Abusing the Train Communication Network or What could have derailed the Northeast Regional #188?
~$> whoami
By day
• Moshe Zioni
• Disguised as ’s Security Research manager.
• Getting paid for doing what I love for some reason. Don’t tell them.
By night
• I’m Batman!
• @dalmoz_
• Messing things up, literally.
Down the track:
• Exposition - The derailment case
• Loco breakdown - components
• Computers and brains, influential elements
• The train bus – intro and attack.
• Attack vectors
• AMTRAK environment and infrastructural additions/modifications
• Concluded attack surface
• Q&A
Friendly Disclaimer
• For educational purposes only.
• NOT A RAIL ACCIDENT EXPERT
• I’m not implying that I’m refuting any conclusions done by court or NTSB.
• I’m not related/employed to/by Amtrak, or Amtrak employees, in any way.
• No intention to insult Siemens/Amtrak engineers. Humor is just a delivery mechanism.
Philadelphia May 12, 2015
Northeast Regional #188
- Due to over-speeding: 102-106 mph (~164-171 km/h)
- 4th-degree curve, max. speed 50 mph
- Resulted in 8 fatalities and most of the passengers injured (200+).
- NTSB appointed a team to investigate, filed a report earlier this month.
Vector of attack?
• One thing is definite – the derailment’s cause wasn’t due to changes in signaling OR the railroad switch system (interlocking).
• What can achieve control over locomotive speed?
Amtrak Cities Sprinter (ACS-64)
- Designed by Siemens Mobility, based on the EuroSprinter (2001) and Vectron (2010) models
- Manufactured by Siemens in Florida, 2012-2014
- Deployed on Northeast and Keystone corridors
- Electric locomotive, no diesel combo
- Automation system: Siemens’ SIBAS 32
- There are thousands of ACS-64-like locomotives around the world, mainly in Europe.
Multifunction Vehicle Bus - MVB
- Field bus protocol, designed to be fail-safe.
- Single Master – Many Slaves
- Central Control Unit (CCU) – Master node, sending all other nodes polling requests.
- Traction Control Unit (TCU) – one of many slave nodes, controlled over MVB in order to adjust state (e.g. speed).
[Diagram: two consists, each with a WTB node and an MVB gateway; devices hanging off the MVB include:]
• Traction
• Brakes (except air brakes)
• Seat reservation
• Air conditioning, HVAC
• Door control
• Information display
• PA
• …
Multifunction Vehicle Bus - MVB
- Different physical-layer interfaces:
  - ESD, RS485, short distance
  - EMD, coupled, medium distance
  - Fiber, for long distances
  - Very common to see repeaters in use
- Each device is basically a node, identified by ID number(s) (up to 4095 total)
- Not all MVB nodes are created equal – some are more privileged than others …
MVB – Principle of Operation
- Addresses can be polled for status or for a response that will feed other nodes on the bus.
- Example:
  - Master polls the throttle lever ->
  - The lever answers “increase speed” ->
  - Answer is read by the Traction System ->
  - Execute!
MVB Protocol security weaknesses
• No authentication
• Traffic not encrypted
• No built-in screening process. Promiscuous.
• “Single Master” … YES. Annnnnd NO.
Forging requests should be easy, right?
• Straight-forward injections proved to be non-deterministic in nature.
• Very sensitive to timing, delays, sync.
• “Clock” is on Master side.
• Slaves respond only on polling.
• Different stacks (vendors) behaved differently.
• So – we need more power!
Hijacking Mastership – Act 0
Listen and enumerate devices on the bus. Select an unoccupied ID.
[Diagram: CCU (Master), ID: 1, ID: 2]
Hijacking Mastership – Act 1
Await the status poll scan – and identify yourself (BA bit set to 1).
[Diagram: CCU (Master), ID: 1, ID: 2, ID: 1337 with BA bit = 1]
Hijacking Mastership – Act 2
Master: are you open to mastership now?
Attacker: YES!! ME! ME! ME! (ACT bit = 1)
[Diagram: CCU (Master), ID: 1, ID: 2, ID: 1337 with ACT bit = 1]
Hijacking Mastership – Act 2
Enjoy your Mastership! (normally, up to 256 x 1024 ms)
[Diagram: CCU, ID: 1, ID: 2, ID: 1337 with BA bit = 1, now (Master)]
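From the defender's side, every one of the acts above leaves a trace on the bus: a device ID that was never commissioned starts answering polls (Act 0/1), a node that should never be bus administrator advertises the BA bit (Act 1), a node signals readiness to take over (ACT bit, Act 2), and mastership is finally handed to it. The passive monitor below is an added example, not code from the talk or from Siemens; it assumes a bus tap has already decoded MVB frames into the constructed one-line-per-event text format shown in the docstring (the field names `dev`, `ba`, `act`, `from`, `to`, `accepted` are placeholders chosen for this example), and it checks each event against a commissioning inventory and a BA allowlist.

```python
"""Passive MVB bus monitor (added example, illustrative only).

Assumed input (constructed, not an MVB wire format): one decoded event per
line, produced by a bus tap, in one of two shapes:

    t=<seconds> status   dev=<id> ba=<0|1> act=<0|1>
    t=<seconds> transfer from=<id> to=<id> accepted=<0|1>

`ba` is the bus-administrator capability bit and `act` the bit the slides
show the attacker setting when accepting mastership.
"""
from dataclasses import dataclass, field
import re

EVENT_RE = re.compile(r"t=(?P<t>[\d.]+)\s+(?P<kind>status|transfer)\s+(?P<rest>.*)")


@dataclass
class Alert:
    t: float
    kind: str
    device: int
    detail: str


@dataclass
class MvbMonitor:
    inventory: dict                      # device id -> role, from commissioning docs
    ba_allowed: set                      # device ids permitted to hold mastership
    master: int                          # id believed to hold mastership right now
    alerts: list = field(default_factory=list)
    raised: set = field(default_factory=set)   # (kind, dev) pairs already reported

    def _raise(self, t, kind, dev, detail):
        # One alert per (kind, device) so a repeating poll does not flood the log.
        if (kind, dev) not in self.raised:
            self.raised.add((kind, dev))
            self.alerts.append(Alert(t, kind, dev, detail))

    def feed(self, line):
        m = EVENT_RE.match(line.strip())
        if not m:
            return                        # ignore lines the tap could not decode
        t = float(m["t"])
        fields = {k: int(v) for k, v in (p.split("=", 1) for p in m["rest"].split())}
        if m["kind"] == "status":
            self._on_status(t, fields["dev"], fields["ba"], fields["act"])
        else:
            self._on_transfer(t, fields["from"], fields["to"], fields["accepted"])

    def _on_status(self, t, dev, ba, act):
        # Act 0/1: an ID that is not in the commissioning inventory answers a poll.
        if dev not in self.inventory:
            self._raise(t, "UNKNOWN_DEVICE", dev, "answers polls but is not in inventory")
        # Act 1: a node advertises bus-administrator capability it must not have.
        if ba and dev not in self.ba_allowed:
            self._raise(t, "UNEXPECTED_BA", dev, "advertises BA capability")
        # Act 2: a node signals it is ready to accept mastership.
        if act and dev not in self.ba_allowed:
            self._raise(t, "UNEXPECTED_ACT", dev, "signals readiness to accept mastership")

    def _on_transfer(self, t, src, dst, accepted):
        if not accepted:
            return
        # The takeover itself: mastership accepted by a node outside the allowlist.
        if dst not in self.ba_allowed:
            self._raise(t, "MASTERSHIP_HIJACK", dst, f"accepted mastership from {src}")
        self.master = dst


def analyse(lines, inventory, ba_allowed, initial_master):
    """Run the monitor over a decoded event log and return it with its alerts."""
    mon = MvbMonitor(dict(inventory), set(ba_allowed), initial_master)
    for line in lines:
        mon.feed(line)
    return mon


# Constructed sample log: a normal CCU/TCU exchange, then the three acts.
SAMPLE_LOG = """
t=0.000 status dev=1 ba=1 act=0
t=0.001 status dev=2 ba=0 act=0
t=1.000 status dev=1337 ba=1 act=0
t=2.000 status dev=1337 ba=1 act=1
t=2.001 transfer from=1 to=1337 accepted=1
""".strip().splitlines()

INVENTORY = {1: "CCU", 2: "TCU"}      # constructed: the two nodes on the slides
BA_ALLOWED = {1}                      # only the CCU may ever be bus administrator

if __name__ == "__main__":
    mon = analyse(SAMPLE_LOG, INVENTORY, BA_ALLOWED, 1)
    for a in mon.alerts:
        print(f"[{a.t:8.3f}s] {a.kind:<18} dev={a.device:<5} {a.detail}")
    print("current master:", mon.master)
```

Run against the sample log, the monitor reports four alerts in order (unknown device, unexpected BA, unexpected ACT, mastership hijack) and ends believing ID 1337 holds mastership; the first two lines alone, the legitimate CCU/TCU exchange, produce none. The inventory and allowlist are the whole point: because MVB itself carries no authentication, the only thing that can distinguish a rogue bus administrator from a real one is out-of-band knowledge of which IDs were commissioned on that consist.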
INFECTION VECTORS – PHYSICAL DOMAIN
- Most ‘accessible’ location is the electronics cabinet. Resides at the end of each Amfleet Business/Coach car.
- MVB extended locations (e.g. lighting, reservation, A/C, doors)
- Supply chain compromise – 70+ factories were involved in assembling the ACS-64.
- ACS-64s were on public display and out-of-base tours, like on Veterans’ Day and National Train Day.
- And… just ask for a cab ride!
“…the equipment is connected to the Central Control Unit (CCU) or ‘brain.’ The brain itself is located inside the train…access points are what send the brain’s communications throughout the train and allow a customer to connect to the Internet”
Positive Train Control
External comms.: GSM-R & RF
Internally – connected through MVB/Ethernet.
The only thing, except the driver, that should ‘command’ the TCU.
“Utilizing existing [PTC] infrastructure is critical to the success of the project … Certainly on the Northeast Corridor this is absolutely key to the initiative … Amtrak is very excited about the possibilities that this could offer”
Wrapping up
• MVB is old, should be treated as legacy and dangerous.
• Use alternative networks (ECN, TRDP)
• Air gapping should be strictly enforced.
• Test your systems!