Railroads at Risk of Remote Hijacking

Jul 11, 2024

Introduction

It’s a familiar plotline in Hollywood movies: the protagonists need to stop and hijack a train carrying high-value national or military assets, and the audience is treated to an action scene of them pulling it off. It may sound fantastic, but such scenarios occur in real life too. Nation-state APT groups are now attempting to replicate them by exploiting security vulnerabilities in railroad telemetry systems. For instance, in July 2021, Iran’s railway network suffered a cyberattack from the fierce nationalist hacker group Gonjeshk-e-Darande. In April 2024, Russian APT groups attempted to infiltrate the railway control systems of Poland and the Czech Republic to disrupt European rail support to Ukraine. These attacks highlight the growing threat to rail security as geopolitical tensions escalate. This article aims to help readers understand these attack strategies so that rail cybersecurity threats can be prevented.

Practical Application of Emergency Braking

In an emergency situation, such as when someone falls onto the tracks or if there’s an obstruction ahead of the train, activating the emergency brakes can be the difference between life and death. Emergency braking systems are far more powerful than the train’s standard brakes as they simultaneously cut off the train’s engine and apply the maximum brake force. Modern trains are equipped with emergency braking systems that passengers can activate from special compartments or by pulling a cord. However, in these modern trains, not only can passengers activate the emergency brakes as intended, but attackers near the railway can also falsify emergency brake signals, posing a new security risk for physical train hijacking.


Past Security Research on Railroad Telemetry Systems

At DEFCON 26’s Wireless Village, researcher Eric Reuter detailed the design and operation of railroad telemetry systems. Keeping every car of a long train at the same speed is challenging: if the last car moves faster than the first, the cars collide; conversely, if the last car is slower, the train could split in two. To address this, classic train design includes End-of-Train (EOT) and Head-of-Train (HOT) components to ensure all cars move at the same speed.

Reuter further noted that communication between the EOT and HOT devices occurs via radio frequency (RF) signals, which can be sniffed and decoded. EOT devices, attached to the last car, function as IoT sensors: they monitor brake pressure and speed and transmit the data to the HOT device on the lead car. Additionally, EOT devices provide flashing red marker lights to warn passersby and can vent the brake pipe to trigger an emergency brake application when the HOT device requests it. Consequently, attackers can intercept these signals using devices like HackRF and send falsified emergency stop commands.

Reuter’s research reveals that anyone with a HackRF device can capture and decode these RF signals, which operate between 452.9 and 457.9 MHz using FFSK. Decoding exposes data such as device battery status, brake pipe pressure, valve circuit status, and marker light status. The only protective measure in the EOT/HOT design is BCH coding, an error-correcting code that protects the data against transmission errors but does nothing to verify who sent it, so it does not prevent signal spoofing. Because the signal source is never authenticated, attackers near the railway can use RF devices to send falsified emergency stop commands, stopping a train remotely without ever being on board.
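To make the distinction between integrity and authentication concrete, the following added example (not code from the original article, and not the real EOT/HOT air format) models a constructed telemetry frame two ways: once with an integrity-only check (CRC32 standing in for the BCH code) that any transmitter can compute, and once with a keyed HMAC plus a monotonic sequence counter, which is the kind of signal source verification the article calls for. The field layout, unit id, key and command value are all assumptions for illustration.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed frame layout for illustration only; NOT the real EOT/HOT air format.
# unit_id(2) seq(2) brake_psi(1) battery_pct(1) valve(1) marker(1) cmd(1)
LAYOUT = ">HHBBBBB"
NAMES = ("unit_id", "seq", "brake_psi", "battery_pct", "valve", "marker", "cmd")
CMD_EMERGENCY = 1      # hypothetical emergency brake request code
TAG_LEN = 8            # truncated MAC length in bytes

def _payload(**f):
    return struct.pack(LAYOUT, *(f[n] for n in NAMES))

def _parse(payload):
    return dict(zip(NAMES, struct.unpack(LAYOUT, payload)))

def encode_integrity_only(**f):
    """Integrity-only frame: CRC32 stands in for the BCH code the article describes.
    Any radio can compute it, so it proves nothing about who sent the frame."""
    p = _payload(**f)
    return p + struct.pack(">I", zlib.crc32(p))

def decode_integrity_only(frame):
    p, crc = frame[:-4], struct.unpack(">I", frame[-4:])[0]
    return _parse(p) if zlib.crc32(p) == crc else None   # None means corrupted

def encode_authenticated(key, **f):
    """Authenticated frame: payload + truncated HMAC-SHA256 under a paired key."""
    p = _payload(**f)
    return p + hmac.new(key, p, hashlib.sha256).digest()[:TAG_LEN]

class HotReceiver:
    """HOT-side check: verify the tag, the paired unit id and a monotonic counter."""
    def __init__(self, key, paired_unit):
        self.key, self.paired_unit, self.last_seq = key, paired_unit, -1

    def accept(self, frame):
        p, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        want = hmac.new(self.key, p, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, want):
            return None                      # forged or corrupted: drop
        rec = _parse(p)
        if rec["unit_id"] != self.paired_unit or rec["seq"] <= self.last_seq:
            return None                      # wrong pairing or replayed frame: drop
        self.last_seq = rec["seq"]
        return rec
```

A real deployment would still need key pairing at train make-up and a counter that survives device resets; the example only shows why an error-correcting code alone cannot stand in for sender verification.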

Although this security issue has been known in the railway industry and was even discussed in a 2005 paper, it remains unresolved in North America’s railway control systems to this day.


Recent Attacks Highlight the Importance of Preventing RF Attacks

According to a BBC report, critical infrastructure (CI) is highly valuable and therefore an attractive target for nation-state hackers. For example, during Russia’s invasion of Ukraine, state hackers took over Viasat’s satellite modems, disrupting satellite communication for Ukrainians.

In another recent BBC-reported attack, because Poland is a major hub for transporting Western weapons to Ukraine, unknown hacker groups used RF devices to prevent trains carrying these weapons from reaching Ukraine. We should be more concerned than ever about the increasing attacks on transportation and railways. Protecting critical infrastructure from physical RF attacks by nation-state hackers is essential.


Conclusion

As tensions between nations escalate, the security risks of railroad and train telemetry systems become increasingly severe. To protect these critical infrastructures, we must enhance RF signal verification mechanisms to prevent attackers from falsifying emergency stop commands. Additionally, relevant authorities should strengthen the security monitoring and protective measures of railway systems to ensure the safety of public transportation systems as a whole.

TXOne Networks