[HN Gopher] A cheap radio hack disrupted Poland's railway system
___________________________________________________________________
A cheap radio hack disrupted Poland's railway system
Author : xrayarx
Score : 92 points
Date : 2023-08-29 03:49 UTC (19 hours ago)
(HTM) web link (www.wired.com)
(TXT) w3m dump (www.wired.com)
| toomuchtodo wrote:
| Previous: https://news.ycombinator.com/item?id=37288856
| oatmeal1 wrote:
| The world is astoundingly safe that these sorts of thing don't
| happen all the time. Anyone who could light a cigarette could
| start wildfires all over California and many other places during
| the summer. Anyone who can buy a GPS jammer could disrupt one of
| the busiest airports in the world. With all the misanthropes out
| there you'd think chaos would happen more often. Glad it doesn't.
| lxgr wrote:
| > Anyone who can buy a GPS jammer could disrupt one of the
| busiest airports in the world.
|
| Fortunately, that one is not quite the case - the aviation
| industry is incredibly safety-conscious and does not allow
| relying on GPS exclusively.
|
| For both en-route navigation and landing, every plane will have
| at least one fallback system available (usually ground-based
| radionavigation aides such as VORs or DMEs or inertial
| navigation systems, which is also what was used for navigation
| during ocean crossings before there was GPS), and in fact,
| these other systems are seeing more use than you might assume:
| https://www.thedrive.com/the-war-zone/17987/usaf-is-jamming-...
| jjwiseman wrote:
| GPS interference can, and has disrupted airports. The
| incident last year in Dallas where there was 24 hours of
| significant GPS interference of unknown origin disrupted
| operations. And while GPS is not safety critical, the
| interference degraded the operation of many different systems
| that provide additional layers of safety.
|
| https://www.gpsworld.com/what-happened-to-gps-in-denver/
| The advisory also said the Wide Area Augmentation System
| (WAAS) and Ground-Based Augmentation System (GBAS),
| both designed to make navigation with GPS more precise,
| as well as the ADS-B collision avoidance and traffic
| management system, would be unreliable. Pilots
| reported other systems affected such as transponders that
| help radar controllers keep track of aircraft, traffic
| alert and collision avoidance (TCAS) equipment,
| autopilots, electronic flight bags and terrain warning
| systems.
|
| https://www.bloomberg.com/news/articles/2022-10-18/faa-
| warns... Flights into the Dallas area are
| being forced to take older, cumbersome routes and a
| runway at Dallas-Fort Worth International Airport was
| temporarily closed after aviation authorities said GPS
| signals there aren't reliable.
|
| https://rntfnd.org/2022/10/18/faa-warns-airline-pilots-as-
| gp... Stanford researchers have determined
| that the interference event lasted 24 hours, though it
| took the air traffic system another 20 hours to reset
| and recover.
|
| From another incident:
|
| https://www.gpsworld.com/nasa-report-passenger-aircraft-
| near... A report filed with NASA's Aviation
| Safety Reporting System and published in June outlines
| how a passenger aircraft flew off course during a
| period of GPS jamming and nearly crashed into a
| mountain. Fortunately, an alert radar controller intervened,
| and the accident was averted.
| toomuchtodo wrote:
| Landing is moving away from ILS towards GBAS (TLDR computed
| corrections for high precision local positioning in 4D space
| within ~30km of the install), provided over unencrypted VHF.
|
| https://www.faa.gov/about/office_org/headquarters_offices/at.
| ..
|
| https://gssc.esa.int/navipedia/index.php/GBAS_Fundamentals
|
| https://aerospace.honeywell.com/us/en/products-and-
| services/...
| lxgr wrote:
| Unencrypted does not mean that the plane avionics will just
| accept any input without performing plausibility checks.
|
| Even for "plain" (i.e. unaugmented) GPS, there's
| countermeasures, starting from simple physical ones (e.g.
| directional antennas leveraging the fact that GPS
| satellites are usually located above the airplane and not
| below or inside it), up to complicated logical filters
| checking all inputs for plausibility and rejecting
| suspicious signals and resulting position fixes.
|
| Galileo even supports message authentication, which thwarts
| everything other than (very sophisticated) real-time signal
| relaying attacks:
| https://berthub.eu/articles/posts/galileos-authentication-
| al...
| toomuchtodo wrote:
| Subverting the positioning is different than denying the
| capability entirely through a higher power transmitter.
| If you require precise positioning to land and don't have
| it, kinda moot whether you're faking messages or
| overpowering. During VFR, not a concern. During IFR, low
| viz, etc, that is where capability loss is potentially
| material.
|
| https://www.cnet.com/culture/truck-driver-has-gps-jammer-
| acc...
|
| (aware of military receivers that can receive jam
| resistant signal, but that is not what commercial
| applications have access to)
| lxgr wrote:
| True, which is why almost all airports have multiple
| different types of approaches, including ILS (which is
| directional and very high power transmitters in a
| specific location to jam).
