[HN Gopher] A cheap radio hack disrupted Poland's railway system ___________________________________________________________________ A cheap radio hack disrupted Poland's railway system Author : xrayarx Score : 92 points Date : 2023-08-29 03:49 UTC (19 hours ago) (HTM) web link (www.wired.com) (TXT) w3m dump (www.wired.com) | toomuchtodo wrote: | Previous: https://news.ycombinator.com/item?id=37288856 | oatmeal1 wrote: | The world is astoundingly safe that these sorts of thing don't | happen all the time. Anyone who could light a cigarette could | start wildfires all over California and many other places during | the summer. Anyone who can buy a GPS jammer could disrupt one of | the busiest airports in the world. With all the misanthropes out | there you'd think chaos would happen more often. Glad it doesn't. | lxgr wrote: | > Anyone who can buy a GPS jammer could disrupt one of the | busiest airports in the world. | | Fortunately, that one is not quite the case - the aviation | industry is incredibly safety-conscious and does not allow | relying on GPS exclusively. | | For both en-route navigation and landing, every plane will have | at least one fallback system available (usually ground-based | radionavigation aides such as VORs or DMEs or inertial | navigation systems, which is also what was used for navigation | during ocean crossings before there was GPS), and in fact, | these other systems are seeing more use than you might assume: | https://www.thedrive.com/the-war-zone/17987/usaf-is-jamming-... | jjwiseman wrote: | GPS interference can, and has disrupted airports. The | incident last year in Dallas where there was 24 hours of | significant GPS interference of unknown origin disrupted | operations. And while GPS is not safety critical, the | interference degraded the operation of many different systems | that provide additional layers of safety. | | https://www.gpsworld.com/what-happened-to-gps-in-denver/ | The advisory also said the Wide Area Augmentation System | (WAAS) and Ground-Based Augmentation System (GBAS), | both designed to make navigation with GPS more precise, | as well as the ADS-B collision avoidance and traffic | management system, would be unreliable. Pilots | reported other systems affected such as transponders that | help radar controllers keep track of aircraft, traffic | alert and collision avoidance (TCAS) equipment, | autopilots, electronic flight bags and terrain warning | systems. | | https://www.bloomberg.com/news/articles/2022-10-18/faa- | warns... Flights into the Dallas area are | being forced to take older, cumbersome routes and a | runway at Dallas-Fort Worth International Airport was | temporarily closed after aviation authorities said GPS | signals there aren't reliable. | | https://rntfnd.org/2022/10/18/faa-warns-airline-pilots-as- | gp... Stanford researchers have determined | that the interference event lasted 24 hours, though it | took the air traffic system another 20 hours to reset | and recover. | | From another incident: | | https://www.gpsworld.com/nasa-report-passenger-aircraft- | near... A report filed with NASA's Aviation | Safety Reporting System and published in June outlines | how a passenger aircraft flew off course during a | period of GPS jamming and nearly crashed into a | mountain. Fortunately, an alert radar controller intervened, | and the accident was averted. | toomuchtodo wrote: | Landing is moving away from ILS towards GBAS (TLDR computed | corrections for high precision local positioning in 4D space | within ~30km of the install), provided over unencrypted VHF. | | https://www.faa.gov/about/office_org/headquarters_offices/at. | .. | | https://gssc.esa.int/navipedia/index.php/GBAS_Fundamentals | | https://aerospace.honeywell.com/us/en/products-and- | services/... | lxgr wrote: | Unencrypted does not mean that the plane avionics will just | accept any input without performing plausibility checks. | | Even for "plain" (i.e. unaugmented) GPS, there's | countermeasures, starting from simple physical ones (e.g. | directional antennas leveraging the fact that GPS | satellites are usually located above the airplane and not | below or inside it), up to complicated logical filters | checking all inputs for plausibility and rejecting | suspicious signals and resulting position fixes. | | Galileo even supports message authentication, which thwarts | everything other than (very sophisticated) real-time signal | relaying attacks: | https://berthub.eu/articles/posts/galileos-authentication- | al... | toomuchtodo wrote: | Subverting the positioning is different than denying the | capability entirely through a higher power transmitter. | If you require precise positioning to land and don't have | it, kinda moot whether you're faking messages or | overpowering. During VFR, not a concern. During IFR, low | viz, etc, that is where capability loss is potentially | material. | | https://www.cnet.com/culture/truck-driver-has-gps-jammer- | acc... | | (aware of military receivers that can receive jam | resistant signal, but that is not what commercial | applications have access to) | lxgr wrote: | True, which is why almost all airports have multiple | different types of approaches, including ILS (which is | directional and very high power transmitters in a | specific