Russian Hackers Warn EU Trains Are Vulnerable to Hijack

Uploaded on 2016-01-21 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, GOVERNMENT-National, FREE TO VIEW

Operational high-speed lines in Europe 2015.

A group of Russian hackers have exposed gaping holes in computer systems that control train networks across Europe, claiming its vulnerabilities could lead to attackers causing devastating derailments or hijacking.

Bugs in outdated systems, and human programming errors, have been identified as alarming weak points by a trio of industrial control specialist hackers, who say other hackers could exploit things such as control braking systems – or could even hijack a train.

The Register explains overlooked bugs in device drivers can be exploited by clever hackers: "If somebody can attack the modem, the modem can attack the automatic train control system, and they can control the train," said Sergey Gordeychik, who helped discover the flaw.

Along with Gordeychik, Aleksandr Timorin, and Gleb Gritsai were integral to the discovery and also frustrated over simple vulnerabilities as a result of decades-old control systems. They unveiled their findings at the December Chaos Communications Congress in Hamburg in the hope vendors will fix it. However, they did not share any explicit details on vulnerabilities or rail vendor names and which countries they operate in over fear it would allow encourage attacks.

Mind the hack
Should hackers be able to infiltrate the antiquated operator's control system they may struggle to use it anyway as some require special training, but the article explains there is plenty of documentation that can be found online to allow hackers to access programmable logic controllers and servers.

With many rail operators using a connected system of trains, ticket systems and stations it poses a high-risk threat to safety as well as untold chaos that could follow should this be exploited by malicious hackers.

"The first threat is to safety, or cyber-physical ... the second is economic threats to impact efficiency and revenue, and the third is threats reliability," said Gordeychik.

The three hackers have released their findings to vulnerable vendors to force them to not use easily cracked hard-coded or default passwords to their systems. They say operators, who still remain nameless, are now aware of the worrying weaknesses and are working to fix the issues.

IB Times: http://bit.ly/1Srnxqt

« Amazon’s Data Centers Are Located in US Spy Country
Anonymous Want Revenge For Saudi Executions »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Davis Wright Tremaine (DWT)

Davis Wright Tremaine (DWT)

Davis Wright Tremaine is a full-service law firm with offices throughout the US and in Shanghai, China. Practice areas include Technology, Privacy & Security.

Jumpsec

Jumpsec

Jumpsec provides penetration testing, security assessments, social engineering testing, cyber incident response, training and consultancy services.

Brainloop

Brainloop

Brainloop's security architecture enables you to work on and distribute strictly confidential documents both within and beyond the firewall.

limes datentechnik

limes datentechnik

limes datentechnik is an authority in the fields of cryptography and data compression. The FLAM product family is an internationally accepted standard for efficient and safe handling of data.

Office of the National Security Council (UVNS) - Croatia

Office of the National Security Council (UVNS) - Croatia

UVNS coordinates, harmonizes the adoption and controls the implementation of information security measures and standards in the Republic of Croatia.

Tech Mahindra

Tech Mahindra

Tech Mahindra is a global leader in IT solutions, BPO, business consulting services & digital technologies.

Risk Ident

Risk Ident

RISK IDENT specializes in supporting enterprises in identifying and preventing criminal activity like payment fraud, account takeovers and identity theft.

CryptoSec.info

CryptoSec.info

CryptoSec.info is a web resource focused on educating the beginners in the cryptocurrency space on how to properly secure their online assets from hackers and scammers.

Open Raven

Open Raven

Open Raven is the cloud native data security platform that prevents breaches driven by modern speed and sprawl. Restore full visibility and regain control within minutes, without agents.

stackArmor

stackArmor

stackArmor specializes in compliance and security-focused solutions delivered using our Agile Cloud Transformation (ACT) methodology.

eaziSecurity

eaziSecurity

eaziSecurity has built an eco-system of technology and services that bring enterprise scale security solutions to the SME marketplace.

Ghost Security

Ghost Security

Ghost is a venture backed, product-led startup building the new standard in application security for the modern enterprise.

McAfee

McAfee

McAfee is a worldwide leader in online protection. We’re focused on protecting people, not devices. Our solutions adapt to our customers’ needs and empower them to confidently experience life online.

Nokod Security

Nokod Security

Nokod Security delivers an application security platform for low-code / no-code custom applications and Robotic Process Automation (RPA).

Lupasafe

Lupasafe

Lupasafe is an all-in-one cybersecurity platform for MSPs and SMEs. See all your cyber risks: From training to phishing, darkweb scans, continuous tech monitoring, AI insights, reporting & compliance.

CoNetrix

CoNetrix

CoNetrix is a full service computer networking, software development, and security and compliance firm built on the principles of integrity, innovation, and initiative.