SlideShare ist ein Scribd-Unternehmen logo

The Great Train Robbery: Fast and Furious

S
Sergey Gordeychik

Railway cybersecurity for high speed trains as presented by Sergey Sidorov on Overdrive Con 2017

Technologie
1 von 90
Downloaden Sie, um offline zu lesen
*AllpicturesaretakenfromDr StrangeLovemovieandother Internets Sergey Sidorov
 Group of security researchers focused on ICS/SCADA to save Humanity from industrial disaster and to keep Purity Of Essence Alexander Timorin Alexander Tlyapov Alexander Zaitsev Alexey Osipov Andrey Medov Artem Chaykin Denis Baranov Dmitry Efanov Dmitry Nagibin Dmitry Serebryannikov Dmitry Sklyarov Evgeny Ermakov Gleb Gritsai Ilya Karpov Ivan Poliyanchuk Kirill Nesterov Roman Ilin Roman Polushin Sergey Bobrov Sergey Drozdov Sergey Gordeychik Sergey Sidorov Sergey Scherbel Timur Yunusov Valentin Shilnenkov Vladimir Kochetkov Vyacheslav Egoshin Yuri Goltsev Yuriy Dyachenko
Please note, that this talk is by SCADA StrangeLove team. We don’t speak for our employers. All the opinions and information here are of our responsibility (actually no one ever saw this talk before). So, mistakes and bad jokes are all OUR responsibilities.
320 300 210 160 Km/h
L0 Series Max speed: 603 km/h Transrapid Max speed: 550 km/h
Model-Based Approaches for Railway Safety, Reliability and Security: The Experience of Ansaldo STS
 Train Security (by Jakob Lyng Petersen)  Trains must not collide  Trains must not derail  Trains must not hit person working the tracks  Sadly, animals can’t handle the interview  Operating rules  Italy, Regolamento Segnali  UK, GE/RT8000 Rule Book  North America, GCOR and others  Russia, Rules of technical exploitation
Santiago de Compostela derailment  The accident occurred at the site where transition from the ETCS L1 system to the system ASFA (continuous train control system without speed control)  The observance of the speed is carried out in this mode by machinist
Wenzhou train collision  Lightning strike led to failure of the train protection system (first train stopped)  I/O fuse blown led to wrong-side failure  Human factor: Long- term coordination of further actions
https://en.wikipedia.org/wiki/File:Clear_track_circuit.svg
https://en.wikipedia.org/wiki/File:Occupied_track_circuit.svg
Static speed profile Speed control curve Fictitious stopping point Preset speed Permission for movement limit BKW – change of section identification LZB system:  Lineside computer  Train computer
March 2016 86.000 km  European Railway Traffic Management System  European Train Control System (ETCS)  GSM-R
 ETCS (L1, L2, L3)  Locomotives  Ground devices (Radio Block Center, Lineside Electronic Units, Balises, Base-Station Subsystem, Base Transceiver Station)  GSM-R
ETCS level 1
ETCS level 2
ETCS level 3
The train's signalling, control and train protection systems include a Transmission Voie- Machine (TVM) signalling system, Controle de Vitesse par Balises (KVB) train protection system, Transmission Beacon Locomotive (TBL) train protection system, Runback Protection System (RPS), European Train Control System (ETCS), Automatic train protection (ATP) system, Reactor Protection System (RPS) and train control system. http://www.railway-technology.com/projects/eurostar-e320-high-speed-train/ KVB - a train protection system used in France MEMOR - Belgian railway signaling TVM - in-cab signaling originally deployed in France TBL - train protection system used in Belgium RPS - Runback Protection ATP - Great Britain implementations of a train protection system ETCS - European Train Control System
The train's signalling, control and train protection systems include a Transmission Voie- Machine (TVM) signalling system, Controle de Vitesse par Balises (KVB) train protection system, Transmission Beacon Locomotive (TBL) train protection system, Runback Protection System (RPS), European Train Control System (ETCS), Automatic train protection (ATP) system, Reactor Protection System (RPS) and train control system. http://www.railway-technology.com/projects/eurostar-e320-high-speed-train/ KVB - a train protection system used in France MEMOR - Belgian railway signaling TVM - in-cab signaling originally deployed in France TBL - train protection system used in Belgium RPS - Runback Protection ATP - Great Britain implementations of a train protection system ETCS - European Train Control System Reactor Protection System (RPS) Train!
 TCN (Train Communication Network)  WTB + MVB  ETB in future - Ethernet Train Backbone (IEC 61375-2-5)  WTB (Wire Train Bus)  Each coach, loco  MVB (Multifunction Vehicle Bus)  Links WTBs  MVB ~= FlexRay  CANopen  etc.
http://uic.org/cdrom/2006/wcrr2006/pdf/292.pdf
“Abusing the Train Communication Network or What could have derailed the Northeast Regional #188?” by Moshe Zioni  no authentication  traffic is not encrypted
http://cordis.europa.eu/pub/t elematics/docs/tap_transport/r osin_d1.3.pdf The same?  no authentication  traffic is not encrypted
 MVB + MVB+ ... = WTB(Train)  Elections by largest number of nodes  Set LocStr to 256  If equal, first Detect_Request wins IEC61375
 Loco’s internals  Traction control  Braking system  Cab signaling  Train protection system  Passenger Information and Entertainment  Software is not available in public  True for the all railroad software  Btw, hardware available in public, but as a part of Public Transportation System
 SIBAS 32  Eurostar e320 high-speed trains  class 120.1 locomotive of German Rail  S 252 of Spanish National Railways (RENFE)  LE 5600 of Portuguese Railways (CP)  EG 3100 in Sweden, Germany and Denmark  Velaro  class 182 2nd gene EuroSprinter  SIBAS PN  New DB ICE trains
