Russian Hackers Warn EU Trains Are Vulnerable to Hijack

Operational high-speed lines in Europe 2015.

A group of Russian hackers has exposed gaping holes in the computer systems that control train networks across Europe, claiming the vulnerabilities could allow attackers to cause devastating derailments or hijackings.

Bugs in outdated systems and human programming errors have been identified as alarming weak points by a trio of industrial control specialist hackers, who say other hackers could exploit things such as control braking systems – or could even hijack a train.

The Register explains that overlooked bugs in device drivers can be exploited by clever hackers: "If somebody can attack the modem, the modem can attack the automatic train control system, and they can control the train," said Sergey Gordeychik, who helped discover the flaw.

Along with Gordeychik, Aleksandr Timorin and Gleb Gritsai were integral to the discovery, and were also frustrated by the simple vulnerabilities that result from decades-old control systems. They unveiled their findings at the December Chaos Communication Congress in Hamburg in the hope that vendors will fix them. However, they did not share any explicit details of the vulnerabilities, the rail vendors' names or the countries they operate in, for fear that doing so would encourage attacks.

Mind the hack
Should hackers be able to infiltrate an operator's antiquated control system, they may struggle to use it anyway, as some require special training. But the article explains that there is plenty of documentation online that would allow hackers to access programmable logic controllers and servers.

With many rail operators using a connected system of trains, ticket systems and stations, exploitation by malicious hackers poses a high-risk threat to safety, as well as the untold chaos that could follow.

"The first threat is to safety, or cyber-physical ... the second is economic threats to impact efficiency and revenue, and the third is threats to reliability," said Gordeychik.

The three hackers have released their findings to vulnerable vendors to force them not to use easily cracked hard-coded or default passwords on their systems. They say operators, who still remain nameless, are now aware of the worrying weaknesses and are working to fix the issues.

IB Times: http://bit.ly/1Srnxqt