|
| The possibility of a large-scale GPS outage or jamming
| event is definitely a threat scenario that's being
| considered by aviation safety agencies. For example,
| here's the FAA's approach for en-route navigation
| redundancy, which includes maintaining enough VORs to
| ensure that there's at least one within every 100
| nautical miles: https://www.faa.gov/about/office_org/head
| quarters_offices/at...
|
| Yes, denying augmented GPS capabilities will probably
| impact operational efficiency significantly, but it
| shouldn't endanger safety.
| bobthepanda wrote:
| A lot of wildfires are caused by fires that are improperly
| extinguished, which can be cigarettes. Sometimes it's even
| fireworks.
|
| July 4th consistently has the highest amount of human-caused
| wildfire. https://www.reuters.com/graphics/USA-
| JULY4/FIREWORKS/klvygax...
| praptak wrote:
| Up until a point anyone with a knife could hijack a plane and
| fly it into a building.
| noman-land wrote:
| Ceramic and plastic knives exist and could easily be smuggled
| aboard an airplane. I think the key insight is that most
| people don't want to do mass harm and instead just want to
| live in peaceful freedom and do their own thing.
| baud147258 wrote:
| now the pilots have learned that if there's a person with a
| knife aboard the plane, they won't open the cockpit doors
| to avoid a potential hijacking and more casualties. And
| passengers know that if hijackers take control of the
| plane, the hijacker might crash it somewhere instead of
| holding the passengers and crew hostage, like it was done
| with plane hijackings before 9/11 and might fight back.
|
| So with the example of the 9/11 attacks, the situation has
| changed enough that a plane hijacking with a knife is much
| more unlikely
| epilys wrote:
| There was a time you could just walk around with a radio
| receiver and spy on everyone's phonecalls (IMEI stingray). Iirc
| it's not possible/that easy anymore with LTE.
| livueta wrote:
| AFAIK you can still do passive IMSI sniffing, which isn't
| full content but is quite interesting metadata.
| Scoundreller wrote:
| Yeah, I'm going to need a write up/video on this...
|
| (Not saying you're lying, I just want to learn more!)
| sidewndr46 wrote:
| stingrays just force the device down to 2G and capture that
| Scoundreller wrote:
| Do/could SIM cards prevent this downgrade if 2G isn't
| provided by your local provider anymore?
|
| I know my Canadian SIM card somehow hides US providers from
| network scans, possibly with some geo or if/then rules (but
| visible from my EU SIM that tries its darnedest to latch
| onto the US networks and avoid the Canadian ones at all
| costs)
| sneak wrote:
| The TSA misses huge percentages of weapons during the passenger
| hand luggage searches in repeated blind testing.
|
| This means that the standard movie-plot methods of hijacking
| aircraft are ridiculously easy to carry out: just bring weapons
| on a plane. There's only a 50% chance you get caught.
|
| This means approximately no one wants to hijack airliners.
| imhoguy wrote:
| "Never attribute to malice that which is adequately explained
| by stupidity" - Hanlon's razor[0]
|
| Apart of some war zones or crime holes the world is quite safe
| and hospitable in general if one doesn't do stupid mistakes or
| really ask for problems. Every society has some form of agreed
| laws which try to correct a harmful behavior against them.
|
| Accidental radio interference or setting fire can happen out of
| simple stupitidy or incompetence.
|
| [0] https://en.m.wikipedia.org/wiki/Hanlon%27s_razor
| fnord77 wrote:
| why aren't hack sabotages seen as acts of war?
|
| they can do as much or more damage as, say, blowing up a bridge
| hawski wrote:
| Maybe they could be, but you have to catch someone doing it
| first and it would have to be clear they are agents of a
| foreign government. That's not easy.
| at0mic22 wrote:
| You don't need to our days. Just blame Putin, sure bet
| nme01 wrote:
| I imagine that as with any covert operation it's hard to prove
| who's behind it. Blowing up a bridge is also not something that
| will cause a war easily.
| ajsnigrutin wrote:
| Because it could be a 13yo kid doing it "for the lulz", and we
| don't need to overreact.
|
| By changing the traffic lights you can cause a traffic collapse
| in the whole city.. and a kid can do it:
|
| https://interestingengineering.com/innovation/the-fantasy-of...
|
| > Youtube user VolteGe, who says he is too young to drive, has
| nevertheless created a MIRT controlled by an Arduino
| microcontroller.
|
| ADSB spoofing can cause massive problems for the air traffic
| control, and software for that is open source, works on a $200
| sdr with a touchscreen and a gui.
|
| FM transmitters are cheap, and remembering the "war of the
| worlds", anyone can create panic for $20
|
| etc.
| krisoft wrote:
| > why aren't hack sabotages seen as acts of war?
|
| There is this mistaken belief that an act of war somehow
| immediately and automatically triggers war. This is not the
| case. If a country wants to wage war against an other they will
| find a reason. If they don't want to / it is not in their
| interest to do so they won't.