 SIBAS 32 updates to SIBAS PN  Proprietary SIBAS OS on VxWorks + WinAC RTX  WTB (Wire Train Bus) to ETB (Ethernet Train Bus)  And PROFINET  Goodbye weird executable formats and IS. Hello ELF/PE and x86/ppc  S7 controllers to PC-based controllers with WinAC RTX software  “configured and programmed with STEP 7 in exactly the same way as a normal S7 controller”
 SIBAS 32 updates to SIBAS PN  Proprietary SIBAS OS to VxWorks + WinAC RTX  WTB (Wire Train Bus) to ETB (Ethernet Train Bus)  And PROFINET  Goodbye weird executable formats and IS. Hello ELF/PE and x86/ppc  S7 controllers to PC-based controllers with WinAC RTX software  “configured and programmed with STEP 7 in exactly the same way as a normal S7 controller”
 Hardcodes  No, they are for the authentication  Known protocols  XML over HTTP, S7  Secure network facing services  Self-written web server  Self-written xml parser  Heavily based on WinCC code  2012-2015: 41 vuln  Runs on Windows x86  Vulnerabilities?  Probably
How to access PC-based controllers (WinAC RTX)?  We don’t know  We don’t want to know  We will never know  Yet to not know  Yet to don’t know  Not yet to know
 Driver Information Systems  Track profile, loco speed and location (non-military GPS, GLONASS)  Interfaces  Server infrastructure for processing  External data feed  CAN to acquire data in loco  On the bus with whole train  Mobile operator to push data to the server  Data plan on Customer SIM card detected  Why build additional channels for other systems?
 Gateways  Diagnostic  Diagnostic of diagnostic  Services  Web, telnet, ftp, etc.  Proprietary service to rule them all  Interfaces  GSM-R  And more when GSM-R is too slow  At least no Wi-Fi, right?
Google for Airlink (c)
http://www.hollysys.com.sg/me dia/com_download/3.%20HollyS ys-HighSpeed.pdf
32C3: Sergey Gordeychik, Gleb Gritsai, Aleksandr Timorin: “The Great Train Cyber Robbery”
RLC circuit
Notation in a chart RDA-RT Remote Data Access Train Router MSC Mobile Switching Center RBC Radio Block Center YW Yardmaster’s workstation IG Integration gateway TCC Train Control Center CTC Centralized traffic control CBI Computer-based interlocking
Notation in a chart RDA-RT Remote Data Access Train Router MSC Mobile Switching Center RBC Radio Block Center YW Yardmaster’s workstation IG Integration gateway TCC Train Control Center CTC Centralized traffic control CBI Computer-based interlocking
Notation in a chart RDA-RT Remote Data Access Train Router MSC Mobile Switching Center RBC Radio Block Center YW Yardmaster’s workstation IG Integration gateway TCC Train Control Center CTC Centralized traffic control CBI Computer-based interlocking
Notation in a chart RDA-RT Remote Data Access Train Router MSC Mobile Switching Center RBC Radio Block Center YW Yardmaster’s workstation IG Integration gateway TCC Train Control Center CTC Centralized traffic control CBI Computer-based interlocking
Notation in a chart RDA-RT Remote Data Access Train Router MSC Mobile Switching Center RBC Radio Block Center YW Yardmaster’s workstation IG Integration gateway TCC Train Control Center CTC Centralized traffic control CBI Computer-based interlocking
Notation in a chart RDA-RT Remote Data Access Train Router MSC Mobile Switching Center RBC Radio Block Center YW Yardmaster’s workstation IG Integration gateway TCC Train Control Center CTC Centralized traffic control CBI Computer-based interlocking
Notation in a chart RDA-RT Remote Data Access Train Router MSC Mobile Switching Center RBC Radio Block Center YW Yardmaster’s workstation IG Integration gateway TCC Train Control Center CTC Centralized traffic control CBI Computer-based interlocking
28C3: Stefan Katzenbeisser: Can trains be hacked?  Multiple trains make use of the same KMAC for a long time  Using weak random number generators during the KSMAC derivation
In areas where the European Train Control System (ETCS) Level 2 or 3 is used, the train maintains a circuit switched digital modem connection to the train control centre at all times. … If the modem connection is lost, the train will automatically stop.
moving "really fast and passed three stations without stopping" … "due to a fault on the train's antenna that ensures trains stop accurately at each station"... "The train was hence not able to pick up the signal to stop at the next three stations”…
http://www.era.europa.eu/Document-Register/Documents/P38T9001%204.2%20FFFIS%20for%20GSM-R%20SIM-CARD.pdf
― Remote data recovery (Kc, TIMSI) • Chanel decryption (including A5/3) • «Clone» the SIM and mobile station ― SIM “malware” ― Block SIM via PIN/PUK brute ― Extended OTA features (FOTA) Karsten Nohl, https://srlabs.de/rooting-sim-cards/ Alexander Zaitsev, Sergey Gordeychik , Alexey Osipov, PacSec, Tokyo, Japan, 2014
Attack host
Control
Control Attack the ATC
… not exactly https://railway-news.com/global-cyber-attack-hits-deutsche-bahn/ https://www.hackread.com/russian-postal-service-hit-by-wannacry-ransomware/
Attacking System Train Control System Defending System Intellectual Technologies on Transport No 1
*Allpicturesaretakenfrom googleandotherInternets Alexander Timorin Alexander Tlyapov Alexander Zaitsev Alexey Osipov Andrey Medov Artem Chaykin Denis Baranov Dmitry Efanov Dmitry Nagibin Dmitry Serebryannikov Dmitry Sklyarov Evgeny Ermakov Gleb Gritsai Ilya Karpov Ivan Poliyanchuk Kirill Nesterov Roman Ilin Sergey Bobrov Sergey Drozdov Sergey Gordeychik Sergey Scherbel Sergey Sidorov Timur Yunusov Valentin Shilnenkov Vladimir Kochetkov Vyacheslav Egoshin Yuri Goltsev Yuriy Dyachenko
*Allpicturesaretakenfrom googleandotherInternets
…We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals. Yes, I am a criminal. My crime is that of curiosity…

