As displayed during Hack-in-Paris 2016

1. Abusing the Train
Communication Network
What could have derailed the Northeast
Regional #188?

2. ~$> whoami
By day
• Moshe Zioni
• Disguised as ’s
Security Research
manager.
• Getting paid for doing
what I love for some
reason. Don’t tell them.
By night
• I’m Batman!
• @dalmoz_
• Messing things up,
literally.

3. Down the track:
• Exposition - The derailment case
• Loco breakdown - components
• Computer and Brains , influential elements
• The train bus – intro and attack.
• Attack vectors
• AMTRAK environment and infrastructural additions/modifications
• Concluded attack surface
• Q&A

4. Friendly Disclaimer
• For educational purposes only.
• NOT A RAIL ACCIDENT EXPERT
• I’m not implying that I’m refuting any
conclusions done by court or NTSB.
• I’m not related/employed to/by
Amtrak, or Amtrak employees, in any
way.
• No intention to insult Siemens/Amtrak
engineers. Humor is just a delivery
mechanism.

5. Philadelphia
May 12, 2015
Northeast
Regional #188
- Due to over-speeding
102-106mph (~164-171kph)
- 4th deg. curve,
max. speed 50mph
- Results in 8 fatal casualties
and most of the
passengers injured (200+).
- NTSB appointed a team to
investigate, filed a report
earlier this month.

6. Cause?

10. Vector of attack?
•One thing is definite – the derailment’s
cause wasn’t due to changes in signaling
OR railroad switch system (interlocking).
•What can achieve control over locomotive
speed?

11. Amtrak Cities Sprinter (ACS) - 64
- Design by Siemens Mobility based on EuroSprinter
(2001) and Vectron (2010) models
- Manufactured by Siemens, Florida 2012-2014
- Deployed on Northeast and Keystone corridors
- Electric locomotive, no diesel combo
- Automation system:
Siemens’ SIBAS 32
- There are thousands of ACS-64-like
locomotives around the world. Mainly,
in Europe.

12. ACS-64 internals
Traction and Brakes
TCU
Console
ATP/PTC
Console
Air-Braking
Belise
CCU

13. Driver console
Air Braking
Siemens
Sitet®
?!
Signaling
Side views
Throttle

14. Fun and Profit at Train
Communication Network
land

15. Multifunction Vehicle Bus - MVB
- Field bus protocol, designed to be fail-safe.
- Single Master – Many Slaves
- Central Control Unit (CCU) – Master node,
sending all other nodes polling requests.
- Traction Control Unit (TCU) – one of many
slave nodes, controlled over MVB in order to
adjust state (e.g. speed).

16. WTB Node WTB Node
MVB GATEWAY MVB GATEWAY
• Traction
• Brakes (except Air-Brakes)
• Seat Reservation
• Air conditioning, HVAC
• Door control
• Information Display
• PA
• …

17. Multifunction Vehicle Bus - MVB
- Different physical-layer interfaces:
- ESD, RS485, short distance
- EMD, Coupled, medium distance
- Fiber – for long distances
- Very common to see repeaters in use
- Each device is basically a node, identified by ID number(s)
(up to 4095 total)
- Not all MVB created equal – there are more privileged then others
…

18. MVB – Principle of Operation
- Addresses can be polled for status or response that will feed
others on the bus.
- Example –
- Master polling the throttle lever ->
- The lever answers “increase speed” ->
- answer read by Traction System ->
- Execute!

19. Multifunction Vehicle Bus - MVB

20. Multifunction Vehicle Bus - MVB

21. Our reaction, pretty much

22. Our reaction, pretty much

23. MVB Protocol security weaknesses
• No authentication
• Traffic not encrypted
• No built-in screening process. Promiscuous.
•“Single Master” … YES. annnnnd NO

24. Forging requests should be easy,
right?
• Straight-forward injections proved to be non-
deterministic in nature.
• Very sensitive to timing, delays, sync.
• “Clock” is on Master side.
• Slaves respond only on polling.
• Different stacks (vendors) behaved differently.
• So – we need more power!

25. Then - A wild vulnerability appeared!

26. Hijacking Mastership – Act 0
Listen and enumerate devices on the bus.
Select an unoccupied ID.
CCU (Master) ID: 1 ID: 2

27. Hijacking Mastership – Act 1
Await status poll scan – and identify yourself
BA bit set to 1
CCU (Master) ID: 1 ID: 2
ID: 1337
BA bit = 1

28. Hijacking Mastership – Act 2
Master: are you open to mastership now?
Attacker: YES!! ME! ME! ME! (ACT bit = 1)
CCU (Master) ID: 1 ID: 2
ID: 1337
ACT bit = 1

29. Hijacking Mastership – Act 2
Enjoy your Mastership!
(normally, up to 256 x 1024 ms)
CCU ID: 1 ID: 2
ID: 1337
BA bit = 1
(Master)

30. So, What can an
attacker do now?

31. INFECTION VECTORS – PHYSICAL DOMAIN
- Most ‘accessible’ location is the electronics cabinet.
Resides at the end of each Amfleet Business/Couch.
- MVB extended locations (e.g. lighting, reservation, A/C,
Doors)
- Supply chain compromise – 70+ factories where
involved in assembling the ACS-64.
- ACS-64s were on public displays and out-of-base tours,
like in Veterans’ day and National Train day.
- And… just ask for a cab ride!

32. Notice No. 70

33. Extended attack surface?
WARNING: HIGHLY SPECULATIVE

34. Let’s be cliché about
not air-gapping

38. “…the equipment is connected to the Central Control Unit
(CCU) or ‘brain.’ The brain itself is located inside the train
…access points are what send the brain’s communications
throughout the train and allow a customer to connect to
the Internet”

40. Seriously guys, let’s
air-gap it!

42. Positive Train Control
External comms.:
GSM-R & RF
Internally –
Connected through
MVB/Ethernet.
The only thing, except the
driver, that should
‘command’ the TCU.

43. Oooh, what’s
that??

44. “Utilizing existing [PTC] infrastructure is critical to the success of
the project … Certainly on the Northeast Corridor this is
absolutely key to the initiative … Amtrak is very excited about
the possibilities that this could offer”

45. Wrapping up
• MVB is old, should be treated as legacy and
dangerous.
• Use alternative networks (ECN, TRDP)
• Air gapping should be strictly enforced.
• Test your systems!

46. Thank You!
@dalmoz_

47. External links