Security of RCL Wireless Railway Communications
Paul Vincent Craven
Abstract— Remote Control Locomotive (RCL) allows a train locomotive to be controlled remotely through radio signals rather than requiring an engineer to be present aboard the train. This paper evaluates the security of one vendor’s RCL technology, specifically what would be required for a malicious attacker to take control of such a locomotive. The paper then investigates possible mitigation strategies to prevent this from happening.
I. INTRODUCTION
“This has to be about the worst idea ever concocted.” reads
the back cover of 2600, The Hacker Quarterly [1]. The quote
has the signature of Adrian Lamo, a famous hacker who
has spent time in jail for infiltrating the security systems
of large companies [2][3]. The quote in 2600 is a caption
for a photo of a train. Next to the train is a sign that says
“Attention, Remote Control Locomotives Operate In This
Area. Locomotive Cabs May Be Unoccupied”.
Remote Control Locomotive (RCL) is a wireless system
that allows a railway engineer to control a locomotive
without having to be aboard the train. This is becoming a
popular tool for railroads to use in switchyards. The cab
of the locomotive is not always the best vantage point for
moving trains around. RCL allows an engineer a way to get
a view outside the locomotive cab.
Any wireless signal is subject to interception, jamming,
and false command interjection. With proper security con-
trols in place, these vulnerabilities can be mitigated. The
question is, have any of these been implemented for RCL?
II. BACKGROUND ON RCL
Industrial operations like steel mills have used RCL for
several years [4]. In these cases, the train can go into areas
that are hazardous, while the human operator stays a safe
distance away. RCL in the switchyard has been used in
Canada for over a decade [5]. Adoption of RCL in U.S.
switchyards has been slower.
In an RCL operation, there is an Operator Control Unit
(OCU) and a Locomotive Control Unit (LCU). The OCU
is a belt-pack device worn by the engineer. The LCU is
the unit that receives the OCU commands and is located in the
locomotive.
In switchyards, locomotive operators in the cab may not
have a good vantage point to view the cars that they are
moving around the yard. This lack of visibility requires the
engineers to have a set of employees who communicate with
the operator via a series of hand signals. Having an extra
person in the command chain increases the risk of error.
Paul Craven is a lecturer at Simpson College in Indianola, Iowa. He has thirteen years of professional development experience. He has an M.S. in computer science from the University of Missouri-Rolla and is currently pursuing a Ph.D. from the University of Idaho. [email protected]
RCL allows a person to stand outside of the locomotive
cab and to control the switching operations from a better
vantage point. The RCL controls are also easier to operate
than a locomotive’s controls.
RCL also allows multiple people to take turns controlling
a train. One person might be at the front of a long train, the
other at the back; the person at the front of the train can start
the train moving towards the person at the back of the train.
Thus, the train is “pitched” by the front person to the rear
person who “catches” it. Either operator can stop the train
in an emergency.
A. Differences between RCL operation and cab operation
RCL controls are simplified compared to the controls in
the cab of the locomotive. Employees who control the trains
don’t have to be trained as an engineer who can drive the
train using the cab controls.
Some RCL units add a speed control. This control allows
the operator to set the speed of the train, and the LCU’s elec-
tronics automatically adjust the throttle to maintain speed.
Most locomotives do not have this option when operating
from the cab; the engineer controls the throttle manually.
An RCL-qualified person can sit in the cab of the train and
still operate via RCL, as long as he or she does not touch
the cab controls.
Labor relations delayed adoption of RCL. The Brotherhood
of Locomotive Engineers took the FRA to court to try
to prevent the deployment of RCL. Safety is usually the
concern that is raised over RCL operations. Other reasons
may include the fact that fewer people are needed in RCL
switchyards, and that the RCL operators do not need the
same level of training as locomotive engineers.
B. Manufacturers of RCL Equipment
Currently there are four major suppliers of RCL equip-
ment [6].
Canac Remote Control Technologies, Inc. is a Canadian
company that was one of the first manufacturers of RCL
equipment. Their product is called BELTPACK [7].
Cattron-Theimeg has several products: they have the Ac-
cuSpeed, MP 96 RCL, QC (Quick Connect), and the TH-
EC/LO [8]. In addition, they recently acquired Canac Remote
Control Technologies, Inc. [9]. Just recently, Union Pacific
ordered 113 RCL units from Cattron-Theimeg to add to over
the 500 units they already have in use [10].
Proceedings of the 2005 IEEE Conference on Control Applications, Toronto, Canada, August 28-31, 2005
TA5.2
0-7803-9354-6/05/$20.00 ©2005 IEEE
GE Transportation Systems has an RCL device called
LOCOTROL. GE says that it has been in operation for 18
years, and also states that it has 30 years of experience
with LOCOTROL [11]. Initially LOCOTROL was used
in the locomotive cab to allow an engineer to control
helper locomotives placed in the middle of the train. Later,
LOCOTROL was used by a controller on the ground to
control the whole train remotely. GE also says they have
5000 systems in use world-wide.
Control Chief is an American company that makes Plug
and Go, another RCL unit. They specialize in several differ-
ent radio remote control products for industrial applications.
C. What RCL can control
The RCL controls a subset of operations available to an
engineer in the cab of a locomotive. The training for RCL
is different, and an operator does not need to be qualified to
run a train from the cab to use an RCL device.
According to the Notice of Safety Advisory 2001-1 [12],
these are the things that an RCL device must be able to
control.
• Directional control
• Graduated throttle or speed control
• Graduated locomotive brakes
• Train brakes
• Horn
• Bell
• Sand control
• Headlight control
• Emergency air brake
• Generator field switch
• Indication of wheel slip
The generator field switch prevents power from going
to the wheels. Modern trains have a diesel generator that
provides power to electric motors that turn the train’s axles.
By turning the generator field switch off, the locomotive is in
a neutral setting with no power going to the electric motors.
Speed control is similar to the cruise control in a car.
Rather than set a locomotive’s throttle, the operator specifies
the speed at which the train should move. The throttle is
adjusted as needed.
III. RECORDING RCL SIGNALS
To evaluate the security of RCL, the author
decided to record some sample RCL signals. The first step
was to find a railroad yard that regularly used RCL. Shortline
Yard in Des Moines, Iowa is known to use RCL often during
their switching operations. Signs are posted around the yard
giving a warning that locomotives may be operated by remote
control, and that there may not be anybody in the cab of
the train. The Shortline Yard is usually busy, increasing the
chance of intercepting good RCL signals. RCL locomotives
at that railyard can be identified by a yellow flashing beacon
on the locomotive and an extra antenna on the cab roof.
When a locomotive is close, an observer can also notice that
there is no one in the cab.
RCL implementations vary from manufacturer to manu-
facturer, and can even be set up differently depending on
the site. Recordings and observations taken from this site
may not apply to other sites. The RCL units used at the
Short Line Yard appear to be Cattron-Theimeg’s AccuSpeed
product. The author was unable to obtain a close look, but
the OCUs had the same control layout as the photos that are
on Cattron-Theimeg’s web site [13], and were the same lime
green color. No other RCL unit sold appears to be similar in
color or layout.
From the brochure on their site, one can find out some
additional information about the AccuSpeed. The AccuSpeed
offers two-way data exchange between the OCU and LCU.
It can use a radio repeater; the repeater will receive signals
on one frequency and retransmit them on another. This
capability extends the range of the units. AccuSpeed also
utilizes a GPS receiver to get accurate time. This accuracy
of receiving time allows multiple units to share the same
frequency by synchronizing when they transmit.
The second step in intercepting the signals was to find
which radio frequencies were being used. Two categories of
signals were searched for: 802.11 signals and FM signals
that could be picked up by a scanner. Research indicated
that one likely place to find RCL in use was the 450 MHz
band [14]. Communications could also possibly use 802.11
wireless networking [15] or the 220 MHz or 900 MHz bands.
To search for the signals, a scanner and a notebook computer
running Netstumbler [16] software were brought to Shortline
Yard in August 2004. No wireless access points could
be identified that were attributable to the railroad yard.
Scanning the 450 MHz band around Shortline Yard
turned up digital signals with characteristics pointing
to their being RCL signals. The signals were at 457.775 MHz
and 452.775 MHz. They were likely RCL signals
for the following reasons:
• The signals were paired 5 MHz apart. Scanner fre-
quency charts for other areas show a pattern of placing
the frequencies 5 MHz apart [17].
• There appeared to be multiple transmissions from different
sources interleaved during that one-second period. This
finding fits with RCL allowing multiple radios to share
the same frequency.
• Antennas on top of the train near the RCL beacon were
of the approximate length for the 400 MHz band.
• The signal strength dropped off rapidly outside the area
of Shortline Yard.
• A simple attenuated receiver was created by listening to
the 457.775 MHz frequency on a handheld radio with
the antenna removed. The signal strength would be full
only when an RCL train moved within 75 yards of the
radio.
Signal recording was done with a Yaesu 8500 ham radio.
Initial attempts at recording the signals were made by con-
necting the audio output of the radio to the line input of
a notebook computer. This did not work well because the
audio circuitry in the radio would not only distort the digital
signal, but would also insert entirely new waveforms.
The ham radio was then modified by the author to pull the
signal ahead of the audio processing circuitry. The signal
itself comes out as a square wave; the audio circuitry cannot
handle this signal because of its DC component, and the
signal becomes unrecognizably distorted.
The modification for this radio was done by connecting a
shielded 1/8 inch jack to pin 9 of the discriminator chip
(MC3361). A list of common discriminator chips can be
found on the web [18]. Care must be taken when soldering
to the surface-mounted chip; the pins are small and close
together. Output from the radio was run into the line-level
audio input on an IBM ThinkPad T23. The recordings were
saved to disk as raw WAV files, sampled at 44.1 kHz.
IV. DECODING RCL SIGNALS
Once the signals are recorded they need to be analyzed, so
a custom program was created to do this. The first step was
to view the signal and try to figure out how it was encoded.
A sample signal can be seen in Figure 1. In this image,
each pixel represents one audio sample, about 1/44100th of
a second.
The sine wave in the beginning of the signal is apparently
for synchronization. The custom RCL decoder program was
coded to look for this, and it colors that part of the signal
red. The synchronization wave period is between 220 and
221 pixels across which translates to about 0.5 ms. So, the
synchronization frequency is 2000 Hz.
After the synchronization, the signal goes through a “start
of data” phase. The signal is held at the zero line, held in
the negative, then held in the positive. The RCL decoder
program recognizes this and colors that wave section green.
This is the only place we see the signal held at zero during
the data transmission.
After the “start of data” section, comes the actual data
itself. The RCL decoder program colors this blue. Somehow,
digital 1’s and 0’s are encoded onto this part of the signal.
From looking at the signal, there seem to be two possibil-
ities. The first would be to associate a positive value with a
bit setting (such as one), and negative for the other. Another
possibility would be to have a transition represent a bit value,
and no transition setting be the other bit value.
Having signal transitions between positive and negative
determine the bit value is common, and seems to fit well
with the signal we see here. This would give this RCL signal
a data rate of 4000 bits per second. The RCL decoder was
written around the assumption that a transition represents a
1, and no transition represents a 0. This was because received
signals had long strings of the same bits, and it was more
likely these were zeros, and not ones. Figure 2 shows the
signal with lines marking regular time intervals. The time
intervals line up well with the transitions that exist in the
signal.
The RCL decoder program can record the signals to disk
in WAV file format, or it will allow previously recorded
signals to be viewed in a GUI. It will also decode
live or previously recorded signals. Assuming that ones were
represented by a signal polarity change, and that zeros were
encoded by having no polarity change, we attempted to
decode these signals.
This allowed for an easy comparison between the signals
to see if they were repeated, and to see what patterns showed
up. Even if the encoding of ones and zeros onto the signal
was different, we could still see the patterns that exist in the
transmitted signals.
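The decoding steps described above (measure the sync tone from its zero crossings, find the start-of-data hold, then read bits as transition = 1 / no transition = 0 at 4000 bit/s and render them in Table I's 4+4+4+3 hex grouping) can be written out in a few functions. The block below is an added example and not the paper's own decoder program; it synthesizes its own square-wave capture at 44.1 kHz rather than reading a WAV file. Note that a 0.5 ms sync period spans about 22 samples at this rate, and a 4000 bit/s bit period about 11. The hold lengths, the length of the sync tone and the exact bit timing are assumptions (the paper does not give them), and a real capture would need clock recovery rather than fixed sample counting.

```python
"""Added example, not the paper's decoder: an NRZI-style decoder for an
RCL-like square-wave capture sampled at 44.1 kHz, built from the paper's
observations (2000 Hz sync tone, zero/negative/positive start-of-data holds,
transition = 1, no transition = 0 at 4000 bit/s, 60-bit packets).
Assumed, not from the paper: the hold lengths, the sync tone length and
the exact bit timing; a real capture needs clock recovery instead."""
import math

SAMPLE_RATE = 44100                        # Hz, as in the paper's WAV recordings
SYNC_HZ = 2000                             # sync tone measured in the paper
BIT_RATE = 4000                            # bit/s inferred from transition spacing
SAMPLES_PER_BIT = SAMPLE_RATE / BIT_RATE   # 11.025 samples per bit
HOLD_SAMPLES = round(2 * SAMPLES_PER_BIT)  # assumed: each hold lasts two bit periods
PACKET_BITS = 60                           # 48 data bits + 12-bit check field


def synthesize(bits, sync_cycles=40):
    """Constructed capture: sync sine, zero/negative/positive holds, then data."""
    out = [math.sin(2 * math.pi * SYNC_HZ * i / SAMPLE_RATE)
           for i in range(round(sync_cycles * SAMPLE_RATE / SYNC_HZ))]
    out += [0.0] * HOLD_SAMPLES + [-1.0] * HOLD_SAMPLES + [1.0] * HOLD_SAMPLES
    level, levels = 1.0, []                # line is positive when data begins
    for b in bits:
        if b:
            level = -level                 # a 1 is a polarity change
        levels.append(level)
    for k in range(round(len(bits) * SAMPLES_PER_BIT)):
        out.append(levels[min(int(k / SAMPLES_PER_BIT), len(bits) - 1)])
    return out


def find_zero_hold(samples, min_run=int(SAMPLES_PER_BIT)):
    """Index of the first run held at the zero line. The sync sine only touches
    zero for single samples, so a run this long marks the start of data."""
    run = 0
    for i, x in enumerate(samples):
        run = run + 1 if abs(x) < 0.05 else 0
        if run >= min_run:
            return i - run + 1
    raise ValueError("no start-of-data marker found")


def measure_sync_hz(samples, sync_end):
    """Estimate the sync tone from rising zero crossings before sync_end."""
    rises = [i for i in range(1, sync_end) if samples[i - 1] < 0 <= samples[i]]
    if len(rises) < 2:
        raise ValueError("too few sync cycles")
    period = (rises[-1] - rises[0]) / (len(rises) - 1)   # samples per cycle
    return SAMPLE_RATE / period


def decode_packet(samples, n_bits=PACKET_BITS):
    """Sample each bit period at its midpoint; transition = 1, none = 0."""
    data_start = find_zero_hold(samples) + 3 * HOLD_SAMPLES
    bits, prev = [], 1.0                   # the positive hold precedes the data
    for k in range(n_bits):
        idx = data_start + int((k + 0.5) * SAMPLES_PER_BIT)
        level = 1.0 if samples[idx] >= 0 else -1.0
        bits.append(1 if level != prev else 0)
        prev = level
    return bits


def bits_to_hex(bits):
    """Render 60 bits in the 4+4+4+3 hex grouping used in Table I."""
    digits = format(int("".join(map(str, bits)), 2), "0%dX" % (len(bits) // 4))
    return " ".join((digits[0:4], digits[4:8], digits[8:12], digits[12:]))


def hex_to_bits(text):
    """Inverse of bits_to_hex, for building test packets from Table I rows."""
    digits = text.replace(" ", "")
    return [int(c) for c in format(int(digits, 16), "0%db" % (4 * len(digits)))]


if __name__ == "__main__":
    packet = hex_to_bits("9D93 005F 9000 015")          # first row of Table I
    capture = synthesize(packet)
    print("sync tone: %.0f Hz" % measure_sync_hz(capture, find_zero_hold(capture)))
    print("decoded:  ", bits_to_hex(decode_packet(capture)))
```

Sampling each bit at its midpoint is what makes the transition rule robust to the fractional 11.025 samples per bit; long runs of the same polarity decode as runs of zeros, which is the reason the paper gives for choosing this polarity assignment.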
Table I shows the tabulation of packets received on Feb-
ruary 1, 2005 at Shortline Yard in Des Moines, Iowa. The
frequency was 452.775 MHz, and the time span was from
11:50 am until 12:58 pm. The left column shows the data
packet, while the right column shows the number of times the
packet was received during the sample period. There were a
total of 6,000 packets successfully received. The ones shown
in the table were the most commonly received ones.
The data part of the packets appears to be 48 bits long, with
some type of 12-bit CRC or similar at the end, for a total of
60 bits. This is apparent in packets where one bit changes in
the first 48 bits: this always causes the last 12 bits to shuffle
their settings.
TABLE I
STATS ON RECEIVED RCL AT 457.775 MHZ

Data                 Count
9D93 005F 9000 015   301
9D92 E003 2400 03F    35
9D92 E003 17C0 051    40
9D92 E003 16B0 07A    30
9D92 83F3 74C0 007    37
9D92 8173 7700 051   111
9D92 8173 7580 048    41
9D92 80F3 2400 036    30
9D91 8173 2400 035    39
9D90 005F 9000 001   219
9793 D800 6001 564    39
9681 EC28 3000 780   155
9681 EC00 3000 DE0    49
9680 AC28 3000 403    90
9680 AC28 3000 401   212
9680 AC28 0000 A60    39
7E45 63C1 80A7 680    42
2F93 A003 1400 02A   134
2F93 0039 032D 027   576
2F91 81B3 2400 00D    35
2F91 8173 2400 037   112
2F90 C173 7400 019    80
2F90 C173 2400 03A   162
2F90 C15B 7400 006    30
2F90 C15B 2400 025    96
2F90 A003 7400 007    33
2F90 A003 1400 03E    34
2F90 0039 032D 033   412
2E26 032F 267B 028    92
2E25 C006 F000 041    81
2E25 C006 E800 0E5    85
2E25 02E6 F000 07D    45
2E25 02E6 5000 03B    44
2E25 0006 5000 01B    31
2E23 C006 E806 69A    30
2E23 C006 E800 0CC    48
2E23 02E6 5000 012    65
2E20 032F 267B 001   300
Fig. 1. RCL signal captured on December 11, 2004 at Short Line Yard in Des Moines, Iowa
Fig. 2. RCL signal captured on December 11, 2004 at Short Line Yard in Des Moines, Iowa
V. ANALYSIS OF SECURITY
There does not appear to be any encryption on the packets.
If there were any encryption, there would not be so many
packets that differ by only one bit. Even if the packets were
encrypted, the fact that the same ones are repeated over and
over again would be a vulnerability. A malicious user could
figure out what an encrypted packet causes the locomotive
to do. He or she could then replay encrypted packets once
the function of the packet had been determined. Decryption
would not be needed. With a few hours of coordinated
video and data reception, it would be possible for a person
to reverse-engineer the AccuSpeed’s RCL protocol. Once it was
reverse engineered, a hostile person would only need a way
of creating false codes and a radio to transmit them.
Creating the malicious signal to be transmitted to the
locomotive could easily be done with any standard computer.
The baud rate is slow enough that the audio outputs of a
computer should be able to replicate the signal. Radios that
transmit in the 450 MHz range are not hard to come by.
While they may need to be modified for data use, this would
not be a difficult thing to do. A high powered radio with an
efficient antenna should be powerful enough to override the
beltpack radio at a distance.
In a worst-case scenario, an attacker could sit in a parked
car overlooking the rail yard. When a train carrying haz-
ardous materials was being moved in the yard, the attacker
could take over operation of the train. The train could be
crashed into a set of cars that were carrying liquid propane
or something similar. If done in an urban area, this could
cause many casualties. The crime would also be very difficult
to trace back to the attackers since they had not physically
entered the yard.
VI. RECOMMENDED CHANGES
Replacing all the RCL hardware units in use today with a
new, secure product is not practical. A better choice would
be to find a way to modify the existing units at a marginal
cost.
The short messages that are transmitted by the RCL de-
vices pose some challenges in what can practically be done.
RCL only uses about 60 bits per transmission. Cryptographic
block ciphers come in power-of-two sizes, the closest being 64
bits. Cryptographic block ciphers of 64 bits are short enough
to be brute-forced; that is, a set of computers can go
through all possible keys to see which one fits.
Increasing the size of the packet to 128 bits for a 128-bit
block cipher would significantly increase security; however,
it would affect the timing of a system that expects packet
transmissions to be synchronized through a GPS clock and
to last only 60 bits.
Two packets with the same data, encrypted with the same
key, would result in the exact same encrypted packets.
An attacker could exploit this result by retransmitting an
encrypted packet. Placing a timestamp on the packets would
keep the results changing and allow the devices to discard
old packets. Unfortunately, adding a timestamp would sig-
nificantly lengthen the packets and significantly change how
the timing of this system works.
The real-time nature of the RCL protocol does not allow
old packets to be resent, so the encryption needs to
keep working when a packet is lost. This makes
one long cipher stream an impractical solution: each packet
needs to be independently decodable.
Despite these challenges, secure communication can be
achieved. Some RCL devices, such
as Cattron-Theimeg’s AccuSpeed, have GPS clocks. This
attribute can be used to help increase the security of the
RCL devices. For example, RSA’s SecurID uses a shared
secret along with a synchronized clock to produce a series
of seemingly unrelated numbers through a hash algorithm.
Both sides know the shared secret and the clock, so they
can compare the hash result as a one-time password for
verification. Even with knowledge of many one-time
passwords, it is difficult to derive the shared key. SecurID
has some known vulnerabilities [19], [20], but it is still
a generally accepted secure way to generate one-time
passwords.
RCL could do something similar: a shared secret could be
combined with the GPS timestamp. Both the LCU and OCU
would know these values. They could be run through the SHA-1
secure hash function, which would generate a seemingly
random 160-bit number. The 60-bit packet could be XOR’d
with the first 60 bits of the hash. The CRC should be XOR’d
with the hash as well; if it were not, an attacker
could send random packets with the correct CRC just to see
what happened, which is obviously not desired. Including the
CRC in the hash does allow a person to receive a packet and
then attempt to find the shared secret with the known clock
and hash function; checking the CRC will tell the attacker
whether he or she guessed correctly. But if the shared
secret is at least 256 bits, it would take the potential attacker
a very long time to guess.
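The scheme just described, together with the two requirements from earlier in this section (the same data must not produce the same bits on the air twice, and every packet must be decodable on its own after a loss), can be modelled end to end. The block below is an added example written for this page; it is not the paper's code and not any RCL vendor's implementation. It keeps a 48-bit data field plus a 12-bit check, masks the whole 60-bit packet with the first 60 bits of SHA-1(secret || GPS slot) as the paper proposes, and shows one function per side. The CRC-12 polynomial, the slot encoding, the 256-bit secret and the data values are all constructed assumptions (the paper only observes that the last 12 bits behave like a CRC).

```python
"""Added example, not from the paper or from any RCL vendor: a model of
the mitigation proposed above (shared secret + GPS time slot -> SHA-1 ->
XOR the 60-bit packet, CRC included), with one function per side.
Assumed, not from the paper: the CRC-12 polynomial (the paper only observes
a 12-bit check), the slot encoding, and the constructed secret and data."""
import hashlib
import random

DATA_BITS = 48
CRC_BITS = 12
PACKET_BITS = DATA_BITS + CRC_BITS        # 60 bits on the air, as observed
CRC12_POLY = 0x80F                        # assumed: x^12+x^11+x^3+x^2+x+1
SECRET = bytes(range(32))                 # constructed 256-bit shared secret


def crc12(data, nbits=DATA_BITS):
    """Bit-serial CRC-12 over the top nbits of data, MSB first."""
    reg = 0
    for i in range(nbits - 1, -1, -1):
        feedback = ((reg >> 11) ^ (data >> i)) & 1
        reg = (reg << 1) & 0xFFF
        if feedback:
            reg ^= CRC12_POLY
    return reg


def build_packet(data48):
    """48 data bits followed by their 12-bit check, as in Table I."""
    return (data48 << CRC_BITS) | crc12(data48)


def crc_ok(packet):
    return crc12(packet >> CRC_BITS) == (packet & 0xFFF)


def keystream(secret, slot):
    """First 60 bits of SHA-1(secret || slot): a fresh mask for every GPS slot."""
    digest = hashlib.sha1(secret + slot.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") >> (160 - PACKET_BITS)


def protect(secret, slot, data48):
    """OCU side: mask the whole packet, CRC included, for this slot."""
    return build_packet(data48) ^ keystream(secret, slot)


def unprotect(secret, slot, wire):
    """LCU side: unmask for the current slot; reject when the CRC fails
    (wrong key, wrong slot such as a replay, or a corrupted packet)."""
    packet = wire ^ keystream(secret, slot)
    return packet >> CRC_BITS if crc_ok(packet) else None


def replay_rejections(secret, wire, slots):
    """How many later slots reject a packet captured in an earlier slot."""
    return sum(1 for s in slots if unprotect(secret, s, wire) is None)


def forged_acceptances(secret, slot, trials, seed=1):
    """How many random 60-bit packets the LCU accepts in one slot
    (about trials / 4096: the residual risk of a 12-bit check)."""
    rng = random.Random(seed)
    return sum(1 for _ in range(trials)
               if unprotect(secret, slot, rng.getrandbits(PACKET_BITS)) is not None)


def demo():
    data = 0x9D93005F9000                   # first 48 bits of a Table I packet
    w1, w2 = protect(SECRET, 1000, data), protect(SECRET, 1001, data)
    return {
        "same_data_differs_per_slot": w1 != w2,
        "accepted_in_own_slot": unprotect(SECRET, 1000, w1) == data,
        # slot 1001 lost: slot 1002 still decodes because each slot is independent
        "decodable_after_loss": unprotect(SECRET, 1002, protect(SECRET, 1002, data)) == data,
        "replay_rejections_of_200": replay_rejections(SECRET, w1, range(1001, 1201)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
    print("forgeries accepted of 8192:", forged_acceptances(SECRET, 1000, 8192))
```

Two points a practitioner would check before deploying something like this. First, the mask is a one-time pad derived per slot, so two different packets sent in the same slot would share a mask and their XOR would leak the XOR of the plaintexts; the GPS-synchronized transmit slots the AccuSpeed brochure describes give each transmission its own slot, and that property is what the scheme relies on. Second, a 12-bit check accepts one random packet in 4096 on its own, which is why the counts above matter; a design built today would use HMAC-SHA-256 over the slot and data rather than SHA-1 and a masked CRC, and would add an explicit slot-acceptance window on the LCU.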
VII. CONCLUSION
The Cattron-Theimeg AccuSpeed studied at Shortline Yard
in Des Moines, Iowa does not appear to be secure. It would
not be difficult for a malicious person to cause the loss of
life and property using RCL vulnerabilities. As shown in
this paper, improved security using only software updates is
possible. Because malicious use of RCL could result in loss
of life and significant financial liability, the cost of creating
a more secure solution is worthwhile.
The author recommends a study into the security of RCL
units by all vendors, not just the one studied in this paper.
Other units may not have been developed for use in a hostile
environment. Electronic threats are now common, and there
is no reason to believe that the rail industry will be immune
to them.
Given that several wireless protocols within the rail industry
appear to be insecure [21] [22] [23], it would also be prudent
for the Federal Rail Association to fund an independent
security group to analyze existing and future wireless com-
munications.
REFERENCES
[1] Adrian Lamo, “The back cover photo,” 2600, Spring 2005.
[2] Kevin Poulsen, “Lamo’s adventures in worldcom,” Security Focus, December 2001.
[3] ——, “Adrian Lamo charged with computer crimes,” Security Focus, September 2003.
[4] Federal Railroad Administration, “Interim report - safety of remote control locomotive operations,” May 2004.
[5] Federal Railroad Association, “FRA policy on remote control locomotives history, background and current status,” March 2003.
[6] ——, “Facts about remote control technology,” March 2003. [Online]. Available: http://www.aar.org/Pubcommon/Documents/factsPLCT.pdf
[7] CANAC, “CANAC beltpack,” February 2005. [Online]. Available: http://www.canac.com/beltpack.html
[8] Cattron-Theimeg, “Railapps,” February 2005. [Online]. Available: http://www.cattron-theimeg.com/csa/railapps.html
[9] ——, “Cattron group, inc. acquires beltpack and canac remote control technologies,” October 2004. [Online]. Available: http://www.cattron-theimeg.com/news/news-beltpack-acquire.htm
[10] M. Luczak, “The power of remote control,” Railway Age, February 2005.
[11] GE, “Product summary - GE transportation systems LOCOTROL remote controlled locomotive (RCL),” February 2005.
[12] Federal Railroad Association, “Notice of safety advisory 2001-01,” Federal Register, vol. 66, no. 31, p. 10340, February 2001.
[13] Cattron-Theimeg, “Accuspeed product literature,” February 2005. [Online]. Available: http://www.cattron-theimeg.com/pdf-specs/AccuSpeed.pdf
[14] American Railway Engineering & Maintenance of Way Association, “Remote control locomotive technology.” [Online]. Available: www.arema.org/comm/c16/C16PUB1.HTM
[15] B. Brewin, “Sidebar: Remote-control train expected to boost efficiency and safety,” Computerworld, January 2004.
[16] M. Milner, “Netstumbler v0.4.0 release notes,” April 2004. [Online]. Available: www.stumbler.net/readme/readme 0 4 0.html
[17] G. Hahn. [Online]. Available: www.kb9ukd.com/ ghahn/rr.htm
[18] L. B. Bill Cheek, “Bill cheek’s scanner data decoding frequently asked questions file,” May 2000. [Online]. Available: www.radioreference.com/digital/discrim.txt
[19] Mudge and Kingpin, “Initial cryptanalysis of the RSA SecurID algorithm,” @stake, January 2001.
[20] I.C. Wiener, “Sample securid token emulator with token secret import,” Bugtraq, December 2000. [Online]. Available: archives.neohapsis.com/archives/bugtraq/2000-12/0428.html
[21] P. Author, “A brief look at railroad communication vulnerabilities,” ITSC 2004 7th International IEEE Conference on Intelligent Transportation Systems, October 2004.
[22] ——, “Security of railway EOT systems,” ASME/IEEE Joint Rail Conference, March 2005.
[23] ——, “Security of ATCS wireless railway communications,” ASME/IEEE Joint Rail Conference, March 2005.
[24] Association of American Railroads. [Online]. Available: www.aar.org/Pubcommon/Documents/mythsRCL.pdf
[25] Cattron-Theimeg. (2005, February) Cattron-Theimeg inc. MP96 RCL. [Online]. Available: www.cattron-theimeg.com/UK/MP96 RCL uk.html