Empfohlen

"The Great Train Cyber Robbery" SCADAStrangeLove
"The Great Train Cyber Robbery" SCADAStrangeLove"The Great Train Cyber Robbery" SCADAStrangeLove
"The Great Train Cyber Robbery" SCADAStrangeLove
Aleksandr Timorin
 
SCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureSCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architecture
qqlan
 
Safety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemSafety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical System
Aleksandr Timorin
 
Scada Strangelove - 29c3
Scada Strangelove - 29c3Scada Strangelove - 29c3
Scada Strangelove - 29c3
qqlan
 
Internet connected ICS/SCADA/PLC
Internet connected ICS/SCADA/PLCInternet connected ICS/SCADA/PLC
Internet connected ICS/SCADA/PLC
qqlan
 
Greater China Cyber Threat Landscape - ISC 2016
Greater China Cyber Threat Landscape - ISC 2016Greater China Cyber Threat Landscape - ISC 2016
Greater China Cyber Threat Landscape - ISC 2016
Sergey Gordeychik
 
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet v2
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet v2ICS/SCADA/PLC Google/Shodanhq Cheat Sheet v2
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet v2
qqlan
 
Enable the smart factory with IO Link
Enable the smart factory with IO LinkEnable the smart factory with IO Link
Enable the smart factory with IO Link
Dan Rossek
 

Empfohlen

"The Great Train Cyber Robbery" SCADAStrangeLove
"The Great Train Cyber Robbery" SCADAStrangeLove"The Great Train Cyber Robbery" SCADAStrangeLove
"The Great Train Cyber Robbery" SCADAStrangeLove
Aleksandr Timorin
 
SCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureSCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architecture
qqlan
 
Safety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemSafety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical System
Aleksandr Timorin
 
Scada Strangelove - 29c3
Scada Strangelove - 29c3Scada Strangelove - 29c3
Scada Strangelove - 29c3
qqlan
 
Internet connected ICS/SCADA/PLC
Internet connected ICS/SCADA/PLCInternet connected ICS/SCADA/PLC
Internet connected ICS/SCADA/PLC
qqlan
 
Greater China Cyber Threat Landscape - ISC 2016
Greater China Cyber Threat Landscape - ISC 2016Greater China Cyber Threat Landscape - ISC 2016
Greater China Cyber Threat Landscape - ISC 2016
Sergey Gordeychik
 
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet v2
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet v2ICS/SCADA/PLC Google/Shodanhq Cheat Sheet v2
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet v2
qqlan
 
Enable the smart factory with IO Link
Enable the smart factory with IO LinkEnable the smart factory with IO Link
Enable the smart factory with IO Link
Dan Rossek
 
Introduction to IO-Link - Russell Smith
Introduction to IO-Link - Russell SmithIntroduction to IO-Link - Russell Smith
Introduction to IO-Link - Russell Smith
PROFIBUS and PROFINET InternationaI - PI UK
 
MIPI DevCon 2016: A Developer's Guide to MIPI I3C Implementation
MIPI DevCon 2016: A Developer's Guide to MIPI I3C ImplementationMIPI DevCon 2016: A Developer's Guide to MIPI I3C Implementation
MIPI DevCon 2016: A Developer's Guide to MIPI I3C Implementation
MIPI Alliance
 
An introduction to IO-Link - Peter Thomas - Oct 2015
An introduction to IO-Link - Peter Thomas - Oct 2015An introduction to IO-Link - Peter Thomas - Oct 2015
An introduction to IO-Link - Peter Thomas - Oct 2015
PROFIBUS and PROFINET InternationaI - PI UK
 
Kaspersky SAS SCADA in the Cloud
Kaspersky SAS SCADA in the CloudKaspersky SAS SCADA in the Cloud
Kaspersky SAS SCADA in the Cloud
qqlan
 
UGM CAN PXI
UGM CAN PXIUGM CAN PXI
UGM CAN PXI
Interlatin
 
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat SheetICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
qqlan
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Aleksandr Timorin
 
MIPI DevCon 2016: MIPI I3C High Data Rate Modes
MIPI DevCon 2016: MIPI I3C High Data Rate ModesMIPI DevCon 2016: MIPI I3C High Data Rate Modes
MIPI DevCon 2016: MIPI I3C High Data Rate Modes
MIPI Alliance
 
