Abusing the Train Communication Network or What could have derailed the Northeast Regional #188?


Transcript of Abusing the Train Communication Network or What could have derailed the Northeast Regional #188?


~$> whoami

By day

• Moshe Zioni

• Disguised as ’s Security Research manager.

• Getting paid for doing what I love for some reason. Don’t tell them.

By night

• I’m Batman!

• @dalmoz_

• Messing things up, literally.

Down the track:

• Exposition - The derailment case

• Loco breakdown - components

• Computer and brains, influential elements

• The train bus – intro and attack.

• Attack vectors

• AMTRAK environment and infrastructural additions/modifications

• Concluded attack surface

• Q&A

Friendly Disclaimer

• For educational purposes only.

• NOT A RAIL ACCIDENT EXPERT

• I’m not implying that I’m refuting any conclusions reached by the court or the NTSB.

• I’m not related to or employed by Amtrak, or Amtrak employees, in any way.

• No intention to insult Siemens/Amtrak engineers. Humor is just a delivery mechanism.

Philadelphia May 12, 2015

Northeast Regional #188

- Due to overspeed: 102-106 mph (~164-171 km/h)

- 4-degree curve, max. speed 50 mph

- Resulted in 8 fatalities, with most of the passengers injured (200+).

- NTSB appointed a team to investigate and filed a report earlier this month.

Cause?

Vector of attack?

• One thing is definite – the derailment’s cause wasn’t a change in the signaling OR the railroad switch system (interlocking).

• What can achieve control over locomotive speed?

Amtrak Cities Sprinter (ACS-64)

- Designed by Siemens Mobility, based on the EuroSprinter (2001) and Vectron (2010) models

- Manufactured by Siemens in Florida, 2012-2014

- Deployed on Northeast and Keystone corridors

- Electric locomotive, no diesel combo

- Automation system: Siemens’ SIBAS 32

- There are thousands of ACS-64-like locomotives around the world, mainly in Europe.

ACS-64 internals – Traction and Brakes

[Diagram labels: TCU, CCU, ATP/PTC, consoles, driver console, throttle, air braking, signaling; side views]

Fun and Profit at Train Communication Network land

Multifunction Vehicle Bus - MVB

- Field bus protocol, designed to be fail-safe.

- Single master – many slaves

- Central Control Unit (CCU) – master node; sends polling requests to all other nodes.

- Traction Control Unit (TCU) – one of many slave nodes; controlled over MVB in order to adjust its state (e.g. speed).

[Diagram: two WTB nodes, each connected to the MVB through an MVB gateway]

Functions on the MVB:

• Traction

• Brakes (except air brakes)

• Seat reservation

• Air conditioning, HVAC

• Door control

• Information display

• PA

• …

Multifunction Vehicle Bus - MVB

- Different physical-layer interfaces:
  - ESD (RS-485), short distance
  - EMD (coupled), medium distance
  - Fiber, for long distances
  - Very common to see repeaters in use

- Each device is basically a node, identified by ID number(s) (up to 4095 total)

- Not all MVB nodes are created equal – some are more privileged than others …

MVB – Principle of Operation

- Addresses can be polled for status, or for a response that feeds other nodes on the bus.

- Example:
  - Master polls the throttle lever ->
  - The lever answers “increase speed” ->
  - Answer read by the traction system ->
  - Execute!


Our reaction, pretty much


MVB Protocol security weaknesses

• No authentication

• Traffic not encrypted

• No built-in screening process. Promiscuous.

• “Single Master” … YES. annnnnd NO

Forging requests should be easy, right?

• Straightforward injections proved to be non-deterministic in nature.

• Very sensitive to timing, delays, sync.

• “Clock” is on Master side.

• Slaves respond only on polling.

• Different stacks (vendors) behaved differently.

• So – we need more power!

Then - A wild vulnerability appeared!

Hijacking Mastership – Act 0

Listen and enumerate the devices on the bus. Select an unoccupied ID.

[Diagram: CCU (Master), ID: 1, ID: 2]

Hijacking Mastership – Act 1

Await the status poll scan and identify yourself with the BA bit set to 1.

[Diagram: CCU (Master), ID: 1, ID: 2, ID: 1337 (BA bit = 1)]

Hijacking Mastership – Act 2

Master: are you open to mastership now?

Attacker: YES!! ME! ME! ME! (ACT bit = 1)

[Diagram: CCU (Master), ID: 1, ID: 2, ID: 1337 (ACT bit = 1)]

Hijacking Mastership – Act 2

Enjoy your mastership! (normally, up to 256 × 1024 ms)

[Diagram: CCU, ID: 1, ID: 2, ID: 1337 (BA bit = 1, Master)]
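From the defender’s side, the poll/response shape from the Principle of Operation slide and the three-act handover above are exactly what a passive bus monitor should be watching for. The following is an added example, not from the talk: an audit over a constructed, simplified capture (the line format, frame names and the BA/ACT flag encoding are assumptions, not the IEC 61375 wire format) that flags an un-inventoried ID answering a poll, a non-allowed device advertising BA=1, and mastership being offered to or taken by anything other than the configured CCU.

```python
import re

# Assumed baseline for this (constructed) consist: the CCU (ID 1) is the only
# device allowed to hold mastership, and IDs 1 and 2 are the inventoried nodes.
ALLOWED_ADMINS = {1}
INVENTORY = {1, 2}

# Constructed capture, one frame per line: "<t_ms> <M|S> <frame> <device_id> [K=V,...]"
# M = master frame (sent by the current master), S = slave response.
CAPTURE = """\
0 M STATUS_POLL 1
1 S STATUS 1 BA=1
2 M STATUS_POLL 2
3 S STATUS 2 BA=0
4 M STATUS_POLL 1337
5 S STATUS 1337 BA=1
6 M MASTERSHIP_OFFER 1337
7 S MASTERSHIP_ACCEPT 1337 ACT=1
"""

LINE = re.compile(r"^(\d+) ([MS]) (\w+) (\d+)(?: (\S+))?$")

def parse_frame(line):
    """Parse one capture line into (t_ms, direction, frame, device_id, flags)."""
    m = LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable capture line: {line!r}")
    t, direction, frame, dev, raw = m.groups()
    flags = dict(kv.split("=", 1) for kv in raw.split(",")) if raw else {}
    return int(t), direction, frame, int(dev), flags

def audit_capture(capture, inventory=INVENTORY, allowed=ALLOWED_ADMINS):
    """Walk the capture and return (alerts, final_master)."""
    alerts, master = [], None
    for line in capture.splitlines():
        t, direction, frame, dev, flags = parse_frame(line)
        if direction == "S" and dev not in inventory:          # Act 0: unoccupied ID shows up
            alerts.append((t, f"unknown device {dev} responded on the bus"))
        if frame == "STATUS" and flags.get("BA") == "1" and dev not in allowed:  # Act 1
            alerts.append((t, f"device {dev} advertises bus-administrator capability"))
        if frame == "MASTERSHIP_OFFER" and dev not in allowed:  # Act 2: offer to a stranger
            alerts.append((t, f"mastership offered to non-allowed device {dev}"))
        if frame == "MASTERSHIP_ACCEPT" and flags.get("ACT") == "1":
            master = dev                                        # bus now has a new master
            if dev not in allowed:
                alerts.append((t, f"device {dev} took mastership"))
    return alerts, master

if __name__ == "__main__":
    for t, msg in audit_capture(CAPTURE)[0]:
        print(f"t={t}ms ALERT {msg}")
```

On a real consist the inventory and allowed-admin sets would come from the commissioning records, and the same logic applies to the static-master check the talk recommends at the end (a master change of any kind is an event worth paging on).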

So, What can an attacker do now?

INFECTION VECTORS – PHYSICAL DOMAIN

- The most ‘accessible’ location is the electronics cabinet. It resides at the end of each Amfleet Business/Coach car.

- MVB extended locations (e.g. lighting, reservation, A/C, doors)

- Supply chain compromise – 70+ factories were involved in assembling the ACS-64.

- ACS-64s were on public display and out-of-base tours, e.g. on Veterans Day and National Train Day.

- And… just ask for a cab ride!

Notice No. 70

Extended attack surface?

WARNING: HIGHLY SPECULATIVE

Let’s be cliché about not air-gapping

“…the equipment is connected to the Central Control Unit (CCU) or ‘brain.’ The brain itself is located inside the train…access points are what send the brain’s communications throughout the train and allow a customer to connect to the Internet”

Seriously guys, let’s air-gap it!

Positive Train Control

External comms: GSM-R & RF

Internally: connected through MVB/Ethernet.

The only thing, except the driver, that should ‘command’ the TCU.

Oooh, what’s that??

“Utilizing existing [PTC] infrastructure is critical to the success of the project … Certainly on the Northeast Corridor this is absolutely key to the initiative … Amtrak is very excited about the possibilities that this could offer”

Wrapping up

• MVB is old, should be treated as legacy and dangerous.

• Use alternative networks (ECN, TRDP)

• Air gapping should be strictly enforced.

• Test your systems!

Thank You!

@dalmoz_
