Train technology is so old it should be futureproof. The lumbering iron giants cover much of the world, carrying billions of tons of freight and billions of passengers. Since the first trains were introduced just over two centuries ago, trains have adapted to increased use, world wars, and natural disasters, and engineers have still made the mechanical beasts work. Now, security researchers in Germany have found a new foe with which trains must contend: hackers.
Many of the risks stem from new, internet-dependent automated systems. Motherboard reports:
The issues included lack of authentication protections, systems using very old operating systems, and hard-coded passwords for remote access.
There are also worrying design choices in the trains themselves, such as having entertainment devices for customers and engineering systems on the same network, meaning that accessing the former may lead to a compromise of the latter.
The flaws were exposed by German white-hat security researchers SCADA Strangelove, who have previously looked at security flaws in green energy systems and smart grids. Their presentation, entitled “The Great Train Cyber Robbery,” was given at the Chaos Communication Congress in Hamburg on December 27th. It details the change from simple mechanical rail-switches (think levers thrown on tracks in old-timey movies) to more automated means. One problem is that some switches require constant access to the internet, and if that signal is lost the trains stop automatically. More embarrassing, for one of the train systems they looked at there were still default passwords associated with admin accounts, leaving access to the system wide open.
Their discoveries are detailed in a 110-slide presentation, though not in so much detail that an attacker can figure out exactly which trains to target. In their presentation abstract, SCADA Strangelove clarifies, “No vendor names and vulnerabilities details will be released, for obvious reasons.” While trains can’t be commandeered and stolen like other vehicles, there is still plenty that can go wrong if a malicious attacker takes control, with delays at a minimum and train-on-train collision as the scarier risk.
Fortunately, just because it can be done doesn’t mean it’s likely. There’s no obvious profit in delaying trains, and getting into the systems to find the vulnerabilities is a time-intensive process.
Which is to say: man-machines in electric cafes will still need to do some kraftwerk in computer world to figure out how to turn radio activity into trans-europe distress. Then, and only then, does it make more sense to take the autobahn.