STM32 L4 presentation
STM32 L4 presentation STM32 L4 presentation
STM32 L4 presentation
Sylvie Boube-Politano
 
Ec 2 traffic signal controller brochure
Ec 2 traffic signal controller brochureEc 2 traffic signal controller brochure
Ec 2 traffic signal controller brochure
Imtech Traffic and Infra
 
Introduction to IO-Link - Russell Smith
Introduction to IO-Link - Russell SmithIntroduction to IO-Link - Russell Smith
Introduction to IO-Link - Russell Smith
PROFIBUS and PROFINET InternationaI - PI UK
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
Aleksandr Timorin
 
SCADA StrangeLove 2: We already know
SCADA StrangeLove 2: We already knowSCADA StrangeLove 2: We already know
SCADA StrangeLove 2: We already know
qqlan
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems
qqlan
 
Moxa Solution for Rail and Transportation Market
Moxa Solution for Rail and Transportation MarketMoxa Solution for Rail and Transportation Market
Moxa Solution for Rail and Transportation Market
Eric Lo
 
Iai ether cat_pcon_acon_specsheet
Iai ether cat_pcon_acon_specsheetIai ether cat_pcon_acon_specsheet
Iai ether cat_pcon_acon_specsheet
Electromate
 
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
qqlan
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имя
Ekaterina Melnik
 
RoboticCarKit_MANUAL
RoboticCarKit_MANUALRoboticCarKit_MANUAL
RoboticCarKit_MANUAL
Elijah Barner
 
Railroad Industry Connectivity Solutions
Railroad Industry Connectivity SolutionsRailroad Industry Connectivity Solutions
Railroad Industry Connectivity Solutions
METZ CONNECT USA Inc.
 
IRJET- Automatic Gate Crossing and IoT based Train Track Crack Detection Syst...
IRJET- Automatic Gate Crossing and IoT based Train Track Crack Detection Syst...IRJET- Automatic Gate Crossing and IoT based Train Track Crack Detection Syst...
IRJET- Automatic Gate Crossing and IoT based Train Track Crack Detection Syst...
IRJET Journal
 
Railway ppt fdocuments.in_indian-railway-ppt.pptx.pdf
Railway ppt fdocuments.in_indian-railway-ppt.pptx.pdfRailway ppt fdocuments.in_indian-railway-ppt.pptx.pdf
Railway ppt fdocuments.in_indian-railway-ppt.pptx.pdf
AslamNalband
 

Weitere ähnliche Inhalte

Was ist angesagt?

An introduction to IO-Link - Peter Thomas - Oct 2015
An introduction to IO-Link - Peter Thomas - Oct 2015An introduction to IO-Link - Peter Thomas - Oct 2015
An introduction to IO-Link - Peter Thomas - Oct 2015
PROFIBUS and PROFINET InternationaI - PI UK
 
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat SheetICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
qqlan
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
Aleksandr Timorin
 
SCADA StrangeLove 2: We already know
SCADA StrangeLove 2: We already knowSCADA StrangeLove 2: We already know
SCADA StrangeLove 2: We already know
qqlan
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems
qqlan
 
Moxa Solution for Rail and Transportation Market
Moxa Solution for Rail and Transportation MarketMoxa Solution for Rail and Transportation Market
Moxa Solution for Rail and Transportation Market
Eric Lo
 
Iai ether cat_pcon_acon_specsheet
Iai ether cat_pcon_acon_specsheetIai ether cat_pcon_acon_specsheet
Iai ether cat_pcon_acon_specsheet
Electromate
 
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
qqlan
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имя
Ekaterina Melnik
 
RoboticCarKit_MANUAL
RoboticCarKit_MANUALRoboticCarKit_MANUAL
RoboticCarKit_MANUAL
Elijah Barner
 

Was ist angesagt? (20)

Introduction to IO-Link - Russell Smith
Introduction to IO-Link - Russell SmithIntroduction to IO-Link - Russell Smith
Introduction to IO-Link - Russell Smith
 
MIPI DevCon 2016: A Developer's Guide to MIPI I3C Implementation
MIPI DevCon 2016: A Developer's Guide to MIPI I3C ImplementationMIPI DevCon 2016: A Developer's Guide to MIPI I3C Implementation
MIPI DevCon 2016: A Developer's Guide to MIPI I3C Implementation
 
An introduction to IO-Link - Peter Thomas - Oct 2015
An introduction to IO-Link - Peter Thomas - Oct 2015An introduction to IO-Link - Peter Thomas - Oct 2015
An introduction to IO-Link - Peter Thomas - Oct 2015
 
Kaspersky SAS SCADA in the Cloud
Kaspersky SAS SCADA in the CloudKaspersky SAS SCADA in the Cloud
Kaspersky SAS SCADA in the Cloud
 
UGM CAN PXI
UGM CAN PXIUGM CAN PXI
UGM CAN PXI
 
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat SheetICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVE
 
MIPI DevCon 2016: MIPI I3C High Data Rate Modes
MIPI DevCon 2016: MIPI I3C High Data Rate ModesMIPI DevCon 2016: MIPI I3C High Data Rate Modes
MIPI DevCon 2016: MIPI I3C High Data Rate Modes
 
STM32 L4 presentation
STM32 L4 presentation STM32 L4 presentation
STM32 L4 presentation
 
Ec 2 traffic signal controller brochure
Ec 2 traffic signal controller brochureEc 2 traffic signal controller brochure
Ec 2 traffic signal controller brochure
 
