documentation can be found online however.
That open source material is now more valuable with the release of a database of 37 hardcoded credentials giving hackers access to programmable logic controllers, gateways, and servers.
"We are releasing the list to force vendors to not use hardcoded and default passwords," an irritated Gordeychik says.
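The defensive counterpart to a list like that is an inventory audit that flags devices still running on default or shared credentials. The following Python is an added illustration, not code from the researchers or from this article; the vendor and model names, device names, passwords, and the default-credential table are all constructed placeholders, and the audit rules (default credential, empty password, internet-reachable management interface, credential shared across devices) are assumptions about what such an audit would check.

```python
"""Audit a device inventory for hardcoded, default or shared credentials."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed default-credential table: (vendor, model) -> set of (username, password).
# These are hypothetical placeholders, not the list the researchers published.
DEFAULT_CREDENTIALS = {
    ("ExampleVendor", "PLC-100"): {("admin", "admin"), ("admin", "")},
    ("ExampleVendor", "GW-20"): {("root", "root")},
    ("OtherVendor", "HMI-7"): {("operator", "operator")},
}


@dataclass(frozen=True)
class Device:
    name: str
    vendor: str
    model: str
    username: str
    password: str
    internet_reachable: bool  # management interface exposed beyond the control network


@dataclass(frozen=True)
class Finding:
    device: str
    issue: str
    severity: str  # "critical", "high" or "medium"


def audit_device(d: Device) -> list[Finding]:
    """Per-device checks: default credential, empty password, exposure."""
    findings: list[Finding] = []
    defaults = DEFAULT_CREDENTIALS.get((d.vendor, d.model), set())
    if (d.username, d.password) in defaults:
        # A default credential on an internet-reachable device is the worst case.
        severity = "critical" if d.internet_reachable else "high"
        findings.append(Finding(d.name, "default credential in use", severity))
    if not d.password:
        findings.append(Finding(d.name, "empty password", "high"))
    if d.internet_reachable:
        findings.append(Finding(d.name, "management interface reachable from the internet", "high"))
    return findings


def audit_inventory(devices: list[Device]) -> list[Finding]:
    """Run per-device checks, then flag credentials reused across devices."""
    findings: list[Finding] = []
    by_credential: dict[tuple[str, str], list[str]] = {}
    for d in devices:
        findings.extend(audit_device(d))
        by_credential.setdefault((d.username, d.password), []).append(d.name)
    # One leaked password should not open several controllers at once.
    for names in by_credential.values():
        if len(names) > 1:
            for name in names:
                findings.append(Finding(name, f"credential shared with {len(names) - 1} other device(s)", "medium"))
    return findings


# Constructed sample inventory (hypothetical devices and credentials).
INVENTORY = [
    Device("plc-yard-01", "ExampleVendor", "PLC-100", "admin", "admin", True),
    Device("gw-depot-02", "ExampleVendor", "GW-20", "root", "root", False),
    Device("hmi-ops-03", "OtherVendor", "HMI-7", "operator", "Xk9!q2vR7#pL", False),
    Device("plc-yard-04", "ExampleVendor", "PLC-100", "admin", "admin", False),
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


def report(devices: list[Device]) -> list[str]:
    """Human-readable lines, most severe first."""
    findings = sorted(audit_inventory(devices), key=lambda f: (SEVERITY_RANK[f.severity], f.device))
    return [f"[{f.severity.upper()}] {f.device}: {f.issue}" for f in findings]


if __name__ == "__main__":
    for line in report(INVENTORY):
        print(line)
```

On the constructed inventory this yields six findings: the exposed PLC on its default credential (critical, plus an exposure finding), the gateway and the second PLC on defaults (high), and the two PLCs sharing one credential (medium). The HMI with a unique, non-default password produces nothing.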
The accomplished team known as Scada Strangelove have helped take 60,000 vulnerable industrial control systems off the internet.
Attack vectors against computer-based interlocking include attacks against workstations … attacks against networking gateways that connect interlocking to the rest of the world, and communications between CPU and object controllers and wayside devices.
Gordeychik says the threat model used in most enterprises does not apply to rail and other industrial control systems.
"When we discuss computer security we often talk about integrity, availability, and confidentiality, but this does not work in the industrial world," Gordeychik says.
"The first threat is to safety, or cyber-physical … the second is economic threats to impact efficiency and revenue, and the third is threats to reliability."
Operators are aware of the risks and are working to fix them, the trio says.
For example, one popular European operating system, SIBAS, was upgraded to move off old proprietary operating systems and bolster its security framework. ®