location to jam). | | The possibility of a large-scale GPS outage or jamming | event is definitely a threat scenario that's being | considered by aviation safety agencies. For example, | here's the FAA's approach for en-route navigation | redundancy, which includes maintaining enough VORs to | ensure that there's at least one within every 100 | nautical miles: https://www.faa.gov/about/office_org/head | quarters_offices/at... | | Yes, denying augmented GPS capabilities will probably | impact operational efficiency significantly, but it | shouldn't endanger safety. | bobthepanda wrote: | A lot of wildfires are caused by fires that are improperly | extinguished, which can be cigarettes. Sometimes it's even | fireworks. | | July 4th consistently has the highest amount of human-caused | wildfire. https://www.reuters.com/graphics/USA- | JULY4/FIREWORKS/klvygax... | praptak wrote: | Up until a point anyone with a knife could hijack a plane and | fly it into a building. | noman-land wrote: | Ceramic and plastic knives exist and could easily be smuggled | aboard an airplane. I think the key insight is that most | people don't want to do mass harm and instead just want to | live in peaceful freedom and do their own thing. | baud147258 wrote: | now the pilots have learned that if there's a person with a | knife aboard the plane, they won't open the cockpit doors | to avoid a potential hijacking and more casualties. And | passengers know that if hijackers take control of the | plane, the hijacker might crash it somewhere instead of | holding the passengers and crew hostage, like it was done | with plane hijackings before 9/11 and might fight back. | | So with the example of the 9/11 attacks, the situation has | changed enough that a plane hijacking with a knife is much | more unlikely | epilys wrote: | There was a time you could just walk around with a radio | receiver and spy on everyone's phonecalls (IMEI stingray). Iirc | it's not possible/that easy anymore with LTE. | livueta wrote: | AFAIK you can still do passive IMSI sniffing, which isn't | full content but is quite interesting metadata. | Scoundreller wrote: | Yeah, I'm going to need a write up/video on this... | | (Not saying you're lying, I just want to learn more!) | sidewndr46 wrote: | stingrays just force the device down to 2G and capture that | Scoundreller wrote: | Do/could SIM cards prevent this downgrade if 2G isn't | provided by your local provider anymore? | | I know my Canadian SIM card somehow hides US providers from | network scans, possibly with some geo or if/then rules (but | visible from my EU SIM that tries its darnedest to latch | onto the US networks and avoid the Canadian ones at all | costs) | sneak wrote: | The TSA misses huge percentages of weapons during the passenger | hand luggage searches in repeated blind testing. | | This means that the standard movie-plot methods of hijacking | aircraft are ridiculously easy to carry out: just bring weapons | on a plane. There's only a 50% chance you get caught. | | This means approximately no one wants to hijack airliners. | imhoguy wrote: | "Never attribute to malice that which is adequately explained | by stupidity" - Hanlon's razor[0] | | Apart of some war zones or crime holes the world is quite safe | and hospitable in general if one doesn't do stupid mistakes or | really ask for problems. Every society has some form of agreed | laws which try to correct a harmful behavior against them. | | Accidental radio interference or setting fire can happen out of | simple stupitidy or incompetence. | | [0] https://en.m.wikipedia.org/wiki/Hanlon%27s_razor | fnord77 wrote: | why aren't hack sabotages seen as acts of war? | | they can do as much or more damage as, say, blowing up a bridge | hawski wrote: | Maybe they could be, but you have to catch someone doing it | first and it would have to be clear they are agents of a | foreign government. That's not easy. | at0mic22 wrote: | You don't need to our days. Just blame Putin, sure bet | nme01 wrote: | I imagine that as with any covert operation it's hard to prove | who's behind it. Blowing up a bridge is also not something that | will cause a war easily. | ajsnigrutin wrote: | Because it could be a 13yo kid doing it "for the lulz", and we | don't need to overreact. | | By changing the traffic lights you can cause a traffic collapse | in the whole city.. and a kid can do it: | | https://interestingengineering.com/innovation/the-fantasy-of... | | > Youtube user VolteGe, who says he is too young to drive, has | nevertheless created a MIRT controlled by an Arduino | microcontroller. | | ADSB spoofing can cause massive problems for the air traffic | control, and software for that is open source, works on a $200 | sdr with a touchscreen and a gui. | | FM transmitters are cheap, and remembering the "war of the | worlds", anyone can create panic for $20 | | etc. | krisoft wrote: | > why aren't hack sabotages seen as acts of war? | | There is this mistaken belief that an act of war somehow | immediately and automatically triggers war. This is not the | case. If a country wants to wage war against an other they will | find a reason. If they don't want to / it is not in their | interest to do so they won't. | | This answers your question. It is not seen as an act of