Introduction to IO-Link - Russell Smith
Introduction to IO-Link - Russell SmithIntroduction to IO-Link - Russell Smith
Introduction to IO-Link - Russell Smith
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
 
SCADA StrangeLove 2: We already know
SCADA StrangeLove 2: We already knowSCADA StrangeLove 2: We already know
SCADA StrangeLove 2: We already know
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems
 
Moxa Solution for Rail and Transportation Market
Moxa Solution for Rail and Transportation MarketMoxa Solution for Rail and Transportation Market
Moxa Solution for Rail and Transportation Market
 
Iai ether cat_pcon_acon_specsheet
Iai ether cat_pcon_acon_specsheetIai ether cat_pcon_acon_specsheet
Iai ether cat_pcon_acon_specsheet
 
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3]
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имя
 
RoboticCarKit_MANUAL
RoboticCarKit_MANUALRoboticCarKit_MANUAL
RoboticCarKit_MANUAL
 
Railroad Industry Connectivity Solutions
Railroad Industry Connectivity SolutionsRailroad Industry Connectivity Solutions
Railroad Industry Connectivity Solutions
 

Ähnlich wie The Great Train Robbery: Fast and Furious

An Approach to Improve the Railway Crack Detection in the Tracks by Automated...
An Approach to Improve the Railway Crack Detection in the Tracks by Automated...An Approach to Improve the Railway Crack Detection in the Tracks by Automated...
An Approach to Improve the Railway Crack Detection in the Tracks by Automated...
IOSR Journals
 
An Approach to Improve the Railway Crack Detection in the Tracks by Automated...
An Approach to Improve the Railway Crack Detection in the Tracks by Automated...An Approach to Improve the Railway Crack Detection in the Tracks by Automated...
An Approach to Improve the Railway Crack Detection in the Tracks by Automated...
IOSR Journals
 
Indian railway-3977545
Indian railway-3977545Indian railway-3977545
Indian railway-3977545
9586215895
 
Embedded Fest 2019. Антон Волошин. Connected Mobility: from Vehicle to Cloud
Embedded Fest 2019. Антон Волошин. Connected Mobility: from Vehicle to CloudEmbedded Fest 2019. Антон Волошин. Connected Mobility: from Vehicle to Cloud
Embedded Fest 2019. Антон Волошин. Connected Mobility: from Vehicle to Cloud
EmbeddedFest
 
Presentation
PresentationPresentation
Presentation
Videoguy
 
Presentation
PresentationPresentation
Presentation
Videoguy
 
Presentation
PresentationPresentation
Presentation
Videoguy
 

Ähnlich wie The Great Train Robbery: Fast and Furious (20)

IRJET- Automatic Gate Crossing and IoT based Train Track Crack Detection Syst...
IRJET- Automatic Gate Crossing and IoT based Train Track Crack Detection Syst...IRJET- Automatic Gate Crossing and IoT based Train Track Crack Detection Syst...
IRJET- Automatic Gate Crossing and IoT based Train Track Crack Detection Syst...
 
Railway ppt fdocuments.in_indian-railway-ppt.pptx.pdf
Railway ppt fdocuments.in_indian-railway-ppt.pptx.pdfRailway ppt fdocuments.in_indian-railway-ppt.pptx.pdf
Railway ppt fdocuments.in_indian-railway-ppt.pptx.pdf
 
5b50dc69-4ca7-41ee-a9dd-b4e8b220b4fe.pdf
5b50dc69-4ca7-41ee-a9dd-b4e8b220b4fe.pdf5b50dc69-4ca7-41ee-a9dd-b4e8b220b4fe.pdf
5b50dc69-4ca7-41ee-a9dd-b4e8b220b4fe.pdf
 
Inter vehicle communication
Inter vehicle communicationInter vehicle communication
Inter vehicle communication
 
An Approach to Improve the Railway Crack Detection in the Tracks by Automated...
An Approach to Improve the Railway Crack Detection in the Tracks by Automated...An Approach to Improve the Railway Crack Detection in the Tracks by Automated...
An Approach to Improve the Railway Crack Detection in the Tracks by Automated...
 
An Approach to Improve the Railway Crack Detection in the Tracks by Automated...
An Approach to Improve the Railway Crack Detection in the Tracks by Automated...An Approach to Improve the Railway Crack Detection in the Tracks by Automated...
An Approach to Improve the Railway Crack Detection in the Tracks by Automated...
 
Passenger amenities (2)
Passenger amenities (2)Passenger amenities (2)
Passenger amenities (2)
 
Integrated Railway Transport Management System
Integrated Railway Transport Management SystemIntegrated Railway Transport Management System
Integrated Railway Transport Management System
 
Automatic Crack Detecting system for Railway security
Automatic Crack Detecting system for Railway securityAutomatic Crack Detecting system for Railway security
Automatic Crack Detecting system for Railway security
 
Controller area network as the security of the vehicles
Controller area network as the security of the vehiclesController area network as the security of the vehicles
Controller area network as the security of the vehicles
 
Innovation Solutions
Innovation SolutionsInnovation Solutions
Innovation Solutions
 
Report on wireless System CDMA security
Report on wireless System CDMA securityReport on wireless System CDMA security
Report on wireless System CDMA security
 
Implementation and Validation of SAE J1850 (VPW) Protocol Solution for Diagno...
Implementation and Validation of SAE J1850 (VPW) Protocol Solution for Diagno...Implementation and Validation of SAE J1850 (VPW) Protocol Solution for Diagno...
Implementation and Validation of SAE J1850 (VPW) Protocol Solution for Diagno...
 
