32c3 A trio of Russian hackers say core flaws in rail networks are opening trains to hijacking and derailment, and have published dozens of hardcoded industrial control system credentials to kick vendors into action.
Industrial control specialist hackers Sergey Gordeychik, Aleksandr Timorin, and Gleb Gritsai did not describe the bugs in detail, since that would allow others to replicate the attacks, nor did they reveal the names of the affected rail operators.
Flaws affect various systems including mobile communication and interlocking platforms that control braking and help prevent collisions.
There are also possible paths between trains’ operational systems and passenger entertainment systems, they say.
Overlooked bugs in device drivers, even in apparently benign applications, can also be turned by clever attackers into more powerful vectors: “If somebody can attack the modem, the modem can attack the automatic train control system, and they can control the train,” Gordeychik says.
In place of vulnerability details, they showed the December Chaos Communication Congress in Hamburg a blank screen.