war | because the country in question (Poland) wouldn't benefit from | seeing it as an act of war at this moment in time. | RIMR wrote: | It's also fundamentally irrational to define malicious non- | state actions as acts of war. | | As an example, if someone from Canada were to come to the US | and blow up a government building, no matter how severe the | damage and human loss, we wouldn't dare consider that an act | of war by Canada, unless evidence existed that the Canadian | government or military were involved somehow. | | Likewise, Poland has no interest in defining malicious | actions by a Russian national or Russian Imperialism | supporter as an act of war by Russia without clear evidence | that The Russian state was directly involved. | | Getting back to the original point though, I see no reason | not to define attacks against infrastructure, regardless of | who was responsible, foreign or domestic, or their motives, | as acts of terrorism. | xnzakg wrote: | https://archive.is/vXAEb | Animats wrote: | This is a problem. You don't want an emergency stop signal to be | ignored because somebody didn't update their encryption keys. And | it's very useful for railroad workers to be provided with | handhelds that can send an emergency stop signal. Here's one used | in the US.[1] This is for yard operations, where there's slow- | speed (the US limit is 20mph) traffic going in various directions | without full signal control. Outside the "yard limit", signals | control, and speeds are higher. | | If you have no idea what a railroad yard working environment is | like, here's a Union Pacific recruiting video.[2] They're up- | front about what you're getting into; the intro shows someone at | 5:48 AM in a snowstorm in a railyard in Chicago. | | [1] https://railserve.biz/react-safety-device/ | | [2] https://www.youtube.com/watch?v=lMViWazEYoc | praptak wrote: | This hack is publicly known since at least 2010, here's a police | note about the earliest case I found (in Polish): | https://policja.pl/pol/aktualnosci/56015,quotRadioamatorquot... | toss1 wrote: | >>Because the trains use a radio system that lacks encryption or | authentication for those commands, Olejnik says, anyone with as | little as $30 of off-the-shelf radio equipment can broadcast the | command to a Polish train--sending a series of three acoustic | tones at a 150.100 megahertz frequency--and trigger their | emergency stop function. | | Goes without saying here that this needs to be fixed ASAP. | | >>The railway agency wrote that "there is no threat to rail | passengers. The result of this event is only difficulties in the | running of trains." | | There is no threat to rail passengers, unless a passenger train | does not know about a stopped train ahead of it on the tracks, | e.g., a cargo train go stopped by the hack, but the passenger | train 10min behind it did not and continues to rush onward | towards the stopped cargo train. IDK if Poland's control system | would reliably detects these conditions, but if it does not with | 100% reliability, this is a real threat. | hawski wrote: | AFAIK semaphores would not allow for another train to go where | a train is already. | AnimalMuppet wrote: | Railway signaling works based on whether something _is there_ , | not based on whether it _should be there_. If the freight train | stops, then the signals for the passenger train will tell it | that it cannot proceed. | | I don't know anything specific about Poland's rail signaling, | but they _can 't_ have messed that up. It's written in blood. | mschuster91 wrote: | > There is no threat to rail passengers, unless a passenger | train does not know about a stopped train ahead of it on the | tracks, e.g., a cargo train go stopped by the hack, but the | passenger train 10min behind it did not and continues to rush | onward towards the stopped cargo train. | | Almost everywhere in Europe uses actual signalling blocks | backed by axle counters and DC detection circuits between the | rails of a track, or by physical key/token based interlocks to | detect if a train can safely enter the block. The way the US | does it (especially detecting if a train has not been separated | along the way by using a caboose/end-of-train beacon) may cost | less money, but would be viable to such issues. | smilespray wrote: | Could you effectively perform this hack from a satellite or an | aircraft? 150 MHz should propagate quite a distance given line of | sight. | toomuchtodo wrote: | https://en.wikipedia.org/wiki/Sporadic_E_propagation | | Even without drones, aircraft, or spot beams on satellites, you | might be able to do this with ionospheric bounce or | tropospheric ducting. 150Mhz is on the top of 2 meter HAM | radio. | ajsnigrutin wrote: | Why would you need a satellite for that? A $25 baofeng radio | from aliexpress can transmit on those frequencies, and with | minimal care (not bragging about it), you can do it from pretty | much everywhere with a lot of trains around. The frequency is | mentioned in the article, the only info missing is the tones, | and i'm pretty sure there is some tech manual somewhere on the | "polish internet" that mentions those exact tones. ___________________________________________________________________ (page generated 2023-08-29 23:00 UTC)