Connected Cars - Poster Child for the IoT Reality Check
Connected Cars - Poster Child for the IoT Reality CheckConnected Cars - Poster Child for the IoT Reality Check
Connected Cars - Poster Child for the IoT Reality Check
 
Indian railway-3977545
Indian railway-3977545Indian railway-3977545
Indian railway-3977545
 
Embedded Fest 2019. Антон Волошин. Connected Mobility: from Vehicle to Cloud
Embedded Fest 2019. Антон Волошин. Connected Mobility: from Vehicle to CloudEmbedded Fest 2019. Антон Волошин. Connected Mobility: from Vehicle to Cloud
Embedded Fest 2019. Антон Волошин. Connected Mobility: from Vehicle to Cloud
 
ADVANCED RAILWAY SECURITY SYSTEM (ARSS) BASED ON ZIGBEE COMMUNICATION FOR TRA...
ADVANCED RAILWAY SECURITY SYSTEM (ARSS) BASED ON ZIGBEE COMMUNICATION FOR TRA...ADVANCED RAILWAY SECURITY SYSTEM (ARSS) BASED ON ZIGBEE COMMUNICATION FOR TRA...
ADVANCED RAILWAY SECURITY SYSTEM (ARSS) BASED ON ZIGBEE COMMUNICATION FOR TRA...
 
Presentation
PresentationPresentation
Presentation
 
Presentation
PresentationPresentation
Presentation
 
Presentation
PresentationPresentation
Presentation
 

Mehr von Sergey Gordeychik

AI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey GordeychikAI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey Gordeychik
Sergey Gordeychik
 
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Sergey Gordeychik
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
Sergey Gordeychik
 
Too soft[ware defined] networks SD-Wan vulnerability assessment
Too soft[ware defined] networks SD-Wan vulnerability assessmentToo soft[ware defined] networks SD-Wan vulnerability assessment
Too soft[ware defined] networks SD-Wan vulnerability assessment
Sergey Gordeychik
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment
Sergey Gordeychik
 
Recon: Hopeless relay protection for substation automation
Recon: Hopeless relay protection for substation automation Recon: Hopeless relay protection for substation automation
Recon: Hopeless relay protection for substation automation
Sergey Gordeychik
 
Cybersecurity Assessment of Communication-Based Train Control systems
Cybersecurity Assessment of Communication-Based Train Control systemsCybersecurity Assessment of Communication-Based Train Control systems
Cybersecurity Assessment of Communication-Based Train Control systems
Sergey Gordeychik
 
SCADA StrangeLove Practical security assessment of European Smartgrid
SCADA StrangeLove Practical security assessment of European SmartgridSCADA StrangeLove Practical security assessment of European Smartgrid
SCADA StrangeLove Practical security assessment of European Smartgrid
Sergey Gordeychik
 

Mehr von Sergey Gordeychik (12)

Vulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureVulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructure
 
MALIGN MACHINE LEARNING MODELS
MALIGN MACHINE LEARNING MODELSMALIGN MACHINE LEARNING MODELS
MALIGN MACHINE LEARNING MODELS
 
AI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey GordeychikAI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey Gordeychik
 
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
 
Practical analysis of the cybersecurity of European smart grids
Practical analysis of the cybersecurity of European smart gridsPractical analysis of the cybersecurity of European smart grids
Practical analysis of the cybersecurity of European smart grids
 
SD-WAN Internet Census, Zeronighst 2018
SD-WAN Internet Census, Zeronighst 2018SD-WAN Internet Census, Zeronighst 2018
SD-WAN Internet Census, Zeronighst 2018
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
 
Too soft[ware defined] networks SD-Wan vulnerability assessment
Too soft[ware defined] networks SD-Wan vulnerability assessmentToo soft[ware defined] networks SD-Wan vulnerability assessment
Too soft[ware defined] networks SD-Wan vulnerability assessment
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment
 
Recon: Hopeless relay protection for substation automation
Recon: Hopeless relay protection for substation automation Recon: Hopeless relay protection for substation automation
Recon: Hopeless relay protection for substation automation
 
Cybersecurity Assessment of Communication-Based Train Control systems
Cybersecurity Assessment of Communication-Based Train Control systemsCybersecurity Assessment of Communication-Based Train Control systems
Cybersecurity Assessment of Communication-Based Train Control systems
 
SCADA StrangeLove Practical security assessment of European Smartgrid
SCADA StrangeLove Practical security assessment of European SmartgridSCADA StrangeLove Practical security assessment of European Smartgrid
SCADA StrangeLove Practical security assessment of European Smartgrid
 

Kürzlich hochgeladen

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 

Kürzlich hochgeladen (20)

