author photo
By Chris Roberts
Mon | Mar 6, 2017 | 2:53 PM PST

Recently, I’ve been asked to talk to a bunch of brass, demonstrate breaking nuclear things, and carry on hacking intermodal locomotives. Typically, these would be separate activities, all nice and segmented. However, I’m feeling lazy, so we are going to have some fun and see if we can get a three-for-one deal. Bear with me.

  1. The brass in question is the National Guard’s 1, 2 and 3 stars that have their annual cyber get-together. I’m honored to be talking with them, and the remit was simple: bring us some scary reality. Which brings us to the next point.
  2. The nuclear stuff is in the UK. I’m fortunate to be opening the security conference for international things that glow in the dark. What better way to open the whole thing than by simply demonstrating how we could break the system and melt most of the UK? For the purposes of our scenario, we’ll pick on the US Department of Energy.
  3. The aforementioned glowing piles of weird metals sometimes have to travel. They either travel to waste sites, or in the form of replenishment rods (there are others reasons, but let’s stick with those), and that stuff’s messy so it typically goes by rail.

So, if we can come up with a nice plan to hack the train that is carrying the nuclear waste (say to a well signposted and Wiki-documented waste facility in your state), cause it to either crash, malfunction or headlong into something else volatile (ammonium, petroleum, liquefied gas, etc.), then we might have the state governor calling on the National Guard to come and mop up.

So, how do we do this? Let’s break it down:

1. Intelligence gathering or reconnaissance. In this case, we focus on three elements:

  1. The locomotive
  2. The signaling systems
  3. The actual routes being taken for all volatile shipments

2. Initial point of compromise:

  1. The railways, those dusty/crusty/archaic entities that still operate in the 1900s
  2. The locomotives, which follow the simple principle of “if it’s not broken don’t fix it”
  3. The signaling architectures, which are built by the principle of “thousands of engineers in the field therefore make their life simple.” Defaults Rock!

3. Establish foothold and escalate privileges:

  1. Set of lock picks, a single board computer with an SSD and some fairly simple code; OR a laptop and a trusty Cat 5 cable
  2. Some off-the-shelf scanning tools, a quick fuzzing program to bypass any passwords you can’t guess in the first 60 seconds
  3. A working knowledge of switching gear and how to manipulate the various settings/controls and other options (remember, we ARE trying to cause a nasty mess of metals, gases, etc.)
  4. Velcro, don’t forget the Velcro—you can sit there while things crash together, but sometimes it IS better to be a LONG way away when things go critical (literally)
4. Additional reconnaissance:
  1. Understand the interaction between the locomotive AND the signaling systems; if you get this JUST right you can theoretically manipulate all sorts of things, including taking control of your own full-scale rail set, complete with signals and road crossings.
  2. You are going to need a timetable for whatever elements you want to introduce into your chemistry set (formerly known as the State of Idaho or Nevada). Once you have those you can identify what signals, what locomotives, what architectures, and what electronic overrides have to be circumvented.
  3. You are going to have to understand the remote-control architectures of both the locomotive and signaling systems, how to interact with them, and how to bypass them.
5. Completion:
  1. Remember that damn math question from school? “Two trains each leave the station at 09:00, one traveling east at 40 mph and the other traveling west at 30 mph. Which one gets to point C first?” We’ve modified it.
  2. Locomotive 1 and 2 are now approaching each other at a combined speed of over 100 mph (we removed various limiters and controls on the diesel SCADA architecture). The signals in both directions have been set to fail GREEN, and for good measure we’ve also raised the level crossings in the various paths of the locomotives (the one we really want is the crossing through the middle of town).
  3. Both locomotives are being fed information from “our” signaling box, which is the mid-point in the equation. Both locomotives are being fed information from “our” head office, and both locomotives are on the same piece of track.

You get the picture. It doesn’t end well for either the locomotive or the crossing area we chose to dump chemicals and nuclear waste containers in.

In essence, we’ve manufactured a scenario that is arguably quite possible using nothing more than simple intelligence gathered from open sourced material combined with some basic knowledge of signaling and locomotive architectures. The end result is a glowing mess of radioactive gloop somewhere in the middle of a reasonably densely populated part of the United States.

By the way, we did it all with a laptop, a Raspberry, and about 20 minutes in front of a signaling box. You don’t need to be a “well-funded terrorist organization” to do this stuff. The question now is, when will we wake up and realize that?

Sleep well, people. I hope you have an Incident Plan to cover this one.