Polish Rail Traffic Interrupted by Intentional Radio Interference

Accepted submission by dalek at 2023-08-29 11:32:52 from the STOP-in-the-name-of dept.
Security

Gizmodo [gizmodo.com] and Wired [wired.com], among other sources, report that Polish railways were halted on Friday and Saturday due to unauthorized radio broadcasts. Polish railroads use the broadcasting of three tones on the 151.010 MHz frequency to instruct trains to stop. This occurred in three locations around Poland. Cheap radio equipment would be sufficient to issue the stop command, though whoever broadcast the signal would have needed to be in close proximity to the affected location. Despite the simplicity of the attack, there probably needed to be some coordination to broadcast the signals at different places in Poland.

There is no authentication or encryption on the emergency stop command, though discussions [ycombinator.com] on various forums suggest that only the stop command is broadcast in this manner. A general design principle in railroad signaling systems is that the default should be to stop trains. For example, the multi-colored signaling lights commonly used in the United States and Canada that still mechanically switch between colors will default to a red stop signal [youtube.com]. Trains require long distances to stop, and defaulting to a stop signal will prevent collisions. Authorities in Poland insist that there was no safety risk to rail passengers, and this seems reasonable if the unauthorized broadcasts were only able to issue an emergency stop command but not to instruct trains to move.

When this topic was discussed on Slashdot, it quickly turned to politics, but I find the technical aspects of this much more interesting. In North America, lights and semaphores are common and simple signaling mechanisms that have widespread use. For example, I know from experience that the same signaling system described in the video for use in Canada is also used on many BNSF main lines in the United States. However, other systems are also in use, like the Advanced Train Control System [wikipedia.org] (ATCS) and Positive Train Control [wikipedia.org] (PTC). At some locations in the US, it was possible to use a software defined radio and software like ATCSMon to track the locations of trains [rtl-sdr.com] in the area. However, railroads generally also use unencrypted voice communications between trains and dispatchers, and these can still be monitored with a scanner.

My understanding is that ATCS was unencrypted and could be easily monitored in the locations where it was installed. Not all locations had ATCS installed, meaning that some subdivisions might have ATCS while others did not. More recently, companies like BNSF have been phasing out ATCS [trainorders.com] in favor of new systems, many of which are encrypted [trainorders.com]. I believe that ATCS was broadcast at frequencies around 900 MHz and was unencrypted, whereas PTC signals are broadcast at much lower frequencies around 200 MHz and are encrypted [trainorders.com]. Although the encryption provides a greater level of security, and presumably systems still are engineered to default to stopping trains if the signaling systems aren't functioning, these changes also make it much more difficult to track the movement of trains for anyone who doesn't have the encryption keys.

Perhaps I'm misunderstanding some aspect of the system, but is there anything that would prevent a radio-based signaling system from using public key encryption? For example, a company like BNSF would have a private key for signals from their dispatchers and trains. Any trains operating on one of BNSF's subdivisions, whether BNSF, UP, Amtrak, or any other trains could then use BNSF's public key to decrypt the signals, verify that they were actually sent by the dispatcher, and then act accordingly on the signal. Any trains operating on the subdivision could use their owner's private key to send their location, speed, and any other information. For example, an Amtrak train operating on a BNSF subdivision would use the Amtrak private key to encrypt their data, but anyone with Amtrak's public key, including the BNSF dispatcher, could verify that the data was actually sent by the Amtrak train. This seems like it would make interoperability easier because it wouldn't require sharing the private key with other train operators using BNSF's subdivisions.

Public keys could be freely shared with everyone, meaning that the public could also monitor train locations and signals but would not easily be able to spoof the signals. It would be necessary to ensure that the signaling system wouldn't be vulnerable to a replay attack (recording an earlier encrypted command and repeating it later), but it's not clear that a public key system would be inherently more vulnerable to replay. I am curious if anyone knows why a system like this isn't implemented on US railroads, which should prevent attacks like what happened in Poland, but without locking out the public from monitoring train signals.
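The scheme sketched in the two paragraphs above, worked through as an added Go example; this is not code from the submission and not any railroad's actual protocol. Each operator holds its own private key and publishes the public key, a receiver on board keeps a trust list of operator public keys for the subdivision, every message carries a per-sender sequence number so a recorded frame cannot be replayed, and on any verification failure the receiver falls back to the stop command, matching the fail-safe principle described earlier. Ed25519 signatures (the standard way to get "verify with the public key") stand in for the submission's "encrypt with the private key" wording; the operator name "host-dispatch", the message layout and the command values are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Command values carried in a signaling message (constructed for this example).
const (
	CmdStop    byte = 0
	CmdProceed byte = 1
)

// Message is a hypothetical signaling message: the sending operator, a per-sender
// monotonically increasing sequence number (replay protection), and the command.
type Message struct {
	Sender string
	Seq    uint64
	Cmd    byte
}

// encode serialises exactly the fields that the signature covers.
func (m Message) encode() []byte {
	buf := []byte{byte(len(m.Sender))}
	buf = append(buf, m.Sender...)
	var seq [8]byte
	binary.BigEndian.PutUint64(seq[:], m.Seq)
	buf = append(buf, seq[:]...)
	return append(buf, m.Cmd)
}

// Signed is the on-air frame: the message plus the sender's Ed25519 signature.
// Nothing is encrypted, so anyone with a receiver can still read and monitor it.
type Signed struct {
	Msg Message
	Sig []byte
}

// Sign produces a frame with the sender's private key.
func Sign(priv ed25519.PrivateKey, m Message) Signed {
	return Signed{Msg: m, Sig: ed25519.Sign(priv, m.encode())}
}

var (
	ErrUnknownSender = errors.New("sender not in trust list")
	ErrBadSignature  = errors.New("signature does not verify")
	ErrReplay        = errors.New("sequence number not newer than last accepted")
)

// Receiver is the on-board side: public keys of every operator allowed to issue
// commands on this subdivision, plus the last sequence number accepted from each.
type Receiver struct {
	trusted map[string]ed25519.PublicKey
	lastSeq map[string]uint64
}

func NewReceiver(trusted map[string]ed25519.PublicKey) *Receiver {
	return &Receiver{trusted: trusted, lastSeq: map[string]uint64{}}
}

// Accept validates a frame and returns the command to act on.
// Fail-safe: on any failure the returned command is CmdStop. The signature is
// checked before the sequence number so a forged frame cannot advance the counter.
func (r *Receiver) Accept(f Signed) (byte, error) {
	pub, ok := r.trusted[f.Msg.Sender]
	if !ok {
		return CmdStop, ErrUnknownSender
	}
	if !ed25519.Verify(pub, f.Msg.encode(), f.Sig) {
		return CmdStop, ErrBadSignature
	}
	if last, seen := r.lastSeq[f.Msg.Sender]; seen && f.Msg.Seq <= last {
		return CmdStop, ErrReplay
	}
	r.lastSeq[f.Msg.Sender] = f.Msg.Seq
	return f.Msg.Cmd, nil
}

// RunScenario exercises the receiver with a genuine frame, a replay of that same
// recorded frame, and a frame signed by a key that is not on the trust list.
func RunScenario() (accepted byte, replayErr, forgeErr error) {
	dispPub, dispPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, roguePriv, err := ed25519.GenerateKey(rand.Reader) // key not trusted by the receiver
	if err != nil {
		panic(err)
	}
	onboard := NewReceiver(map[string]ed25519.PublicKey{"host-dispatch": dispPub})

	genuine := Sign(dispPriv, Message{Sender: "host-dispatch", Seq: 1, Cmd: CmdProceed})
	accepted, _ = onboard.Accept(genuine)
	_, replayErr = onboard.Accept(genuine) // same bytes transmitted again
	forged := Sign(roguePriv, Message{Sender: "host-dispatch", Seq: 2, Cmd: CmdProceed})
	_, forgeErr = onboard.Accept(forged) // claims to be host-dispatch, wrong key
	return accepted, replayErr, forgeErr
}

func main() {
	accepted, replayErr, forgeErr := RunScenario()
	fmt.Printf("genuine frame -> cmd %d\nreplay -> %v\nforged -> %v\n", accepted, replayErr, forgeErr)
}
```

The sequence counter is what keeps a recorded frame from being useful later; a timestamp with a short validity window would do the same job if the receivers have a trustworthy clock. Adding a second operator is just another entry in the trust map, which is the interoperability benefit the submission is after: the host railroad never hands out its private key.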