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

The Great Train Robbery: Fast and Furious

  • 2.  Group of security researchers focused on ICS/SCADA to save Humanity from industrial disaster and to keep Purity Of Essence Alexander Timorin Alexander Tlyapov Alexander Zaitsev Alexey Osipov Andrey Medov Artem Chaykin Denis Baranov Dmitry Efanov Dmitry Nagibin Dmitry Serebryannikov Dmitry Sklyarov Evgeny Ermakov Gleb Gritsai Ilya Karpov Ivan Poliyanchuk Kirill Nesterov Roman Ilin Roman Polushin Sergey Bobrov Sergey Drozdov Sergey Gordeychik Sergey Sidorov Sergey Scherbel Timur Yunusov Valentin Shilnenkov Vladimir Kochetkov Vyacheslav Egoshin Yuri Goltsev Yuriy Dyachenko
  • 3. Please note, that this talk is by SCADA StrangeLove team. We don’t speak for our employers. All the opinions and information here are of our responsibility (actually no one ever saw this talk before). So, mistakes and bad jokes are all OUR responsibilities.
  • 5. L0 Series Max speed: 603 km/h Transrapid Max speed: 550 km/h
  • 6. Model-Based Approaches for Railway Safety, Reliability and Security: The Experience of Ansaldo STS
  • 7.  Train Security (by Jakob Lyng Petersen)  Trains must not collide  Trains must not derail  Trains must not hit person working the tracks  Sadly, animals can’t handle the interview  Operating rules  Italy, Regolamento Segnali  UK, GE/RT8000 Rule Book  North America, GCOR and others  Russia, Rules of technical exploitation
  • 8.
  • 9. Santiago de Compostela derailment  The accident occurred at the site where transition from the ETCS L1 system to the system ASFA (continuous train control system without speed control)  The observance of the speed is carried out in this mode by machinist
  • 10. Wenzhou train collision  Lightning strike led to failure of the train protection system (first train stopped)  I/O fuse blown led to wrong-side failure  Human factor: Long- term coordination of further actions
  • 13. Static speed profile Speed control curve Fictitious stopping point Preset speed Permission for movement limit BKW – change of section identification LZB system:  Lineside computer  Train computer
  • 14.
  • 15.
  • 16.
  • 17. March 2016 86.000 km  European Railway Traffic Management System  European Train Control System (ETCS)  GSM-R
  • 18.  ETCS (L1, L2, L3)  Locomotives  Ground devices (Radio Block Center, Lineside Electronic Units, Balises, Base-Station Subsystem, Base Transceiver Station)  GSM-R
  • 22. The train's signalling, control and train protection systems include a Transmission Voie- Machine (TVM) signalling system, Controle de Vitesse par Balises (KVB) train protection system, Transmission Beacon Locomotive (TBL) train protection system, Runback Protection System (RPS), European Train Control System (ETCS), Automatic train protection (ATP) system, Reactor Protection System (RPS) and train control system. http://www.railway-technology.com/projects/eurostar-e320-high-speed-train/ KVB - a train protection system used in France MEMOR - Belgian railway signaling TVM - in-cab signaling originally deployed in France TBL - train protection system used in Belgium RPS - Runback Protection ATP - Great Britain implementations of a train protection system ETCS - European Train Control System
  • 23. The train's signalling, control and train protection systems include a Transmission Voie- Machine (TVM) signalling system, Controle de Vitesse par Balises (KVB) train protection system, Transmission Beacon Locomotive (TBL) train protection system, Runback Protection System (RPS), European Train Control System (ETCS), Automatic train protection (ATP) system, Reactor Protection System (RPS) and train control system. http://www.railway-technology.com/projects/eurostar-e320-high-speed-train/ KVB - a train protection system used in France MEMOR - Belgian railway signaling TVM - in-cab signaling originally deployed in France TBL - train protection system used in Belgium RPS - Runback Protection ATP - Great Britain implementations of a train protection system ETCS - European Train Control System Reactor Protection System (RPS) Train!
  • 24.  TCN (Train Communication Network)  WTB + MVB  ETB in future - Ethernet Train Backbone (IEC 61375-2-5)  WTB (Wire Train Bus)  Each coach, loco  MVB (Multifunction Vehicle Bus)  Links WTBs  MVB ~= FlexRay  CANopen  etc.
  • 26.
  • 27.
  • 28.
  • 29.
  • 30.
  • 31.
  • 32.
  • 33.
  • 34. “Abusing the Train Communication Network or What could have derailed the Northeast Regional #188?” by Moshe Zioni  no authentication  traffic is not encrypted
  • 36.
  • 37.  MVB + MVB+ ... = WTB(Train)  Elections by largest number of nodes  Set LocStr to 256  If equal, first Detect_Request wins IEC61375
  • 38.  Loco’s internals  Traction control  Braking system  Cab signaling  Train protection system  Passenger Information and Entertainment  Software is not available in public  True for the all railroad software  Btw, hardware available in public, but as a part of Public Transportation System
  • 39.  SIBAS 32  Eurostar e320 high-speed trains  class 120.1 locomotive of German Rail  S 252 of Spanish National Railways (RENFE)  LE 5600 of Portuguese Railways (CP)  EG 3100 in Sweden, Germany and Denmark  Velaro  class 182 2nd gene EuroSprinter  SIBAS PN  New DB ICE trains