|
| This answers your question. It is not seen as an act of war
| because the country in question (Poland) wouldn't benefit from
| seeing it as an act of war at this moment in time.
| RIMR wrote:
| It's also fundamentally irrational to define malicious non-
| state actions as acts of war.
|
| As an example, if someone from Canada were to come to the US
| and blow up a government building, no matter how severe the
| damage and human loss, we wouldn't dare consider that an act
| of war by Canada, unless evidence existed that the Canadian
| government or military were involved somehow.
|
| Likewise, Poland has no interest in defining malicious
| actions by a Russian national or Russian Imperialism
| supporter as an act of war by Russia without clear evidence
| that The Russian state was directly involved.
|
| Getting back to the original point though, I see no reason
| not to define attacks against infrastructure, regardless of
| who was responsible, foreign or domestic, or their motives,
| as acts of terrorism.
| xnzakg wrote:
| https://archive.is/vXAEb
| Animats wrote:
| This is a problem. You don't want an emergency stop signal to be
| ignored because somebody didn't update their encryption keys. And
| it's very useful for railroad workers to be provided with
| handhelds that can send an emergency stop signal. Here's one used
| in the US.[1] This is for yard operations, where there's slow-
| speed (the US limit is 20mph) traffic going in various directions
| without full signal control. Outside the "yard limit", signals
| control, and speeds are higher.
|
| If you have no idea what a railroad yard working environment is
| like, here's a Union Pacific recruiting video.[2] They're up-
| front about what you're getting into; the intro shows someone at
| 5:48 AM in a snowstorm in a railyard in Chicago.
|
| [1] https://railserve.biz/react-safety-device/
|
| [2] https://www.youtube.com/watch?v=lMViWazEYoc
| praptak wrote:
| This hack is publicly known since at least 2010, here's a police
| note about the earliest case I found (in Polish):
| https://policja.pl/pol/aktualnosci/56015,quotRadioamatorquot...
| toss1 wrote:
| >>Because the trains use a radio system that lacks encryption or
| authentication for those commands, Olejnik says, anyone with as
| little as $30 of off-the-shelf radio equipment can broadcast the
| command to a Polish train--sending a series of three acoustic
| tones at a 150.100 megahertz frequency--and trigger their
| emergency stop function.
|
| Goes without saying here that this needs to be fixed ASAP.
|
| >>The railway agency wrote that "there is no threat to rail
| passengers. The result of this event is only difficulties in the
| running of trains."
|
| There is no threat to rail passengers, unless a passenger train
| does not know about a stopped train ahead of it on the tracks,
| e.g., a cargo train go stopped by the hack, but the passenger
| train 10min behind it did not and continues to rush onward
| towards the stopped cargo train. IDK if Poland's control system
| would reliably detects these conditions, but if it does not with
| 100% reliability, this is a real threat.
| hawski wrote:
| AFAIK semaphores would not allow for another train to go where
| a train is already.
| AnimalMuppet wrote:
| Railway signaling works based on whether something _is there_ ,
| not based on whether it _should be there_. If the freight train
| stops, then the signals for the passenger train will tell it
| that it cannot proceed.
|
| I don't know anything specific about Poland's rail signaling,
| but they _can 't_ have messed that up. It's written in blood.
| mschuster91 wrote:
| > There is no threat to rail passengers, unless a passenger
| train does not know about a stopped train ahead of it on the
| tracks, e.g., a cargo train go stopped by the hack, but the
| passenger train 10min behind it did not and continues to rush
| onward towards the stopped cargo train.
|
| Almost everywhere in Europe uses actual signalling blocks
| backed by axle counters and DC detection circuits between the
| rails of a track, or by physical key/token based interlocks to
| detect if a train can safely enter the block. The way the US
| does it (especially detecting if a train has not been separated
| along the way by using a caboose/end-of-train beacon) may cost
| less money, but would be viable to such issues.
| smilespray wrote:
| Could you effectively perform this hack from a satellite or an
| aircraft? 150 MHz should propagate quite a distance given line of
| sight.
| toomuchtodo wrote:
| https://en.wikipedia.org/wiki/Sporadic_E_propagation
|
| Even without drones, aircraft, or spot beams on satellites, you
| might be able to do this with ionospheric bounce or
| tropospheric ducting. 150Mhz is on the top of 2 meter HAM
| radio.
| ajsnigrutin wrote:
| Why would you need a satellite for that? A $25 baofeng radio
| from aliexpress can transmit on those frequencies, and with
| minimal care (not bragging about it), you can do it from pretty
| much everywhere with a lot of trains around. The frequency is
| mentioned in the article, the only info missing is the tones,
| and i'm pretty sure there is some tech manual somewhere on the
| "polish internet" that mentions those exact tones.
___________________________________________________________________
(page generated 2023-08-29 23:00 UTC)