Russian Hackers Warn EU Trains Are Vulnerable to Hijack

Operational high-speed lines in Europe 2015.

A group of Russian hackers have exposed gaping holes in computer systems that control train networks across Europe, claiming its vulnerabilities could lead to attackers causing devastating derailments or hijacking.

Bugs in outdated systems, and human programming errors, have been identified as alarming weak points by a trio of industrial control specialist hackers, who say other hackers could exploit things such as control braking systems – or could even hijack a train.

The Register explains overlooked bugs in device drivers can be exploited by clever hackers: "If somebody can attack the modem, the modem can attack the automatic train control system, and they can control the train," said Sergey Gordeychik, who helped discover the flaw.

Along with Gordeychik, Aleksandr Timorin, and Gleb Gritsai were integral to the discovery and also frustrated over simple vulnerabilities as a result of decades-old control systems. They unveiled their findings at the December Chaos Communications Congress in Hamburg in the hope vendors will fix it. However, they did not share any explicit details on vulnerabilities or rail vendor names and which countries they operate in over fear it would allow encourage attacks.

Mind the hack
Should hackers be able to infiltrate the antiquated operator's control system they may struggle to use it anyway as some require special training, but the article explains there is plenty of documentation that can be found online to allow hackers to access programmable logic controllers and servers.

With many rail operators using a connected system of trains, ticket systems and stations it poses a high-risk threat to safety as well as untold chaos that could follow should this be exploited by malicious hackers.

"The first threat is to safety, or cyber-physical ... the second is economic threats to impact efficiency and revenue, and the third is threats reliability," said Gordeychik.

The three hackers have released their findings to vulnerable vendors to force them to not use easily cracked hard-coded or default passwords to their systems. They say operators, who still remain nameless, are now aware of the worrying weaknesses and are working to fix the issues.

IB Times: http://bit.ly/1Srnxqt

« Amazon’s Data Centers Are Located in US Spy Country
Anonymous Want Revenge For Saudi Executions »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Webroot

Webroot

Webroot delivers next-generation endpoint security and threat intelligence services to protect businesses and individuals around the globe.

Redbud

Redbud

Redbud is a specialist search and recruitment firm for Information Security professionals.

Nubo Software

Nubo Software

Nubo’s Virtual Mobile Infrastructure creates a virtual corporate device on your employee smartphones and tablets. Enable unlimited mobility without leaving any data at risk.

Riskified

Riskified

Riskified is a leading eCommerce fraud-prevention company, trusted by hundreds of global brands – from luxury fashion houses and retail chains, to gift card and ticket marketplaces.

Intelligent Waves

Intelligent Waves

Intelligent Waves holds and manages contracts to provide an array of intelligence, operational, communications and IT support to the USG in austere, forward-deployed, hazardous duty environments.

Templar Executives

Templar Executives

Templar Executives is a leading, expert and dynamic Cyber Security company trusted by Governments and multi-national organisations to deliver business transformation.

Seavus Accelerator

Seavus Accelerator

Seavus Accelerator's goal is to create an enabling and stimulating environment for start-ups growth and provide continuous high quality acceleration and investment support.

drie

drie

drie is an end-to-end cloud services company based in Bahrain, Dubai and London. We enable businesses to adopt, scale on and build for cloud.

Security Management Partners (SMP)

Security Management Partners (SMP)

Security Management Partners (SMP) is a trusted partner to financial services, healthcare and businesses that need to manage their information, securely.

Chainlink

Chainlink

Chainlink expands the capability of smart contracts by enabling access to real-world data and systems without sacrificing the security and reliability guarantees inherent to blockchain technology.

BATM Advanced Communications

BATM Advanced Communications

BATM Advanced Communications is a leading provider of real-time technologies for networking and cyber security solutions.

Istari

Istari

ISTARI is a new kind of cyber risk management company. We’re an agile collective of best-in-class capabilities and experts, who build ongoing partnerships with clients.

DC Two

DC Two

DC Two are a locally operated and supported Australian data centre, offering a suite of vertically integrated services covering every part of the data centre and cloud technology stack.

Ceeyu

Ceeyu

Ceeyu is an all-in-one cybersecurity ratings and third party risk management platform.

Dapple Security

Dapple Security

Dapple Security is creating cutting edge technology utilizing responsible biometrics that protects people and privacy through a first-of-its-kind passwordless platform.

Vernetzen

Vernetzen

Vernetzen is an industrial network and cybersecurity innovator focused on delivering practical solutions to connect and secure industry across the globe.