  • 40.  SIBAS 32 updates to SIBAS PN  Proprietary SIBAS OS on VxWorks + WinAC RTX  WTB (Wire Train Bus) to ETB (Ethernet Train Bus)  And PROFINET  Goodbye weird executable formats and IS. Hello ELF/PE and x86/ppc  S7 controllers to PC-based controllers with WinAC RTX software  “configured and programmed with STEP 7 in exactly the same way as a normal S7 controller”
  • 41.  SIBAS 32 updates to SIBAS PN  Proprietary SIBAS OS to VxWorks + WinAC RTX  WTB (Wire Train Bus) to ETB (Ethernet Train Bus)  And PROFINET  Goodbye weird executable formats and IS. Hello ELF/PE and x86/ppc  S7 controllers to PC-based controllers with WinAC RTX software  “configured and programmed with STEP 7 in exactly the same way as a normal S7 controller”
  • 42.  Hardcodes  No, they are for the authentication  Known protocols  XML over HTTP, S7  Secure network facing services  Self-written web server  Self-written xml parser  Heavily based on WinCC code  2012-2015: 41 vuln  Runs on Windows x86  Vulnerabilities?  Probably
  • 43. How to access PC-based controllers (WinAC RTX)?  We don’t know  We don’t want to know  We will never know  Yet to not know  Yet to don’t know  Not yet to know
  • 44.  Driver Information Systems  Track profile, loco speed and location (non-military GPS, GLONASS)  Interfaces  Server infrastructure for processing  External data feed  CAN to acquire data in loco  On the bus with whole train  Mobile operator to push data to the server  Data plan on Customer SIM card detected  Why build additional channels for other systems?
  • 45.  Gateways  Diagnostic  Diagnostic of diagnostic  Services  Web, telnet, ftp, etc.  Proprietary service to rule them all  Interfaces  GSM-R  And more when GSM-R is too slow  At least no Wi-Fi, right?
  • 48.
  • 49.
  • 50. 32C3: Sergey Gordeychik, Gleb Gritsai, Aleksandr Timorin: “The Great Train Cyber Robbery”
  • 51.
  • 52.
  • 54.
  • 55.
  • 56. Notation in a chart RDA-RT Remote Data Access Train Router MSC Mobile Switching Center RBC Radio Block Center YW Yardmaster’s workstation IG Integration gateway TCC Train Control Center CTC Centralized traffic control CBI Computer-based interlocking
  • 57. Notation in a chart RDA-RT Remote Data Access Train Router MSC Mobile Switching Center RBC Radio Block Center YW Yardmaster’s workstation IG Integration gateway TCC Train Control Center CTC Centralized traffic control CBI Computer-based interlocking
  • 58. Notation in a chart RDA-RT Remote Data Access Train Router MSC Mobile Switching Center RBC Radio Block Center YW Yardmaster’s workstation IG Integration gateway TCC Train Control Center CTC Centralized traffic control CBI Computer-based interlocking
  • 59. Notation in a chart RDA-RT Remote Data Access Train Router MSC Mobile Switching Center RBC Radio Block Center YW Yardmaster’s workstation IG Integration gateway TCC Train Control Center CTC Centralized traffic control CBI Computer-based interlocking
  • 60. Notation in a chart RDA-RT Remote Data Access Train Router MSC Mobile Switching Center RBC Radio Block Center YW Yardmaster’s workstation IG Integration gateway TCC Train Control Center CTC Centralized traffic control CBI Computer-based interlocking
  • 61. Notation in a chart RDA-RT Remote Data Access Train Router MSC Mobile Switching Center RBC Radio Block Center YW Yardmaster’s workstation IG Integration gateway TCC Train Control Center CTC Centralized traffic control CBI Computer-based interlocking
  • 62. Notation in a chart RDA-RT Remote Data Access Train Router MSC Mobile Switching Center RBC Radio Block Center YW Yardmaster’s workstation IG Integration gateway TCC Train Control Center CTC Centralized traffic control CBI Computer-based interlocking
  • 63. 28C3: Stefan Katzenbeisser: Can trains be hacked?  Multiple trains make use of the same KMAC for a long time  Using weak random number generators during the KSMAC derivation
  • 64. In areas where the European Train Control System (ETCS) Level 2 or 3 is used, the train maintains a circuit switched digital modem connection to the train control centre at all times. … If the modem connection is lost, the train will automatically stop.
  • 65. moving "really fast and passed three stations without stopping" … "due to a fault on the train's antenna that ensures trains stop accurately at each station"... "The train was hence not able to pick up the signal to stop at the next three stations”…
  • 66.
  • 68. ― Remote data recovery (Kc, TIMSI) • Chanel decryption (including A5/3) • «Clone» the SIM and mobile station ― SIM “malware” ― Block SIM via PIN/PUK brute ― Extended OTA features (FOTA) Karsten Nohl, https://srlabs.de/rooting-sim-cards/ Alexander Zaitsev, Sergey Gordeychik , Alexey Osipov, PacSec, Tokyo, Japan, 2014
  • 69.
  • 70.
  • 73.
  • 75.
  • 77.
  • 78.
  • 79.
  • 80.
  • 81.
  • 82.
  • 83.
  • 84.
  • 85.
  • 87. *Allpicturesaretakenfrom googleandotherInternets Alexander Timorin Alexander Tlyapov Alexander Zaitsev Alexey Osipov Andrey Medov Artem Chaykin Denis Baranov Dmitry Efanov Dmitry Nagibin Dmitry Serebryannikov Dmitry Sklyarov Evgeny Ermakov Gleb Gritsai Ilya Karpov Ivan Poliyanchuk Kirill Nesterov Roman Ilin Sergey Bobrov Sergey Drozdov Sergey Gordeychik Sergey Scherbel Sergey Sidorov Timur Yunusov Valentin Shilnenkov Vladimir Kochetkov Vyacheslav Egoshin Yuri Goltsev Yuriy Dyachenko
  • 89.
  • 90. …We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals. Yes, I am a criminal. My crime is that of curiosity…