Train Systems Are Vulnerable To Hacking

Commute delayed? Could be a cyberattacker on the tracks

Train technology is so old it should be futureproof. The lumbering iron giants cover much of the world, carrying billions of tons of freight and billions of passengers. Since the first trains were introduced just over two centuries ago, trains have adapted to increased use, world wars, and natural disasters, and engineers have still made the mechanical beasts work. Now, security researchers in Germany have found a new foe with which trains must contend: hackers.

Many of the risks stem from new, internet-dependent automated systems. Motherboard reports:

The flaws were exposed by German whitehat security researchers SCADA Strangelove, who have previously looked at security flaws in green energy systems and smartgrids. Their presentation, entitled “The Great Train Cyber Robbery,” was given at the Chaos Communication Congress in Hamburg on December 27th. It details the change from simple mechanical rail-switches (think levers thrown on tracks in old-timey movies) to more automated means. One problem is that some switches require constant access to the internet, and if that signal is lost the trains stop automatically. More embarrassing, for one of the train systems they looked at there were still default passwords associated with admin accounts, leaving access to the system wide open.

Their discoveries are detailed in a 110-slide presentation, though not in so much detail that an attacker can figure out exactly the trains to traget. In their presentation abstract, SCADA Strangelove clarifies “No vendor names and vulnerabilities details will be released, for obvious reasons.” While trains can’t be commandeered and stolen like other vehicles, there is still plenty that can go wrong if a malicious attacker takes control, with delays at a minimum and train-on-train collision as the scarier risk.

Fortunately, just because it can be done doesn’t mean it’s likely. There’s no obvious profit in delaying trains, and getting into the systems to find the vulnerabilities is a time-intensive process.

Which is to say: man-machines in electric cafes will still need to do some kraftwerk in computer world to figure out how to turn radio activity into trans-europe distress. Then, and only then, does it make more sense to take the autobahn.

Motherboard

Kelsey D. Atherton
Kelsey D. Atherton

Kelsey D. Atherton is a defense technology journalist based in Albuquerque, New Mexico. His work on drones, lethal AI, and nuclear weapons has appeared in Slate, The New York Times, Foreign Policy, and elsewhere.