
[IEEE 2005 IEEE Conference on Control Applications, 2005. CCA 2005. - Toronto, Canada (Aug. 29-31, 2005)] Proceedings of 2005 IEEE Conference on Control Applications, 2005. CCA 2005


Security of RCL Wireless Railway Communications

Paul Vincent Craven

Abstract— Remote Control Locomotive (RCL) allows a train locomotive to be controlled remotely through radio signals rather than require an engineer to be present aboard the train. This paper evaluates the security of one vendor’s RCL technology, specifically what would be required for a malicious attacker to take control of such a locomotive. The paper then investigates possible mitigation strategies to prevent this from happening.

I. INTRODUCTION

“This has to be about the worst idea ever concocted.” reads the back cover of 2600, The Hacker Quarterly [1]. The quote has the signature of Adrian Lamo, a famous hacker who has spent time in jail for infiltrating the security systems of large companies [2][3]. The quote in 2600 is a caption for a photo of a train. Next to the train is a sign that says “Attention, Remote Control Locomotives Operate In This Area. Locomotive Cabs May Be Unoccupied”.

Remote Control Locomotive (RCL) is a wireless system that allows a railway engineer to control a locomotive without having to be aboard the train. This is becoming a popular tool for railroads to use in switchyards. The cab of the locomotive is not always the best vantage point for moving trains around. RCL allows an engineer a way to get a view outside the locomotive cab.

Any wireless signal is subject to interception, jamming, and false command interjection. With proper security controls in place, these vulnerabilities can be mitigated. The question is, have any of these been implemented for RCL?

II. BACKGROUND ON RCL

Industrial operations like steel mills have used RCL for several years [4]. In these cases, the train can go into areas that are hazardous, while the human operator stays a safe distance away. RCL in the switchyard has been used in Canada for over a decade [5]. Adoption of RCL in U.S. switchyards has been slower.

In an RCL operation, there is an Operator Control Unit (OCU) and a Locomotive Control Unit (LCU). The OCU is a belt-pack device worn by the engineer. The LCU is the unit that receives the OCU commands and is located in the locomotive.

In switchyards locomotive operators in the cab may not have a good vantage point to view the cars that they are moving around the yard. This lack of visibility requires the engineers to have a set of employees who communicate with the operator via a series of hand signals. Having an extra person in the command chain increases the risk of error. RCL allows a person to stand outside of the locomotive cab and to control the switching operations from a better vantage point. The RCL controls are also easier to operate than a locomotive’s controls.

RCL also allows multiple people to take turns controlling a train. One person might be at the front of a long train, the other at the back; the person at the front of the train can start the train moving towards the person at the back of the train. Thus, the train is “pitched” by the front person to the rear person who “catches” it. Either operator can stop the train in an emergency.

Paul Craven is a lecturer at Simpson College in Indianola, Iowa. He has thirteen years of professional development experience. He has a M.S. in computer science from the University of Missouri-Rolla and is currently pursuing a Ph.D. from the University of Idaho.

A. Differences between RCL operation and cab operation

RCL controls are simplified compared to the controls in the cab of the locomotive. Employees who control the trains don’t have to be trained as an engineer who can drive the train using the cab controls.

Some RCL units add a speed control. This control allows the operator to set the speed of the train, and the LCU’s electronics automatically adjust the throttle to maintain speed. Most locomotives do not have this option when operating from the cab; the engineer controls the throttle manually.

An RCL-qualified person can sit in the cab of the train and still operate via RCL, as long as he or she does not touch the cab controls.

Labor relations delayed adoption of RCL. The Brotherhood of Locomotive Engineers took the FRA to court to try and prevent the deployment of RCL. Safety is usually the concern that is raised over RCL operations. Other reasons may include the fact that fewer people are needed in RCL switchyards, and that the RCL operators do not need the same level of training as locomotive engineers.

B. Manufacturers of RCL Equipment

Currently there are four major suppliers of RCL equipment [6].

Canac Remote Control Technologies, Inc. is a Canadian company that was one of the first manufacturers of RCL equipment. Their product is called BELTPACK [7].

Cattron-Theimeg has several products: they have the AccuSpeed, MP 96 RCL, QC (Quick Connect), and the TH-EC/LO [8]. In addition, they recently acquired Canac Remote Control Technologies, Inc. [9]. Just recently, Union Pacific ordered 113 RCL units from Cattron-Theimeg to add to over the 500 units they already have in use [10].

GE Transportation Systems has an RCL device called LOCOTROL. GE says that it has been in operation for 18 years, and also states that it has 30 years of experience with LOCOTROL [11]. Initially LOCOTROL was used in the locomotive cab to allow an engineer to control helper locomotives placed in the middle of the train. Later, LOCOTROL was used by a controller on the ground to control the whole train remotely. GE also says they have 5000 systems in use world-wide.

Control Chief is an American company that makes Plug and Go, another RCL unit. They specialize in several different radio remote control products for industrial applications.

Proceedings of the 2005 IEEE Conference on Control Applications, Toronto, Canada, August 28-31, 2005. TA5.2. 0-7803-9354-6/05/$20.00 ©2005 IEEE.

C. What RCL can control

The RCL controls a subset of operations available to an engineer in the cab of a locomotive. The training for RCL is different, and an operator does not need to be qualified to run a train from the cab to use an RCL device.

According to the Notice of Safety Advisory 2001-1 [12], these are the things that an RCL device must be able to control:

• Directional control

• Graduated throttle or speed control

• Graduated locomotive brakes

• Train brakes

• Horn

• Bell

• Sand control

• Headlight control

• Emergency air brake

• Generator field switch

• Indication of wheel slip

The field generator switch prevents power from going to the wheels. Modern trains have a diesel generator that provides power to electric motors that turn the train’s axles. By turning the field generator switch off, the locomotive is in a neutral setting with no power going to the electric motors.

Speed control is similar to the cruise control in a car. Rather than set a locomotive’s throttle, the operator specifies the speed at which the train should move. The throttle is adjusted as needed.

III. RECORDING RCL SIGNALS

To examine the security of RCL, the author decided to record some sample RCL signals. The first step was to find a railroad yard that regularly used RCL. Shortline Yard in Des Moines, Iowa is known to use RCL often during their switching operations. Signs are posted around the yard giving a warning that locomotives may be operated by remote control, and that there may not be anybody in the cab of the train. The Shortline Yard is usually busy, increasing the chance of intercepting good RCL signals. RCL locomotives at that railyard can be identified by a yellow flashing beacon on the locomotive and an extra antenna on the cab roof. When a locomotive is close, an observer can also notice that there is no one in the cab.

RCL implementations vary from manufacturer to manufacturer, and can even be set up differently depending on the site. Recordings and observations taken from this site may not apply to other sites. The RCL units used at the Short Line Yard appear to be Cattron-Theimeg’s AccuSpeed product. The author was unable to obtain a close look, but the OCUs had the same control layout as the photos that are on Cattron-Theimeg’s web site [13], and were the same lime green color. No other RCL unit sold appears to be similar in color or layout.

From the brochure on their site, one can find out some additional information about the AccuSpeed. The AccuSpeed offers two-way data exchange between the OCU and LCU. It can use a radio repeater; the repeater will receive signals on one frequency and retransmit them on another. This capability extends the range of the units. AccuSpeed also utilizes a GPS receiver to get accurate time. This accurate time allows multiple units to share the same frequency by synchronizing when they transmit.

The second step in intercepting the signals was to find which radio frequencies were being used. Two categories of signals were searched for: 802.11 signals and FM signals that could be picked up by a scanner. Research indicated that one likely place to find RCL in use was in the 450 MHz band [14]. There was also the possibility that communications could be done using 802.11 wireless networking [15], 220 MHz, or 900 MHz bands.

To search for the signals, a scanner and notebook computer running Netstumbler [16] software were brought to Shortline Yard in August 2004. No wireless access points could be identified that were attributable to the railroad yard.

Scanning of the 450 MHz band around Shortline Yard turned up digital signals that had characteristics pointing to their being RCL signals. The signals were at 457.775 MHz and 452.775 MHz. The signals were likely to be RCL signals for the following reasons:

• The signals were paired 5 MHz apart. Scanner frequency charts for other areas show a pattern of placing the frequencies 5 MHz apart [17].

• There appear to be multiple transmissions from different sources that are interleaved during that one second period. This finding fits with RCL allowing multiple radios to share the same frequency.

• Antennas on top of the train near the RCL beacon were the approximate length for the 400 MHz band.

• The signal strength dropped off rapidly outside the area of Shortline Yard.

• A simple attenuated receiver was created by listening to the 457.775 MHz frequency on a handheld radio with the antenna removed. The signal strength would be full only when an RCL train moved within 75 yards of the radio.

Signal recording was done with a Yaesu 8500 ham radio. Initial attempts at recording the signals were made by connecting the audio output of the radio to the line input of a notebook computer. This did not work well because the audio circuitry in the radio would not only distort the digital signal, but it would insert entirely new wave forms.

The ham radio was then modified by the author to pull the signal ahead of the audio processing circuitry. The signal itself comes out as a square wave; the audio circuitry cannot handle this signal because of its DC component, and the signal becomes unrecognizably distorted.

The modification for this radio was done by connecting a shielded 1/8 inch jack to pin 9 of the discriminator chip (MC3361). A list of common discriminator chips can be found on the web [18]. Care must be taken when soldering to the surface mounted chip. The pins are small and close together. Output from the radio was run into the line-level audio input on an IBM ThinkPad T23. The recordings were saved to disk as raw WAV files. The signals are sampled at 44.1 kHz.

IV. DECODING RCL SIGNALS

Once the signals are recorded they need to be analyzed, so a custom program was created to do this. The first step was to view the signal and try to figure out how it was encoded. A sample signal can be seen in Figure 1. In this image, each pixel represents one audio sample, about 1/44100th of a second.

The sine wave in the beginning of the signal is apparently for synchronization. The custom RCL decoder program was coded to look for this, and it colors that part of the signal red. The synchronization wave period is between 220 and 221 pixels across which translates to about 0.5 ms. So, the synchronization frequency is 2000 Hz.

After the synchronization, the signal goes through a “start of data” phase. The signal is held at the zero line, held in the negative, then held in the positive. The RCL decoder program recognizes this and colors that wave section green. This is the only place we see the signal held at zero during the data transmission.

After the “start of data” section comes the actual data itself. The RCL decoder program colors this blue. Somehow, digital 1’s and 0’s are encoded onto this part of the signal.

From looking at the signal, there seem to be two possibilities. The first would be to associate a positive value with a bit setting (such as one), and negative for the other. Another possibility would be to have a transition represent a bit value, and no transition be the other bit value.

Having signal transitions between positive and negative determine the bit value is common, and seems to fit well with the signal we see here. This would give this RCL signal a data rate of 4000 bits per second. The RCL decoder was written around the assumption that a transition represents a 1, and no transition represents a 0. This was because received signals had long strings of the same bits, and it was more likely these were zeros, and not ones. Figure 2 shows the signal with lines marking regular time intervals. The time intervals line up well with the transitions that exist in the signal.

The RCL decoder program can record the signals to disk in a WAV file format, or it will allow the previously recorded signals to be viewed in a GUI interface. It will also decode live or previously recorded signals. Assuming that ones were represented by a signal polarity change, and that zeros were encoded by having no polarity change, we attempted to decode these signals.

This allowed for an easy comparison between the signals to see if they were repeated, and to see what patterns showed up. Even if the encoding of ones and zeros onto the signal was different, we could still see the patterns that exist in the transmitted signals.

Table I shows the tabulation of packets received on February 1, 2005 at Shortline Yard in Des Moines, Iowa. The frequency was 452.775 MHz, and the time span was from 11:50 am until 12:58 pm. The left column shows the data packet, while the right column shows the number of times the packet was received during the sample period. There were a total of 6,000 packets successfully received. The ones shown in the table were the most commonly received ones.

The data part of the packets appears to be 48 bits long with some type of 12 bit CRC or similar at the end for a total of 60 bits. This is apparent in packets where one bit changes in the first 48. This will always cause the last 12 bits to shuffle their settings.

TABLE I

STATS ON RECEIVED RCL AT 457.775 MHZ

Data                  Count
9D93 005F 9000 015    301
9D92 E003 2400 03F    35
9D92 E003 17C0 051    40
9D92 E003 16B0 07A    30
9D92 83F3 74C0 007    37
9D92 8173 7700 051    111
9D92 8173 7580 048    41
9D92 80F3 2400 036    30
9D91 8173 2400 035    39
9D90 005F 9000 001    219
9793 D800 6001 564    39
9681 EC28 3000 780    155
9681 EC00 3000 DE0    49
9680 AC28 3000 403    90
9680 AC28 3000 401    212
9680 AC28 0000 A60    39
7E45 63C1 80A7 680    42
2F93 A003 1400 02A    134
2F93 0039 032D 027    576
2F91 81B3 2400 00D    35
2F91 8173 2400 037    112
2F90 C173 7400 019    80
2F90 C173 2400 03A    162
2F90 C15B 7400 006    30
2F90 C15B 2400 025    96
2F90 A003 7400 007    33
2F90 A003 1400 03E    34
2F90 0039 032D 033    412
2E26 032F 267B 028    92
2E25 C006 F000 041    81
2E25 C006 E800 0E5    85
2E25 02E6 F000 07D    45
2E25 02E6 5000 03B    44
2E25 0006 5000 01B    31
2E23 C006 E806 69A    30
2E23 C006 E800 0CC    48
2E23 02E6 5000 012    65
2E20 032F 267B 001    300


Fig. 1. RCL signal captured on December 11, 2004 at Short Line Yard in Des Moines, Iowa

Fig. 2. RCL signal captured on December 11, 2004 at Short Line Yard in Des Moines, Iowa

V. ANALYSIS OF SECURITY

There does not appear to be any encryption on the packets. If there were any encryption, there would not be so many packets that differ by only one bit. Even if the packets were encrypted, the fact that the same ones are repeated over and over again would be a vulnerability. A malicious user could figure out what an encrypted packet causes the locomotive to do. He or she could then replay encrypted packets once the function of the packet had been determined. Decryption would not be needed. With a few hours of coordinated video and data reception, it would be possible that a person could reverse-engineer the AccuSpeed’s RCL protocol. Once reverse engineered, a hostile person would only need a way of creating false codes and a radio to transmit them.

Creating the malicious signal to be transmitted to the locomotive could easily be done with any standard computer. The baud rate is slow enough that the audio outputs of a computer should be able to replicate the signal. Radios that transmit in the 450 MHz range are not hard to come by. While they may need to be modified for data use, this would not be a difficult thing to do. A high powered radio with an efficient antenna should be powerful enough to override the beltpack radio at a distance.

In a worst case scenario, an attacker could sit in a parked car overlooking the rail yard. When a train carrying hazardous materials was being moved in the yard, the attacker could take over operation of the train. The train could be crashed into a set of cars that were carrying liquid propane or something similar. If done in an urban area, this could cause many casualties. The crime would also be very difficult to trace back to the attackers since they had not physically entered the yard.

VI. RECOMMENDED CHANGES

Replacing all the RCL hardware units in use today with a new, secure product is not practical. A better choice would be to find a way to modify the existing units at a marginal cost.

The short messages that are transmitted by the RCL devices pose some challenges in what can practically be done. RCL only uses about 60 bits for transmission. Cryptographic block ciphers are done in powers of two, the closest being 64 bits. Cryptographic block ciphers of 64 bits are short enough to be brute force decoded. That is, a set of computers can go through all possible combinations of keys to see which fits. Increasing the size of the packet to 128 bits for a 128 bit block cipher would significantly increase security; however, it would affect the timing of a system that expects packet transmissions to be synchronized through a GPS clock and only last 60 bits.

Two packets with the same data, encrypted with the same key, would result in the exact same encrypted packets. An attacker could exploit this result by retransmitting an encrypted packet. Placing a timestamp on the packets would keep the results changing and allow the devices to discard old packets. Unfortunately, adding a timestamp would significantly lengthen the packets and significantly change how the timing of this system works.

The real-time nature of the RCL protocol is not going to support replaying old packets. So the encryption needs to support continuing if a packet is lost. This makes having one long cipher stream an impractical solution. Each packet needs to be independently able to be decoded.

Despite these challenges, an effective means of communication can be accomplished. Some RCL devices, such as Cattron Theimeg’s AccuSpeed, have GPS clocks. This attribute can be used to help increase the security of the RCL devices. For example, RSA’s SecurID uses a shared secret along with a synchronized clock to produce a series of seemingly unrelated numbers through a hash algorithm. Both sides know the shared secret and the clock. They can compare the hash result as a one-time password for verification. Even with the knowledge of many one-time passwords, it is difficult to derive the shared key. SecurID has some known vulnerabilities [19], [20], but it is still a generally accepted secure way to generate one time use passwords.


RCL could do something similar; a shared secret could be combined with the GPS timestamp. Both the LCU and OCU would know these values. They could be run through a SHA-1 secure hash function. This would generate a seemingly random 160 bit number. The 60 bit packet could be XOR’d with the first 60 bits of the hash. The CRC should be XOR’d with the hash. If it were not XOR’d with the hash, an attacker could send random packets with the correct CRC just to see what happened. This is obviously not desired. Including the CRC in the hash does allow a person to receive a packet, then attempt to find the shared secret with the known clock and hash function. Checking the CRC will give the attacker an idea if he or she guessed correctly. But, if the shared secret is at least 256 bits, it would take the potential attacker a very long time to guess.
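The masking scheme described in this section, worked through as an added example (this is not code from the paper or from any RCL vendor). The CRC-12 polynomial, the 8-byte big-endian encoding of the GPS second, the one-second slot length, and the sample secret, payload and slot number are assumptions made for the illustration.

```python
import hashlib
from typing import Optional

DATA_BITS = 48                       # payload length reported in Section IV
CRC_BITS = 12                        # trailing check length reported in Section IV
PACKET_BITS = DATA_BITS + CRC_BITS   # 60 bits on the air, unchanged by the scheme
CRC_MASK = (1 << CRC_BITS) - 1
CRC12_POLY = 0x80F                   # assumption: the real check polynomial is not on the page


def crc12(data: int) -> int:
    """Bitwise CRC-12 over the 48 data bits, MSB first, zero initial value."""
    reg = 0
    for i in range(DATA_BITS - 1, -1, -1):
        feedback = ((reg >> (CRC_BITS - 1)) & 1) ^ ((data >> i) & 1)
        reg = (reg << 1) & CRC_MASK
        if feedback:
            reg ^= CRC12_POLY
    return reg


def mask_for_slot(secret: bytes, gps_second: int) -> int:
    """First 60 bits of SHA-1(shared secret || GPS second), as an integer."""
    digest = hashlib.sha1(secret + gps_second.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") >> (160 - PACKET_BITS)


def send(data: int, secret: bytes, gps_second: int) -> int:
    """OCU side: append the CRC, then XOR data and CRC with the slot mask."""
    if not 0 <= data < (1 << DATA_BITS):
        raise ValueError("payload must fit in 48 bits")
    clear = (data << CRC_BITS) | crc12(data)
    return clear ^ mask_for_slot(secret, gps_second)


def receive(on_air: int, secret: bytes, gps_second: int) -> Optional[int]:
    """LCU side: unmask with its own GPS second; return the payload or None."""
    clear = on_air ^ mask_for_slot(secret, gps_second)
    data, check = clear >> CRC_BITS, clear & CRC_MASK
    return data if crc12(data) == check else None


def count_accepted_replays(on_air: int, secret: bytes,
                           first_slot: int, slots: int) -> int:
    """Feed one recorded packet to the receiver in each of the next `slots` seconds."""
    return sum(receive(on_air, secret, first_slot + k) is not None
               for k in range(1, slots + 1))


def demo() -> dict:
    secret = bytes(range(32))    # constructed 256-bit shared secret
    payload = 0x123456789ABC     # constructed 48-bit command payload
    slot = 1_107_280_200         # constructed GPS second
    first = send(payload, secret, slot)
    second = send(payload, secret, slot + 1)
    return {
        "same_command_differs_on_air": first != second,
        "accepted_in_own_slot": receive(first, secret, slot) == payload,
        # Only the 12-bit check rejects a stale packet, so roughly one in
        # 4096 wrongly unmasked packets still passes; count, don't assume zero.
        "replays_accepted_of_200": count_accepted_replays(first, secret, slot, 200),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The timestamp never travels with the packet, so the on-air length stays at 60 bits and each packet unmasks independently of any lost ones, which are the two constraints this section sets.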

VII. CONCLUSION

The Cattron-Theimeg Accuspeed studied at Shortline Yard in Des Moines, Iowa does not appear to be secure. It would not be difficult for a malicious person to cause the loss of life and property using RCL vulnerabilities. As shown in this paper, improved security using only software updates is possible. Because malicious use of RCL could result in loss of life and significant financial liability, the cost of creating a more secure solution is worthwhile.

The author recommends a study into the security of RCL units by all vendors, not just the one studied in this paper. Other units may not have been developed for use in a hostile environment. Electronic threats are now common, and there is no reason to believe that the rail industry will be immune to them.

Given that several wireless protocols with the rail industry appear to be insecure [21] [22] [23], it would also be prudent for the Federal Rail Association to fund an independent security group to analyze existing and future wireless communications.

REFERENCES

[1] Adrian Lamo, “The back cover photo,” 2600, Spring 2005.

[2] Keven Poulsen, “Lamo’s adventures in worldcom,” Security Focus, December 2001.

[3] ——, “Adrian Lamo charged with computer crimes,” Security Focus, September 2003.

[4] Federal Railroad Administration, “Interim report - safety of remote control locomotive operations,” May 2004.

[5] Federal Railroad Association, “FRA policy on remote control locomotives history, background and current status,” March 2003.

[6] ——, “Facts about remote control technology,” March 2003. [Online]. Available: http://www.aar.org/Pubcommon/Documents/factsPLCT.pdf

[7] CANAC, “CANAC beltpack,” February 2005. [Online]. Available: http://www.canac.com/beltpack.html

[8] Cattron-Theimg, “Railapps,” February 2005. [Online]. Available: http://www.cattron-theimeg.com/csa/railapps.html

[9] ——, “Cattron group, inc. acquires beltpack and canac remote control technologies,” October 2004. [Online]. Available: http://www.cattron-theimeg.com/news/news-beltpack-acquire.htm

[10] M. Luczak, “The power of remote control,” RailwayAge, February 2005.

[11] GE, “Product summary - GE transportation systems LOCOTROL remote controlled locotomotive (RCL),” February 2005.

[12] Federal Railroad Association, “Notice of safety advisory 2001-01,” Federal Register, vol. 66, no. 31, p. 10340, February 2001.

[13] Cattron-Theimg, “Accuspeed product literature,” February 2005. [Online]. Available: http://www.cattron-theimeg.com/pdf-specs/AccuSpeed.pdf

[14] American Railway Engineering & Maintenance of Way Association, “Remote control locomotive technology.” [Online]. Available: www.arema.org/comm/c16/C16PUB1.HTM

[15] B. Brewin, “Sidebar: Remote-control train expected to boost efficiency and safety,” Computerworld, January 2004.

[16] M. Milner, “Netstumbler v0.4.0 release notes,” April 2004. [Online]. Available: www.stumbler.net/readme/readme 0 4 0.html

[17] G. Hahn. [Online]. Available: www.kb9ukd.com/ ghahn/rr.htm

[18] L. B. Bill Cheek, “Bill cheek’s scanner data decoding frequently asked questions file,” May 2000. [Online]. Available: www.radioreference.com/digital/discrim.txt

[19] Mudge and Kingpin, “Initial cryptanalysis of the rsa securid algorithm,” @stake, January 2001.

[20] I.C. Wiener, “Sample securid token emulator with token secret import,” Bugtraq, December 2000. [Online]. Available: archives.neohapsis.com/archives/bugtraq/2000-12/0428.html

[21] P. Author, “A brief look at railroad communication vulnerabilities,” ITSC 2004 7th International IEEE Conference on Intelligent Transportation Systems, October 2004.

[22] ——, “Security of railway EOT systems,” ASME/IEEE Joint Rail Conference, March 2005.

[23] ——, “Security of ATCS wireless railway communications,” ASME/IEEE Joint Rail Conference, March 2005.

[24] Association of American Railroads. [Online]. Available: www.aar.org/Pubcommon/Documents/mythsRCL.pdf

[25] Cattron-Theimg. (2005, February) Cattron-theimeg inc. mp96 rcl. [Online]. Available: www.cattron-theimeg.com/UK/MP96 RCL uk.html
