Research Article
A Framework for Vulnerability Detection in European Train Control Railway Communications
Irene Arsuaga,1 Nerea Toledo,1 Igor Lopez,2 and Marina Aguado1
1 Department of Communication Engineering, University of the Basque Country (UPV/EHU), Alameda Urquijo s/n, 48013 Bilbao, Spain
2 Research & Development Department, Construcciones y Auxiliar de Ferrocarriles (CAF), J. M. Iturrioz 26, 20200 Beasain, Spain
Correspondence should be addressed to Nerea Toledo; nerea.toledo@ehu.eus
Received 17 November 2017; Accepted 22 February 2018; Published 15 May 2018
Academic Editor: Prem Mahalik
Copyright © 2018 Irene Arsuaga et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Railway systems have evolved considerably in recent years with the adoption of new communication technologies. Aiming to achieve a single European railway network, the European Rail Traffic Management System (ERTMS) emerged in Europe to substitute multiple and noninteroperable national railway communication systems. This system and its security strategies were designed in the late 1990s. Recent works have identified vulnerabilities related to integrity, authenticity, availability, and confidentiality. In order to define effective countermeasures that mitigate these vulnerabilities, they first have to be analysed. In this article, we introduce a framework that attempts to challenge ERTMS security by evaluating the exploitability of these vulnerabilities.
1. Introduction
The increased need for transportation in a common market and the lack of interoperability between different railway operational styles in Europe brought up the need for a common rail management system in Europe. In the mid-1980s, the railway community began to search for a common European operation management system for railways, called the European Rail Traffic Management System (ERTMS) [1]. This solution was created to replace the heterogeneous landscape of national train control systems.
ERTMS communications are radio based, and thus wireless systems are used to transmit the movement authorities from the Radio Block Centre (RBC), the entity in charge of managing train operation, to the trains. Up to now, the wireless communication technology in use is GSM-R (Global System for Mobile Railways), a specific version of GSM devoted to railway communications.
In order to guarantee the security of the communications, the GSM-R network has to ensure several security properties. On the one hand, the data transmitted should be kept confidential. Moreover, the data should not be changed by an attacker before arriving at the train, to ensure that the train does not receive fake movement authorities. On the other hand, the communication network should always be available for the exchange of the needed messages. That is, the network has to ensure the CIA triad of confidentiality, integrity, and availability, which is a widely known model designed to guide information security policies within an organization and represents the most crucial security properties. Since safety is one of the most critical issues to be addressed in the railway context, in this work we focus on train movement authorization message exchanges, so our primary concern is data integrity, even if availability and confidentiality will also be affected.
With the goal of guaranteeing data confidentiality and integrity, different encryption systems are used in the different communication layers. For GSM, and also for GSM-R, the A5/1 encryption system is used. In addition, the EuroRadio protocol is used to ensure the authenticity and the integrity of the communications. However, it has been proved that both protocols have vulnerabilities [2, 3].
Finally, it should be taken into account that radio jamming devices could jam, block, or interfere with wireless communications, thereby breaking the availability of the network.
Hindawi, Security and Communication Networks, Volume 2018, Article ID 5634181, 9 pages, https://doi.org/10.1155/2018/5634181
Apart from the aforementioned lack of security of GSM-R and EuroRadio, it is necessary to point out the evolution of railway communications in recent years. Although in the recent past railway systems were closed systems, a new trend of connecting all the elements of the railway network to the Internet has recently been gaining relevance. This exposes railway communications to the intrinsic vulnerabilities of the Internet and thus challenges security in these scenarios.
Because the security properties defined in the CIA triad can so easily fail to be fulfilled, the railway context can be considered a hostile environment, and hence safety and security are demanded in these networks.
Many efforts have been made to provide safety in the railway scenario [4–6], but security is an emerging demand, and even if different research efforts have also been made to provide secure railway communications [7, 8], there are still several limitations. Moreover, the methodologies used in safety analysis, based on probabilistic hazards, are not valid for security. That is, it is not feasible to calculate when an attacker will detect a vulnerability and/or exploit it. Therefore, it is necessary to design a vulnerability detection system in order to try to avoid the exploitation of those vulnerabilities by means of defining countermeasures.
Our contribution focuses on presenting a framework that will be able to exploit the vulnerabilities of the ERTMS system regarding integrity and authenticity. By means of this framework, it will be possible to know whether this attack can be done in real time or not.
The article is organized as follows: in Section 2, we describe the ERTMS protocol and analyse why the railway context is a hostile environment. In Section 3, we analyse the work done relating to this topic. We describe our framework in Section 4, emphasising the benefits of having a framework that attacks different vulnerabilities, describing it with the limitations that it has, and finally describing the process we will follow to know whether the described attack could succeed in real time. Then we conclude in Section 5.
2. Overview of ERTMS
The ERTMS is composed of two elements: (1) the European Train Control System (ETCS) for the signalling and (2) the GSM-R for the communication.
2.1. ETCS. The ETCS has a great variety of possible configurations in the signalling equipment used on existing or new lines. Because of this, ETCS has been conceived with several application levels: 0, NTC (national train control), which is the former STM (specific transmission module), 1, 2, and 3. Next, the different ETCS levels are described.
2.1.1. ETCS Level 0. ETCS level 0 covers the operation of ETCS equipped trains on lines that are not equipped with ETCS or national systems. On these lines, lineside signals are used to give movement authorities to the trains. This level has been defined to ensure the proper transition between ETCS equipped and nonequipped trains. The operation of this level is shown in Figure 1.
2.1.2. ETCS Level NTC. ETCS level NTC is used to run ETCS equipped trains on lines equipped with national train control and speed supervision systems. The train control information that is generated trackside by the national train control system is transmitted to the train via the communication channels of the underlying national system and transformed onboard into information interpretable by ETCS. Depending on the functionality and the configuration of the specific national system installed onboard, the ERTMS/ETCS onboard system may need to be interfaced to it in order to perform the transitions from/to the national system and/or in order to give access to ERTMS/ETCS onboard resources. This can be achieved through a device called STM. The operation in this level is presented in Figure 2.
2.1.3. ETCS Level 1. In application level 1, ETCS is overlaid on the traditional signalling equipment. The train position is detected by the traditional trackside devices, which are linked to the interlocking through the Lineside Encoder Unit (LEU) interface. The interlocking is the wayside equipment control. Lineside signals are kept, and data is transmitted to the onboard equipment by means of Eurobalises, which are transponders placed between the rails of the railways. The operation of this level is shown in Figure 3.
2.1.4. ETCS Level 2. In application level 2, GSM-R radio is used to exchange data between the RBC and the trains. The EuroRadio protocol, which is based on a 3DES cryptographic system, is implemented in these communication channels. Movement authorities are sent to the trains via this channel, and in addition a continuous speed supervision is performed. For this communication, the Base Transceiver Station (BTS) of the Control Centre communicates with the onboard unit (OBU) of the onboard equipment.
However, train detection is performed by the trackside equipment, so it is out of the scope of ERTMS/ETCS. In this level, lineside signals could be suppressed. The operation is described in Figure 4.
2.1.5. ETCS Level 3. Finally, operation level 3 is a radio based train control system. Movement authorities are generated trackside and transmitted to the train via EuroRadio as in level 2, but in this level train positioning is also performed by the trackside RBC. Eurobalises are just used for location referencing. Lineside signals could be suppressed in this level too. The operation is described in Figure 5.
2.2. GSM-R. During the course of their standardization activities, the UNISIG group realized that, in order to ensure security of the railways in GSM, certain spectrum bands needed to be allocated. However, GSM could not fulfil all the requirements needed for an efficient railway service, and therefore some specific functional features were added to the GSM specifications.
Figure 1: ETCS level 0 operation [9].
Figure 2: ETCS level NTC operation, based on [9].
Figure 3: ETCS level 1 operation [9].
Figure 4: ETCS level 2 operation, based on [9].
Figure 5: ETCS level 3 operation [9].
The frequencies allocated in Europe for GSM-R are close to the GSM 900 band of the public operators. A 4 MHz spectrum with 19 frequencies is available for these communications.
In order to guarantee the confidentiality of the network, the A5/1 stream cipher is used in GSM (and GSM-R) networks. A stream cipher is a symmetric key cipher where plain-text digits are combined with a key stream.
2.3. Integrity and Authenticity in ERTMS. From the second ETCS level, integrity and authenticity in ERTMS are accomplished with two different security mechanisms: A5/1 for GSM-R and EuroRadio for ETCS. This is the target level of our framework.
Regarding A5/1, even if at the beginning the encryption system was kept secret, it became public knowledge through leaks and reverse engineering [2]. A number of serious weaknesses in the cipher were identified [10]. Hence, rainbow tables able to decrypt encrypted messages are available on the Internet.
On the other hand, the EuroRadio protocol uses 3DES keys to encrypt the messages [11]. The keys used in the communications (KTRANS, K-KMC, KMAC, and KSMAC) are created by the KMC entity, with the exception of the session key KSMAC. The KTRANS and K-KMC keys are transport keys used to ensure the safe distribution of the KMAC keys from the KMC to ERTMS entities. This distribution is made off-line; this means it requires personnel to manually deliver the messages.
The KMAC key is used in the session establishment process to negotiate the KSMAC session key between ERTMS entities. Three messages are exchanged between the ERTMS entities in this phase for the authentication of both entities and the key generation. In these messages, the random numbers $R_A$ and $R_B$ are sent, which are used for computing the KSMAC key together with the KMAC key. Considering KSMAC $= K_S = (K_{S1}, K_{S2}, K_{S3})$, the three 64-bit DES keys $K_{S1}$, $K_{S2}$, and $K_{S3}$ are calculated according to the following formulas:

$$
\begin{aligned}
K_{S1} &= \mathrm{MAC}(R_A^L \mid R_B^L, K_{AB}) = \mathrm{DES}(K_3, \mathrm{DES}^{-1}(K_2, \mathrm{DES}(K_1, R_A^L \mid R_B^L))), \\
K_{S2} &= \mathrm{MAC}(R_A^R \mid R_B^R, K_{AB}) = \mathrm{DES}(K_3, \mathrm{DES}^{-1}(K_2, \mathrm{DES}(K_1, R_A^R \mid R_B^R))), \\
K_{S3} &= \mathrm{MAC}(R_A^L \mid R_B^L, K'_{AB}) = \mathrm{DES}(K_1, \mathrm{DES}^{-1}(K_2, \mathrm{DES}(K_3, R_A^L \mid R_B^L))),
\end{aligned}
\tag{1}
$$

where $L$ means left and $R$ means right, and therefore $R_A = R_A^L \mid R_A^R$ and $R_B = R_B^L \mid R_B^R$.
The calling entity ($B$) creates a random number $R_B$ and sends it to the called entity ($A$) in plain text. Consequently, the $A$ entity creates a random number $R_A$ and computes the KSMAC key with both random numbers and the KMAC. Afterwards, the $A$ entity sends the created random number $R_A$ and a CBC-MAC code computed with the KSMAC and both random numbers to the $B$ entity. Finally, the $B$ entity computes the KSMAC key and verifies that it is correct, creating also a CBC-MAC with it, which is sent to the $A$ entity for the complete authentication. Random numbers are exchanged in plain text, and thus an attacker could save them.
3. Related Work
Many research and innovation projects regarding cybersecurity in railways are being completed with funds from the European Union. Some of those projects are described in [12].
Different analyses of the security of the ERTMS protocol have also been done. These analyses have pointed out vulnerabilities in the ERTMS cryptographic mechanisms. A high-level security analysis of ERTMS is made in [13], but it does not present the vulnerabilities of the EuroRadio protocol that will be exploited with this framework. Different vulnerabilities of the EuroRadio protocol are pointed out in [3] by performing an analysis of it with the ProVerif tool. These vulnerabilities include, for instance, the ability to include high-priority messages or to delete messages, since the session establishment process does not use time-stamps and therefore these messages could be replicated. In this case, once the session is established, the train does not verify the identity of the RBC anymore, so a vulnerability that could be exploited exists.
Additionally, [14] pointed out that, since the distribution of the KMAC key is made off-line and this requires personnel to manually deliver the keys from the KMC to the ERTMS entities, many operators decide to simplify the process by using the same KMAC for large train fleets, amplifying the risk of an attack. Therefore, if the attack is performed during the session establishment process and the same key is shared between different parties, the whole system could be compromised: an attacker could take the identity of many trains in other session establishments.
On the other hand, [15] pointed out the ability to make a key collision attack on DES, and [16] described how a Related-Key Attack (RKA) can be done in ERTMS. A method for doing these two attacks in ERTMS networks is presented in [17], which concludes that the EuroRadio protocol is not secure if large amounts of data, and therefore long session lengths, are used. Thus, the Meet-in-the-Middle attack presented in this article could be more feasible.
However, all of these analyses present vulnerabilities of the protocols used in ERTMS but do not describe how these vulnerabilities could be exploited in order to later find countermeasures for them. This paper will contribute by presenting a framework that describes how an attack could be performed and by figuring out whether it is feasible to do it in real time.
4. Proposed Method for Vulnerability Detection
In this section, we present our framework and the method for vulnerability detection, describing also its limitations. Finally, the process we will follow to know whether an attack could be successful in real time is described.
4.1. Description of the Framework and Limitations. The scenario that this framework will consider is shown in Figure 6. The train usually connects to the Control Centre in order to receive movement authorities, but first the train sends a position report to the Control Centre.
In the scenario that we are considering, we force the train to connect to the malicious Control Centre instead of the real one, but before doing this we calculate the keys used in the communication between the train and the RBC with the attacker presented in Figure 7.
Once we have obtained the keys and forced the train to connect to our malicious Control Centre, the position report that the train sends will arrive at the malicious Control Centre. This position report is encrypted by different encryption systems at different levels, but at this point we have already obtained the keys used in the communication, and therefore we are able to decrypt the message. Accordingly, we are able to change the position report and send it to the real Control Centre by taking the identity of the train. The Control Centre receives the fake message and creates a movement authority depending on the position report, which is sent to the train.
Figure 6: Scenario.
Figure 7: Framework.
The framework we have considered is described in Figure 7. It is composed of the malicious Control Centre, the train, an attacker that will eavesdrop, and the real Control Centre.
The malicious Control Centre is formed by the false RBC, which will be an industrial PC, the OpenBTS (Open Base Transceiver Station) software [18], which is composed of the SIPAuthServe, SMQueue, and Asterisk servers, and the USRP N210 Software Defined Radio (SDR) [19].
OpenBTS is a software-based GSM access point, allowing standard GSM-compatible mobile phones to be used as SIP endpoints in Voice over IP (VoIP) networks. The software controls the transceiver, makes calls, and sends SMSs. SIPAuthServe is the server that processes the SIP register requests that OpenBTS generates when a handset attempts to join the GSM network. It supports three types of authentication:
(i) AUTH type 2: unauthenticated. The handset is connected to the OpenBTS network, but it does not exist in the register server.
(ii) AUTH type 1: cached authentication. The handset is connected to the network and it does exist in the register server, but a simple encryption method based on TMSI is used.
(iii) AUTH type 0: full authentication. The SIM card is fully authenticated in OpenBTS, and therefore the $K_i$ key is provided to the authentication server and used for the encryption. The $K_i$ is a 128-bit value used to authenticate the SIMs on a GSM mobile network. Each SIM holds a unique and secret $K_i$ assigned by the operator. This authentication method uses proper GSM encryption over the network.
The other servers in OpenBTS are SMQueue and Asterisk, as has been pointed out before. While SMQueue processes the SIP message requests that OpenBTS generates when a handset sends an SMS, Asterisk is a VoIP switch responsible for handling SIP INVITE requests, establishing the individual legs of the call, and connecting them together [20].
The hardware part of the OpenBTS setup is an SDR, a USRP N210 in our case, with two GSM antennas to create the network. The USRP N210 has been chosen because it supports GSM-R networks and provides high bandwidth and a high dynamic range processing capability.
The train in the framework will be simulated with a PC, a modem, and a programmable SIM card. A programmable SIM card [21] is needed because it is necessary to know the $K_i$ key of the SIM card in order to get full authentication in OpenBTS and use GSM encryption over the network. The modem will be used to connect the PC to the GSM network.
Finally, the attacker that will perform the eavesdropping attack in Figure 7 will be equipped with a TDT-SDR. It is an SDR that captures the traffic in the GSM network together with the Universal Radio Hacker (URH) software. With this SDR we will be able to investigate the wireless protocol, and with the rainbow tables we will be able to get the A5/1 keys used in the communication between the train and the real Control Centre. Thus, since the SIM card we use has a programmable $K_i$, we will be able to configure the same A5/1 key, and therefore, once we force the train to connect to the malicious Control Centre, we will be able to decrypt the sent messages.
As mentioned before, our framework is composed of OpenBTS and the USRP N210, and therefore, since we use the OpenBTS software, we are able to create only GSM-R and GPRS networks. In case railway networks evolve to LTE (Long Term Evolution), we could use the OpenLTE open source project [22], but this project cannot be used with the USRP N210 hardware because of clock incompatibility reasons. Therefore, a sample rate conversion on the host would have to be done in the USRP.
4.2. Specification of the Procedure. The flow chart that this attack follows is described in Figure 8. As can be seen, after installing the framework we are able to get the data sent from the train to the real Control Centre. This traffic is ciphered by A5/1. Since we have the rainbow tables in the attacker performing the eavesdropping attack, we are able to decrypt the messages at GSM level.
The attack on the EuroRadio protocol will be performed against the DES KSMAC key and will be a Meet-in-the-Middle attack. In this attack, all possible keys are tested.
Since all the messages that are exchanged between the train and the RBC in ERTMS are defined in [11], we assume that we are able to obtain a known plain-text and cipher-text pair $(P_1, C_1)$. The Meet-in-the-Middle (MTM) attack on ciphers like $C = \mathrm{DES}(K_1, \mathrm{DES}(K_2, P))$ works as follows.
We build a list containing the pair $(I_1, K_1)$ for every possible value of $K_1$, $2^{56}$ for DES. The $I_1$ values will be obtained by brute force: $I_1 = \mathrm{DES}(K_1, P_1)$.
On the other hand, we will obtain $I_2$ values by performing $I_2 = \mathrm{DES}^{-1}(K_2, C_1)$. This operation is performed until the $I_2$ value matches an $I_1$ value that is stored in the table.
In order to be sure that the computed keys are correct, it is possible to obtain another known plain-text and cipher-text pair $(P_2, C_2)$ and calculate $C = \mathrm{DES}(K_1, \mathrm{DES}(K_2, P_2))$. If $C$ and $C_2$ are equal, it means that we have found the correct keys.
In triple-DES systems, where there are three different keys, the ciphers work following the next relation:

$$
C = \mathrm{DES}(K_1, \mathrm{DES}^{-1}(K_2, \mathrm{DES}(K_3, P))). \tag{2}
$$

For the Meet-in-the-Middle attack in triple-DES with three different keys, we define $\mathrm{DES}(K_2, P) = \mathrm{DES}^{-1}(K_2, \mathrm{DES}(K_3, P))$, so we just need to apply this for the calculation of $I_1$.
The calculation of $I_1$ needs $2^{112}$ operations because it is a double application of DES, and on the other hand the calculation of $I_2$ needs $2^{56}$ operations. Thus, the attack requires $2^{112} + 2^{56} \approx 2^{112}$ operations.
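The two sweeps described above, as an added example that is not code from the paper: a meet-in-the-middle search against double encryption, run on a constructed toy Feistel cipher with 16-bit keys in place of DES so that both sweeps finish in about a second. The cipher, the key values and all function names are assumptions made for illustration; what it shows is that the work is the sum of the two sweeps ($2^{17}$ here, $2^{112} + 2^{56}$ in the estimate above), not the product of the key spaces.

```python
"""Meet-in-the-middle against double encryption, on a constructed toy cipher.

The toy cipher (32-bit block, 16-bit key, 4-round Feistel) is NOT DES; it only
keeps the key space small enough to sweep in about a second.
"""
import math
from collections import defaultdict

KEY_BITS = 16
ROUNDS = 4
MASK16 = 0xFFFF


def _round_key(key, i):
    # Rotate the 16-bit key and mix in a per-round constant.
    rot = 3 * i + 1
    rotated = ((key << rot) | (key >> (16 - rot))) & MASK16
    return rotated ^ ((0x9E37 * (i + 1)) & MASK16)


def _f(half, round_key):
    # Non-linear round function; a Feistel network is invertible for any F.
    x = ((half ^ round_key) * 0x2545 + 0x01B3) & MASK16
    return x ^ (x >> 7)


def encrypt(key, block):
    left, right = block >> 16, block & MASK16
    for i in range(ROUNDS):
        left, right = right, left ^ _f(right, _round_key(key, i))
    return (left << 16) | right


def decrypt(key, block):
    left, right = block >> 16, block & MASK16
    for i in reversed(range(ROUNDS)):
        left, right = right ^ _f(left, _round_key(key, i)), left
    return (left << 16) | right


def double_encrypt(k_outer, k_inner, block):
    # Same shape as C = DES(K_outer, DES(K_inner, P)).
    return encrypt(k_outer, encrypt(k_inner, block))


def meet_in_the_middle(pairs):
    """Return (candidate (k_outer, k_inner) pairs, single-cipher trials used)."""
    (p1, c1), extra_pairs = pairs[0], pairs[1:]
    trials = 0

    # Forward sweep: intermediate value for every key applied to the plaintext.
    forward = defaultdict(list)
    for k_inner in range(1 << KEY_BITS):
        forward[encrypt(k_inner, p1)].append(k_inner)
        trials += 1

    # Backward sweep: peel the outer layer off the ciphertext and look it up.
    candidates = []
    for k_outer in range(1 << KEY_BITS):
        trials += 1
        for k_inner in forward.get(decrypt(k_outer, c1), ()):
            # A match on one pair can be a coincidence; confirm on the others.
            if all(double_encrypt(k_outer, k_inner, p) == c
                   for p, c in extra_pairs):
                candidates.append((k_outer, k_inner))
    return candidates, trials


def cost_log2(forward_key_bits, backward_key_bits):
    """log2 of the sweep cost 2^forward + 2^backward."""
    return math.log2((1 << forward_key_bits) + (1 << backward_key_bits))


def sample_pairs(k_outer=0xBEEF, k_inner=0x1337):
    # Constructed known plain-text / cipher-text pairs.
    return [(p, double_encrypt(k_outer, k_inner, p))
            for p in (0x00C0FFEE, 0x12345678)]


if __name__ == "__main__":
    found, trials = meet_in_the_middle(sample_pairs())
    print("candidates:", [(hex(a), hex(b)) for a, b in found])
    print("trials: 2^%.0f, exhaustive search: 2^%d"
          % (math.log2(trials), 2 * KEY_BITS))
    print("page's 3DES estimate: 2^%.1f" % cost_log2(112, 56))
```

The second known pair matters: with a single pair, coincidental matches in the table are expected, which is why the procedure above confirms the keys against $(P_2, C_2)$.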
Afterwards, if we are able to calculate the three keys, we obtain $K_S = (K_{S1}, K_{S2}, K_{S3})$, and we need to calculate the time needed for performing the whole attack, as Figure 8 describes. With the measured time, we know whether this attack could be performed in real time or not.
In case the attack can be performed in real time, that is, if all the keys are obtained during the operation of the train, these keys could be used to carry out different attacks that involve the identity theft of the train or the RBC. The attacker, for instance, could pass himself off as the RBC in order to send false movement authorities to the train. On the other hand, the attacker could also falsify the train position control that is made by the RBC in ERTMS level 3 by sending false position information to the RBC while he impersonates the train. All this false information created by the attacker could lead to a collision between different trains.
The results obtained with the framework will help in looking for countermeasures, since acquiring the keys in real time means that the A5/1 and 3DES security mechanisms are not strong enough for railway environments. In consequence, those mechanisms should be reinforced or changed in order to continue using ERTMS systems in a secure manner. A possible countermeasure for the system could be to update the 3DES security mechanism to a more secure system such as AES, since AES uses larger block sizes and longer keys. Therefore, it will be more costly to perform the attack in real time. In fact, the 3DES key length is 112 or 156 bits, whereas in AES the length of the keys is variable: 128, 192, or 256 bits. However, the use of AES should first be evaluated by the framework presented in Figure 7.
Figure 8: Flow chart of the process.
5. Conclusions and Future Work
Different vulnerabilities in the security mechanisms of the ERTMS system have been described in this article, but even if they are identified, without an attacking framework we do not know whether they are exploitable in practice or not. In consequence, the presented framework will give information about the exploitability of the A5/1 and 3DES security mechanisms and therefore will determine whether countermeasures should be applied to improve the security of the system or not. Moreover, the resulting information of the framework will constitute the basis of the countermeasures that should be applied to the system.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Acknowledgments
This research work was supported by the Spanish Government through the SAREMSIG TEC2013-47012-C2-1-R project, Proyectos de I+D+I Retos Investigacion 2013, and by the Cyber Security on Rails project with Construcciones Auxiliar de Ferrocarriles Investigacion y Desarrollo SL, 2015-2016.
References
[1] U. P. Winter, Compendium on ERTMS, Eurail Press, 2009.
[2] M. Kalenderi, D. Pnevmatikatos, I. Papaefstathiou, and C. Manifavas, "Breaking the GSM A5/1 cryptography algorithm with rainbow tables and high-end FPGAs," in Proceedings of the 22nd International Conference on Field Programmable Logic and Applications, FPL 2012, pp. 747–753, Norway, August 2012.
[3] R. J. T. Joeri de Ruiter and T. Chothia, "A formal security analysis of ERTMS train to trackside protocols," Reliability, Safety, and Security of Railway Systems - Modelling, Analysis, Verification, and Certification, pp. 53–68, 2016.
[4] UIC, "2005 UIC Code 518 OR: Testing and approval of railway vehicles from the point of view of their dynamic behaviour, safety, track fatigue, ride quality."
[5] A. Faivre, A. Lapitre, A. Lanusse et al., "Two methods for modeling and verification of safety properties of railway infrastructures," in Proceedings of the International Conference on Industrial Engineering and Systems Management, IEEE IESM 2015, pp. 48–54, Spain, October 2015.
[6] M. Franekova, K. Rastocn, A. Janota, and P. Chrtiansky, "Safety analysis of cryptography mechanisms used in GSM for railway," Annals of the Faculty of Engineering Hunedoara, vol. 9, no. 1, p. 207, 2011.
[7] L. J. Valdivia, I. Adin, S. Arrizabalaga, J. Anorga, and J. Mendizabal, "Cybersecurity - The Forgotten Issue in Railways: Security Can Be Woven into Safety Designs," IEEE Vehicular Technology Magazine, vol. 13, no. 1, pp. 48–55, 2018.
[8] G. Hatzivasilis, I. Papaefstathiou, and C. Manifavas, "Real-time management of railway CPS: secure administration of IoT and CPS infrastructure," in Proceedings of the 6th Mediterranean Conference on Embedded Computing, MECO 2017, Montenegro, June 2017.
[9] U. SUBSET-026-2, "ERTMS/ETCS system requirements specification, chapter 2: basic system description," Tech. Rep., 2014.
[10] C. Manifavas, G. Hatzivasilis, K. Fysarakis, and Y. Papaefstathiou, "A survey of lightweight stream ciphers for embedded systems," Security and Communication Networks, vol. 9, no. 10, pp. 1226–1246, 2016.
[11] U. SUBSET-037, ERTMS/ETCS EuroRadio FIS, Tech. Rep.
[12] E. Masson and C. Gransart, "Cyber Security for Railways – A Huge Challenge – Shift2Rail Perspective," in Proceedings of the Communication Technologies for Vehicles, 12th International Workshop, Nets4Cars/Nets4Trains/Nets4Aircraft '17, pp. 97–104, Toulouse, France.
[13] R. B. I. Gashi, R. Bloomfield, and R. Stroud, "How secure is ERTMS? Computer Safety, Reliability, and Security, SAFECOMP 2012 Workshops," in Proceedings of the SAFECOMP 2012 Workshops: Sassur, ASCoMS, DESEC4LCCI, ERCIM/EWICS, IWDE, pp. 247–258, Magdeburg, Germany, 2012.
[14] I. Lopez and M. Aguado, "Cyber security analysis of the European train control system," IEEE Communications Magazine, vol. 53, no. 10, pp. 110–116, 2015.
[15] E. Biham, "How to forge DES-encrypted messages in $2^{28}$ steps," Tech. Rep., Technion Computer Science Department, 1996.
[16] F. Pepin and M. G. Vigliotti, "Risk assessment of the 3DES in ERTMS," Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Preface, vol. 9707, pp. 79–92, 2016.
[17] T. Chothia, M. Ordean, J. De Ruiter, and R. J. Thomas, "An Attack against message authentication in the ERTMS train to trackside communication protocols," in Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security, ASIA CCS 2017, pp. 743–756, United Arab Emirates, April 2017.
[18] R. Networks, "OpenBTS," 2018, http://openbts.org.
[19] E. Research, "USRP N210," 2018, http://www.ettus.com/product/details/UN210-KIT.
[20] Digium, "Asterisk," http://www.asterisk.org.
[21] Sysmocom, "sysmoUSIM-SJS1 SIM card," 2018, http://www.sysmocom.de/products/sysmousim-sjs1-sim-usim.
[22] "OpenLTE," 2018, http://sourceforge.net/p/openlte/wiki/Installing.
Apart from the aforementioned lack of security of GSM-R and EuroRadio, it is necessary to point out the evolution of railway communications in recent years. Although railway systems were until recently closed systems, a new trend of connecting all the elements of the railway network to the Internet is gaining relevance. This exposes railway communications to the intrinsic vulnerabilities of the Internet and thus challenges security in these scenarios.

Because the security properties defined in the CIA triad are easily left unfulfilled, the railway context can be considered a hostile environment, and hence safety and security are demanded in these networks.

Many efforts have been made to provide safety in the railway scenario [4–6], but security is an emerging demand, and even though different research efforts have also been made to provide secure railway communications [7, 8], there are still several limitations. Moreover, the methodologies used in safety analysis, which are based on probabilistic hazards, are not valid for security. That is, it is not feasible to calculate when an attacker will detect a vulnerability and/or exploit it. Therefore, it is necessary to design a vulnerability detection system so that countermeasures can be defined to try to avoid the exploitation of those vulnerabilities.

Our contribution focuses on presenting a framework that will be able to exploit the vulnerabilities of the ERTMS system regarding integrity and authenticity. By means of this framework, it will be possible to know whether this attack can be done in real time or not.

The article is organized as follows. In Section 2 we describe the ERTMS protocol and analyse why the railway context is a hostile environment. In Section 3 we analyse the work done relating to this topic. We describe our framework in Section 4, emphasising the benefits of having a framework that attacks different vulnerabilities, describing its limitations, and finally describing the process we will follow to know whether the described attack could succeed in real time. We conclude in Section 5.
2 Overview of ERTMS
The ERTMS is composed of two elements: (1) the European Train Control System (ETCS) for the signalling and (2) the GSM-R for the communication.

2.1 ETCS. The ETCS has a great variety of possible configurations in the signalling equipment used on existing or new lines. Because of this, ETCS has been conceived with several application levels: 0, NTC (national train control), which is the former STM (specific transmission module), 1, 2, and 3. The different ETCS levels are described next.

2.1.1 ETCS Level 0. ETCS level 0 covers the operation of ETCS-equipped trains on lines that are not equipped with ETCS or national systems. On these lines, lineside signals are used to give movement authorities to the trains. This level has been defined to ensure the proper transition between ETCS-equipped and nonequipped trains. The operation of this level is shown in Figure 1.

2.1.2 ETCS Level NTC. ETCS level NTC is used to run ETCS-equipped trains on lines equipped with national train control and speed supervision systems. The train control information that is generated trackside by the national train control system is transmitted to the train via the communication channels of the underlying national system and transformed onboard into information interpretable by ETCS. Depending on the functionality and the configuration of the specific national system installed onboard, the ERTMS/ETCS onboard system may need to be interfaced to it in order to perform the transitions from/to the national system and/or in order to give access to ERTMS/ETCS onboard resources. This can be achieved through a device called STM. The operation in this level is presented in Figure 2.

2.1.3 ETCS Level 1. In application level 1, ETCS is overlaid on the traditional signalling equipment. The train position is detected by the traditional trackside devices, which are linked to the interlocking through the Lineside Encoder Unit (LEU) interface. The interlocking is the wayside equipment control. Lineside signals are kept, and data is transmitted to the onboard equipment by means of Eurobalises, which are transponders placed between the rails of the railways. The operation of this level is shown in Figure 3.

2.1.4 ETCS Level 2. In application level 2, GSM-R radio is used to exchange data between the RBC and the trains. The EuroRadio protocol, which is based on a 3DES cryptographic system, is implemented in these communication channels. Movement authorities are sent to the trains via this channel, and, in addition, continuous speed supervision is performed. For this communication, the Base Transceiver Station (BTS) of the Control Centre communicates with the onboard unit (OBU) of the onboard equipment.

However, train detection is performed by the trackside equipment, so it is out of the scope of ERTMS/ETCS. In this level, lineside signals could be suppressed. The operation is described in Figure 4.

2.1.5 ETCS Level 3. Finally, operation level 3 is a radio-based train control system. Movement authorities are generated trackside and transmitted to the train via EuroRadio, as in level 2, but in this level train position detection is also performed by the trackside RBC. Eurobalises are just used for location referencing. Lineside signals could be suppressed in this level too. The operation is described in Figure 5.

2.2 GSM-R. During the course of their standardization activities, the UNISIG group realized that, in order to ensure security of the railways in GSM, certain spectrum bands needed to be allocated. However, GSM could not fulfil all the requirements needed for an efficient railway service, and therefore some specific functional features were added to the GSM specifications.
Figure 1: ETCS level 0 operation [9]. (Diagram labels: ETCS; end of track segment.)

Figure 2: ETCS level NTC operation, based on [9]. (Diagram labels: ETCS; STM; existing national system; optional, depending on national system; end of track segment.)

Figure 3: ETCS level 1 operation [9]. (Diagram labels: ETCS; Interlocking; LEU; Eurobalise; end of track segment.)

Figure 4: ETCS level 2 operation, based on [9]. (Diagram labels: ETCS; OBU; BTS; Radio Block Centre; Interlocking; Eurobalise; optional; end of track segment.)

Figure 5: ETCS level 3 operation [9]. (Diagram labels: ETCS; Interlocking; Eurobalise; Radio Block Centre; train integrity.)
The frequencies allocated in Europe for GSM-R are close to the GSM 900 band of the public operators. A 4 MHz spectrum with 19 frequencies is available for these communications.

In order to guarantee the confidentiality of the network, the A5/1 stream cipher is used in GSM (and GSM-R) networks. A stream cipher is a symmetric key cipher where plain-text digits are combined with a key stream.

2.3 Integrity and Authenticity in ERTMS. From the second ETCS level onwards, integrity and authenticity in ERTMS are accomplished with two different security mechanisms: A5/1 for GSM-R and EuroRadio for ETCS. This is the target level of our framework.

Regarding A5/1, even though the encryption system was initially kept secret, it became public knowledge through leaks and reverse engineering [2]. A number of serious weaknesses in the cipher were identified [10]. Hence, rainbow tables able to decrypt encrypted messages are available on the Internet.

On the other hand, the EuroRadio protocol uses 3DES keys to encrypt the messages [11]. The keys used in the communications (KTRANS, K-KMC, KMAC, and KSMAC) are created by the KMC entity, with the exception of the session key KSMAC. The KTRANS and K-KMC keys are transport keys used to ensure the safe distribution of the KMAC keys from the KMC to ERTMS entities. This distribution is made off-line, which means it requires personnel to manually deliver the messages.
The KMAC key is used in the session establishment process to negotiate the KSMAC session key between ERTMS entities. Three messages are exchanged between the ERTMS entities in this phase for the authentication of both entities and the key generation. In these messages, $R_A$ and $R_B$ random numbers are sent, which are used for computing the KSMAC key together with the KMAC key. Considering KSMAC $= K_S = K_{S1}, K_{S2}, K_{S3}$, the three 64-bit DES keys $K_{S1}$, $K_{S2}$, and $K_{S3}$ are calculated according to the following formulas:

$$
\begin{aligned}
K_{S1} &= \mathrm{MAC}(R_A^L \mid R_B^L, K_{AB}) = \mathrm{DES}(K_3, \mathrm{DES}^{-1}(K_2, \mathrm{DES}(K_1, R_A^L \mid R_B^L))), \\
K_{S2} &= \mathrm{MAC}(R_A^R \mid R_B^R, K_{AB}) = \mathrm{DES}(K_3, \mathrm{DES}^{-1}(K_2, \mathrm{DES}(K_1, R_A^R \mid R_B^R))), \\
K_{S3} &= \mathrm{MAC}(R_A^L \mid R_B^L, K'_{AB}) = \mathrm{DES}(K_1, \mathrm{DES}^{-1}(K_2, \mathrm{DES}(K_3, R_A^L \mid R_B^L))),
\end{aligned}
\tag{1}
$$

where $L$ means left and $R$ means right, and therefore $R_A = R_A^L \mid R_A^R$ and $R_B = R_B^L \mid R_B^R$.

The calling entity ($B$) creates an $R_B$ random number and sends it to the called entity ($A$) in plain text. Consequently, the $A$ entity creates an $R_A$ random number and computes the KSMAC key with both random numbers and the KMAC. Afterwards, the $A$ entity sends the created $R_A$ random number and a CBC-MAC code computed with the KSMAC and both random numbers to the $B$ entity. Finally, the $B$ entity computes the KSMAC key and verifies that it is correct, creating also a CBC-MAC with it, which is sent to the $A$ entity for the complete authentication. Random numbers are exchanged in plain text, and thus an attacker could save them.
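The derivation in equation (1), written out as an added Go example (not code from the article or from the EuroRadio specification). It assumes that $K_{AB}$ is the KMAC split as K1|K2|K3, that $R_A$ and $R_B$ are 8 bytes each with 4-byte halves, and that no parity adjustment is applied; all names and sample values are constructed.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"errors"
	"fmt"
)

// desOp runs one single-DES block operation under an 8-byte key.
func desOp(key, block []byte, decrypt bool) []byte {
	c, err := des.NewCipher(key)
	if err != nil {
		panic(err) // only reachable when the key is not 8 bytes long
	}
	out := make([]byte, des.BlockSize)
	if decrypt {
		c.Decrypt(out, block)
	} else {
		c.Encrypt(out, block)
	}
	return out
}

// ede returns DES(outer, DES^-1(middle, DES(inner, x))), the shape of equation (1).
func ede(outer, middle, inner, x []byte) []byte {
	return desOp(outer, desOp(middle, desOp(inner, x, false), true), false)
}

// halves builds R_A^L | R_B^L and R_A^R | R_B^R from two 8-byte nonces.
func halves(ra, rb []byte) (left, right []byte) {
	left = append(append([]byte{}, ra[:4]...), rb[:4]...)
	right = append(append([]byte{}, ra[4:]...), rb[4:]...)
	return left, right
}

// SessionKey holds the three 64-bit DES keys that make up KSMAC.
type SessionKey struct{ KS1, KS2, KS3 []byte }

// DeriveKSMAC applies equation (1). kmac is K1|K2|K3 (24 bytes); ra and rb are
// R_A and R_B, assumed here to be 8 bytes each and split into 4-byte halves.
func DeriveKSMAC(kmac, ra, rb []byte) (SessionKey, error) {
	if len(kmac) != 24 || len(ra) != 8 || len(rb) != 8 {
		return SessionKey{}, errors.New("want a 24-byte KMAC and 8-byte R_A, R_B")
	}
	k1, k2, k3 := kmac[0:8], kmac[8:16], kmac[16:24]
	left, right := halves(ra, rb)
	return SessionKey{
		KS1: ede(k3, k2, k1, left),  // K_AB: K1 is applied first
		KS2: ede(k3, k2, k1, right), // same keys, right halves
		KS3: ede(k1, k2, k3, left),  // K'_AB: K1 and K3 swap places
	}, nil
}

// MatchesLibrary3DES cross-checks equation (1) against the standard library's
// 3DES-EDE: K_S1 and K_S2 are encryptions under K1|K2|K3, K_S3 under K3|K2|K1.
func MatchesLibrary3DES(kmac, ra, rb []byte) bool {
	ks, err := DeriveKSMAC(kmac, ra, rb)
	if err != nil {
		return false
	}
	swapped := append(append(append([]byte{}, kmac[16:24]...), kmac[8:16]...), kmac[0:8]...)
	fwd, _ := des.NewTripleDESCipher(kmac)
	rev, _ := des.NewTripleDESCipher(swapped)
	enc := func(c cipher.Block, in []byte) []byte {
		out := make([]byte, des.BlockSize)
		c.Encrypt(out, in)
		return out
	}
	left, right := halves(ra, rb)
	return bytes.Equal(ks.KS1, enc(fwd, left)) &&
		bytes.Equal(ks.KS2, enc(fwd, right)) &&
		bytes.Equal(ks.KS3, enc(rev, left))
}

func main() {
	// Constructed sample values, not taken from any real system.
	kmac := []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
		0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01,
		0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23}
	rb := []byte{0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00} // sent in clear by B
	ra := []byte{0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88} // sent in clear by A
	ks, _ := DeriveKSMAC(kmac, ra, rb)
	fmt.Printf("KS1=%x KS2=%x KS3=%x\n", ks.KS1, ks.KS2, ks.KS3)
	fmt.Println("matches library 3DES-EDE:", MatchesLibrary3DES(kmac, ra, rb))
}
```

Because both nonces travel in clear, KMAC is the only secret input to this function, and $K_{S1}$ and $K_{S3}$ depend only on the left halves of the nonces.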
3 Related Work
Many research and innovation projects regarding cybersecurity in railways are being completed with funds from the European Union. Some of those projects are described in [12].

Different analyses of the security of the ERTMS protocol have also been done. These analyses have pointed out vulnerabilities in the ERTMS cryptographic mechanisms. A high-level security analysis of ERTMS is made in [13], but it does not present the vulnerabilities of the EuroRadio protocol that will be exploited with this framework. Different vulnerabilities of the EuroRadio protocol are pointed out in [3] by performing an analysis of it with the ProVerif tool. These vulnerabilities include, for instance, the ability to include high-priority messages or to delete messages, since the session establishment process does not use time-stamps, and therefore these messages could be replicated. In this case, once the session is established, the train does not verify the identity of the RBC anymore, so a vulnerability that could be exploited exists.

Additionally, [14] pointed out that, since the distribution of the KMAC key is made off-line and this requires personnel to manually deliver the keys from the KMC to the ERTMS entities, many operators decide to simplify the process by using the same KMAC for large train fleets, amplifying the risk of an attack. Therefore, if the attack is performed during the session establishment process and the same key is shared between different parties, the whole system could be compromised: an attacker could take the identity of many trains in other session establishments.

On the other hand, [15] pointed out the ability of making a key collision attack on DES, and [16] described how a Related-Key Attack (RKA) can be done in ERTMS. A method for doing these two attacks in ERTMS networks is presented in [17], which concludes that the EuroRadio protocol is not secure if large amounts of data and therefore long session lengths are used. Thus the Meet-in-the-Middle attack presented in this article could be more feasible.

However, all of these analyses present vulnerabilities of the protocols used in ERTMS but do not describe how these vulnerabilities could be exploited in order to later find countermeasures for them. This paper contributes by presenting a framework that describes how an attack could be performed and by determining whether it is feasible to do it in real time.
4 Proposed Method for Vulnerability Detection

In this section we present our framework and the method for vulnerability detection, describing also its limitations. Finally, the process we will follow to know whether an attack could be successful in real time is described.

4.1 Description of the Framework and Limitations. The scenario that this framework will consider is shown in Figure 6. The train normally connects to the Control Centre in order to receive movement authorities, but first the train sends a position report to the Control Centre.

In the scenario that we are considering, we force the train to connect to the malicious Control Centre instead of the real one, but before doing this we calculate the keys used in the communication between the train and the RBC with the attacker presented in Figure 7.
Once we have obtained the keys and forced the train to connect to our malicious Control Centre, the position report that the train sends will arrive at the malicious Control Centre. This position report is encrypted by different encryption systems at different levels, but at this point we have already obtained the keys used in the communication and therefore we are able to decrypt the message. Accordingly, we are able to change the position report and send it to the real Control Centre by taking the identity of the train. The Control Centre receives the fake message and creates a movement authority depending on the position report, which is sent to the train.

Figure 6: Scenario. (Diagram labels: Train; Control Center; USRP, Malicious Control Center.)

Figure 7: Framework. (Diagram labels: Malicious Control Centre with RBC (industrial PC), OpenBTS (SIPAuthServe, SMQueue, Asterisk), and USRP; Train with OBU (industrial PC), Modem, and SIM card; Attacker (eavesdropping) with TDT-SDR; Control Centre with RBC.)
The framework we have considered is described in Figure 7. It is composed of the malicious Control Centre, the train, an attacker that will eavesdrop, and the real Control Centre.

The malicious Control Centre is formed by the false RBC, which will be an industrial PC; the OpenBTS (Open Base Transceiver Station) software [18], which is composed of the SIPAuthServe, SMQueue, and Asterisk servers; and the USRP N210 Software Defined Radio (SDR) [19].

OpenBTS is a software-based GSM access point, allowing standard GSM-compatible mobile phones to be used as SIP endpoints in Voice over IP (VoIP) networks. The software controls the transceiver, makes calls, and sends SMSs. The SIPAuthServe is the server that processes SIP register requests that OpenBTS generates when a handset attempts to join the GSM network. It supports three types of authentication:
(i) AUTH type 2, unauthenticated. The handset is connected to the OpenBTS network but it does not exist in the register server.

(ii) AUTH type 1, cached authentication. The handset is connected to the network and it does exist in the register server, but a simple encryption method based on TMSI is used.

(iii) AUTH type 0, full authentication. The SIM card is fully authenticated in OpenBTS, and therefore the $K_i$ key is provided to the authentication server and used for the encryption. The $K_i$ is a 128-bit value used to authenticate the SIMs on a GSM mobile network. Each SIM holds a unique and secret $K_i$ assigned by the operator. This authentication method uses proper GSM encryption over the network.
The other servers in OpenBTS are SMQueue and Asterisk, as pointed out before. While SMQueue processes SIP message requests that OpenBTS generates when a handset sends an SMS, Asterisk is a VoIP switch responsible for handling SIP INVITE requests, establishing the individual legs of the call, and connecting them together [20].

The hardware part of the OpenBTS software is an SDR, the USRP N210 in our case, with two GSM antennas to create the network. The USRP N210 has been chosen because it supports GSM-R networks and provides high bandwidth and a high-dynamic-range processing capability.

The train in the framework will be simulated with a PC, a Modem, and a programmable SIM card. A programmable SIM card [21] is needed because it is necessary to know the $K_i$ key of the SIM card in order to get full authentication in OpenBTS and use GSM encryption over the network. The Modem will be used to connect the PC to the GSM network.

Finally, the attacker that will perform the eavesdropping attack in Figure 7 will be equipped with a TDT-SDR. It is an SDR that captures the traffic in the GSM network together with the Universal Radio Hacker (URH) software. With this SDR we will be able to investigate the wireless protocol, and with the rainbow tables we will be able to get the A5/1 keys used in the communication between the train and the real Control Centre. Thus, since the SIM card we use has a programmable $K_i$, we will be able to configure the same A5/1 key, and therefore, once we force the train to connect to the malicious Control Centre, we will be able to decrypt the sent messages.

As mentioned before, our framework is composed of OpenBTS and the USRP N210, and therefore, since we use the OpenBTS software, we are only able to create GSM-R and GPRS networks. In case railway networks evolve to LTE (Long Term Evolution) networks, we could use the OpenLTE open source project [22], but this project cannot be used on the USRP N210 hardware because of clock incompatibility reasons. Therefore, a sample rate conversion on the host would have to be done in the USRP.

4.2 Specification of the Procedure. The flow chart that this attack follows is described in Figure 8. As can be seen, after installing the framework we are able to get the data from the train to the real Control Centre. This traffic is ciphered by A5/1. Since we have the rainbow tables in the attacker performing the eavesdropping attack, we are able to decrypt the messages at GSM level.
The attack on the EuroRadio protocol will be performed against the DES KSMAC key and will be a Meet-in-the-Middle attack. In this attack all possible keys are tested.

Since all the messages that are exchanged between the train and the RBC in ERTMS are defined in [11], we assume that we are able to obtain a known plain-text and cipher-text pair $(P_1, C_1)$. The Meet-in-the-Middle (MTM) attack within ciphers like $C = \mathrm{DES}(K_1, \mathrm{DES}(K_2, P))$ works as follows.

We build a list containing the pair $(I_1, K_1)$ for every possible value of $K_1$, $2^{56}$ for DES. The $I_1$ values will be obtained by brute force: $I_1 = \mathrm{DES}(K_1, P_1)$.

On the other hand, we will obtain $I_2$ values by performing $I_2 = \mathrm{DES}^{-1}(K_2, C_1)$. This operation is performed until the $I_2$ value matches an $I_1$ value that is stored in the table.

In order to be sure that the computed keys are correct, it is possible to obtain another known plain-text and cipher-text pair $(P_2, C_2)$ and calculate $C = \mathrm{DES}(K_1, \mathrm{DES}(K_2, P_2))$. If $C$ and $C_2$ are equal, it means that we have found the correct keys.

In triple-DES systems, where there are three different keys, the ciphers work following the next relation:

$$C = \mathrm{DES}(K_1, \mathrm{DES}^{-1}(K_2, \mathrm{DES}(K_3, P))). \tag{2}$$

For the Meet-in-the-Middle attack in triple-DES with three different keys, we define $\mathrm{DES}(K_2, P) = \mathrm{DES}^{-1}(K_2, \mathrm{DES}(K_3, P))$, so we just need to apply this for the calculation of $I_1$.

The calculation of $I_1$ needs $2^{112}$ operations because it is a double application of DES, and on the other hand the calculation of $I_2$ needs $2^{56}$ operations. Thus the attack requires $2^{112} + 2^{56} \approx 2^{112}$ operations.
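The meet-in-the-middle procedure above for the two-layer case, as an added Go example that is not the authors' framework code. It runs on a deliberately reduced key space of 16 unknown bits per DES layer (the `toyBits` constant, the `toyKey` helper, and all sample values are constructed), and it names keys by position, inner being the key applied to the plain text first. It shows that the search costs about $2^{n+1}$ single-DES operations instead of $2^{2n}$, and that the second known pair is what confirms a candidate.

```go
package main

import (
	"crypto/des"
	"encoding/binary"
	"fmt"
)

// toyBits is the number of unknown bits per key in this demonstration.
// Single DES has 56; the search below scales as 2^(toyBits+1).
const toyBits = 16

// toyKey expands an index into an 8-byte DES key. Index bits go into the upper
// 7 bits of each byte because DES ignores the low (parity) bit of every key byte.
func toyKey(idx uint32) []byte {
	k := make([]byte, 8)
	for j := 0; j < 3; j++ {
		k[j] = byte((idx>>uint(7*j))&0x7f) << 1
	}
	return k
}

// desBlock encrypts or decrypts one 64-bit block with single DES.
func desBlock(key []byte, in uint64, decrypt bool) uint64 {
	c, err := des.NewCipher(key)
	if err != nil {
		panic(err)
	}
	var src, dst [8]byte
	binary.BigEndian.PutUint64(src[:], in)
	if decrypt {
		c.Decrypt(dst[:], src[:])
	} else {
		c.Encrypt(dst[:], src[:])
	}
	return binary.BigEndian.Uint64(dst[:])
}

// DoubleEncrypt computes C = DES(outer, DES(inner, P)).
func DoubleEncrypt(inner, outer uint32, p uint64) uint64 {
	return desBlock(toyKey(outer), desBlock(toyKey(inner), p, false), false)
}

// Result reports the confirmed key pair and the work that was needed.
type Result struct {
	Inner, Outer uint32
	Candidates   int // key pairs that matched on the first pair alone
	Ops          int // single-DES operations in the table and lookup phases
}

// MeetInTheMiddle tabulates DES(inner, P1) for every inner key, then decrypts
// C1 under every outer key and looks for a match in the table. Each match is
// confirmed against the second pair (P2, C2) before it is accepted.
func MeetInTheMiddle(p1, c1, p2, c2 uint64) (Result, bool) {
	n := uint32(1) << toyBits
	table := make(map[uint64][]uint32, n)
	var res Result
	for k := uint32(0); k < n; k++ {
		mid := desBlock(toyKey(k), p1, false)
		table[mid] = append(table[mid], k)
		res.Ops++
	}
	found := false
	for k := uint32(0); k < n; k++ {
		mid := desBlock(toyKey(k), c1, true)
		res.Ops++
		for _, inner := range table[mid] {
			res.Candidates++
			// At full scale about 2^112 / 2^64 = 2^48 pairs match on one
			// block by chance, so this confirmation step is not optional.
			if !found && DoubleEncrypt(inner, k, p2) == c2 {
				res.Inner, res.Outer, found = inner, k, true
			}
		}
	}
	return res, found
}

func main() {
	// Constructed known plain-text/cipher-text pairs under constructed toy keys.
	const inner, outer = 0x1234, 0xBEEF
	p1, p2 := uint64(0x0123456789abcdef), uint64(0x0f1e2d3c4b5a6978)
	c1, c2 := DoubleEncrypt(inner, outer, p1), DoubleEncrypt(inner, outer, p2)
	res, ok := MeetInTheMiddle(p1, c1, p2, c2)
	fmt.Printf("confirmed=%v inner=%#x outer=%#x ops=%d (exhaustive: %d)\n",
		ok, res.Inner, res.Outer, res.Ops, uint64(1)<<(2*toyBits))
}
```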
Afterwards, if we are able to calculate the three keys, we are going to obtain $K_S = (K_{S1}, K_{S2}, K_{S3})$; we need to calculate the time we need for performing the whole attack, as Figure 8 describes. With the measured time we know whether this attack could be performed in real time or not.
In case the attack can be performed in real time, that is, if all the keys are obtained during the operation of the train, these keys could be used to carry out different attacks that involve the identity theft of the train or the RBC. The attacker, for instance, could pass himself off as the RBC in order to send false movement authorities to the train. On the other hand, the attacker could also falsify the train's position control that is made by the RBC in ERTMS level 3 by sending false position information to the RBC while he impersonates the train. All this false information created by the attacker could lead to a collision between different trains.

The results obtained with the framework will help in looking for countermeasures, since acquiring the keys in real time means that the A5/1 and 3DES security mechanisms are not strong enough for railway environments. In consequence, those mechanisms should be reinforced or changed in order to continue using ERTMS systems in a secure manner. A possible countermeasure for the system could be to update the 3DES security mechanism to a more secure system such as AES, since AES uses larger block sizes and longer keys. Therefore, it will be more costly to perform the attack in real time. In fact, the 3DES key length is 112 or 156 bits, whereas in AES the length of the keys is variable: 128, 192, or 256 bits. However, the use of AES should first be evaluated by the framework presented in Figure 7.

Figure 8: Flow chart of the process. (Steps: Start; mount the framework; start to get data in the TDT-SDR; apply the rainbow tables to decrypt A5/1; perform an attack on the EuroRadio protocol; calculate the time needed to perform all the attacks; make conclusions; End. Decisions: able to decrypt A5/1; able to decrypt EuroRadio; able to do it in real time. Checks: verify whether the rainbow tables are correctly looked up; verify whether the attack is correctly done; verify whether the framework is correctly mounted.)
5 Conclusions and Future Work
Different vulnerabilities in the security mechanisms of the ERTMS system have been described in this article, but even if they are identified, without an attacking framework we do not know whether they are exploitable in practice or not. In consequence, the presented framework will give information about the exploitability of the A5/1 and 3DES security mechanisms and will therefore determine whether countermeasures should be applied to improve the security of the system. Moreover, the information resulting from the framework will constitute the basis of the countermeasures that should be applied to the system.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This research work was supported by the Spanish Government through the SAREMSIG TEC2013-47012-C2-1-R project, Proyectos de I+D+I, Retos Investigacion 2013, and by the Cyber Security on Rails project with Construcciones Auxiliar de Ferrocarriles Investigacion y Desarrollo SL, 2015-2016.
References
[1] U. P. Winter, Compendium on ERTMS, Eurail press, 2009.
[2] M. Kalenderi, D. Pnevmatikatos, I. Papaefstathiou, and C. Manifavas, "Breaking the GSM A5/1 cryptography algorithm with rainbow tables and high-end FPGAs," in Proceedings of the 22nd International Conference on Field Programmable Logic and Applications, FPL 2012, pp. 747–753, NOR, August 2012.
[3] R. J. T. Joeri de Ruiter and T. Chothia, "A formal security analysis of ERTMS train to trackside protocols," Reliability, Safety, and Security of Railway Systems - Modelling, Analysis, Verification, and Certification, pp. 53–68, 2016.
[4] UIC, "2005 UIC Code 518 OR: Testing and approval of railway vehicles from the point of view of their dynamic behaviour, safety, track fatigue, ride quality."
[5] A. Faivre, A. Lapitre, A. Lanusse, et al., "Two methods for modeling and verification of safety properties of railway infrastructures," in Proceedings of the International Conference on Industrial Engineering and Systems Management, IEEE IESM 2015, pp. 48–54, ESP, October 2015.
[6] M. Franekova, K. Rastocn, A. Janota, and P. Chrtiansky, "Safety analysis of cryptography mechanisms used in GSM for railway," Annals of the Faculty of Engineering Hunedoara, vol. 9, no. 1, p. 207, 2011.
[7] L. J. Valdivia, I. Adin, S. Arrizabalaga, J. Anorga, and J. Mendizabal, "Cybersecurity-The Forgotten Issue in Railways: Security Can Be Woven into Safety Designs," IEEE Vehicular Technology Magazine, vol. 13, no. 1, pp. 48–55, 2018.
[8] G. Hatzivasilis, I. Papaefstathiou, and C. Manifavas, "Real-time management of railway CPS secure administration of IoT and CPS infrastructure," in Proceedings of the 6th Mediterranean Conference on Embedded Computing, MECO 2017, MNE, June 2017.
[9] U. SUBSET-026-2, "ERTMS/ETCS system requirements specification, chapter 2: basic system description," Tech. Rep., 2014.
[10] C. Manifavas, G. Hatzivasilis, K. Fysarakis, and Y. Papaefstathiou, "A survey of lightweight stream ciphers for embedded systems," Security and Communication Networks, vol. 9, no. 10, pp. 1226–1246, 2016.
[11] U. SUBSET-037, ERTMS/ETCS EuroRadio FIS, Tech. Rep.
[12] E. Masson and C. Gransart, "Cyber Security for Railways – A Huge Challenge – Shift2Rail Perspective," in Proceedings of the Communication Technologies for Vehicles, 12th International Workshop, Nets4Cars/Nets4Trains/Nets4Aircraft '17, pp. 97–104, Toulouse, France.
[13] R. B. I. Gashi, R. Bloomflied, and R. Stroud, "How secure is ERTMS? Computer Safety, Reliability, and Security, SAFECOMP 2012 Workshops," in Proceedings of the SAFECOMP 2012 Workshops: Sassur, ASCoMS, DESEC4LCCI, ERCIM/EWICS, IWDE, pp. 247–258, Magdeburg, Germany, 2012.
[14] I. Lopez and M. Aguado, "Cyber security analysis of the European train control system," IEEE Communications Magazine, vol. 53, no. 10, pp. 110–116, 2015.
[15] E. Biham, "How to forge DES-encrypted messages in $2^{28}$ steps," Tech. Rep., Technion Computer Science Department, 1996.
[16] F. Pepin and M. G. Vigliotti, "Risk assessment of the 3DES in ERTMS," Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Preface, vol. 9707, pp. 79–92, 2016.
[17] T. Chothia, M. Ordean, J. De Ruiter, and R. J. Thomas, "An Attack against message authentication in the ERTMS train to trackside communication protocols," in Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security, ASIA CCS 2017, pp. 743–756, ARE, April 2017.
[18] R. Networks, "Openbts," 2018, http://openbts.org.
[19] E. Research, "Usrp n210," 2018, http://www.ettus.com/product/details/UN210-KIT.
[20] Digium, "Asterisk," http://www.asterisk.org.
[21] Sysmocom, "sysmousim-sjs1 sim card," 2018, http://www.sysmocom.de/products/sysmousim-sjs1-sim-usim.
[22] "Openlte," 2018, http://sourceforge.net/p/openlte/wiki/Installing.
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
Security and Communication Networks 3
ETCS
end of track segment
Figure 1 ETCS level 0 operation [9]
ETCS
end of track segment
STM
existing national system
Optionaldepending onnationalsystem
Figure 2 ETCS level NTC operation based on [9]
ETCS
Interlocking
Eurobalise end of track segment
LEU
Figure 3 ETCS level 1 operation [9]
4 Security and Communication Networks
ETCS
OBU
BTS
Radio Block Centre
Interlocking
Eurobalise end of track segment
Optional
Figure 4 ETCS level 2 operation based on [9]
ETCS
Interlocking
Eurobalise
Radio Block Centre
trainintegrity
Figure 5 ETCS level 3 operation [9]
The frequencies allocated in Europe for GSM-R areclose to the GSM 900 band of the public operators A4MHz spectrum with 19 frequencies is available for thesecommunications
In order to guarantee the confidentiality of the networkthe A51 stream cipher is used in GSM (and GSM-R)networks A stream cipher is a symmetric key cipher whereplain-text digits are combined with a key stream
23 Integrity and Authenticity in ERTMS From the secondlevel ETCS integrity and authenticity in ERTMS are accom-plished with two different security mechanisms A51 forGSM-R and EuroRadio for ETCS This is the target level ofour framework
Regarding A51 even if at the beginning the encryptionsystem was kept in secret it became public knowledgethrough leaks and reverse engineering [2] A number of
Security and Communication Networks 5
serious weaknesses in the cipher were identified [10] Hencerainbow tables able to decrypt encrypted messages are avail-able on the Internet
On the other hand the EuroRadio protocol uses 3DESkeys to encrypt the messages [11] The keys used in the com-munications (KTRANS K-KMC KMAC and KSMAC) arecreated by the KMC entity with the exception of the sessionkey KSMAC The KTRANS and K-KMC keys are transportkeys used to ensure the safe distribution of the KMAC keysfrom the KMC to ERTMS entities This distribution is madeoff-line this means it requires personnel to manually deliverthe messages
The KMAC key is used in the session establishmentprocess to negotiate the KSMAC session key between ERTMSentities Three messages are exchanged between the ERTMSentities in this phase for the authentication of both entitiesand the key generation In thesemessages119877
119860and119877
119861random
numbers are sent which are used for computing the KSMACkey together with the KMAC key Considering KSMAC =119870119878= 1198701198781 1198701198782 1198701198783 the three 64-bit DES keys 119870
1198781 1198701198782 and
1198701198783are calculated according to the following formulas
1198701198781= MAC (119877
119860
119871 | 119877119861
119871 119870119860119861)
= DES (1198703DES
minus1 (1198702DES (1198701 119877119860119871 | 119877119861
119871)))
1198701198782= MAC (119877
119860
119877 | 119877119861
119877 119870119860119861)
= DES (1198703DES
minus1 (1198702DES (1198701 119877119860119877 | 119877119861
119877)))
1198701198783= MAC (119877
119860
119871 | 119877119861
119871 1198701015840119860119861)
= DES (1198701DESminus1 (119870
2DES (119870
3 119877119860
119871 | 119877119861
119871)))
(1)
where 119871 means left and 119877 means right and therefore 119877119860=
119877119860
119871 | 119877119860
119877 and 119877119861= 119877119861
119871 | 119877119861
119877The calling entity (119861) creates a 119877
119861random number and
sends it to the called entity (119860) in plain text Consequentlythe 119860 entity creates a 119877
119860random number and computes the
KSMAC key with both random numbers and the KMACAfterwards the 119860 entity sends the created 119877
119860random
number and a CBC-MAC code computed with the KSMACand both random numbers to the 119861 entity Finally the 119861entity computes the KSMAC key and verifies that it is correctcreating also a CBC-MAC with it which is sent to the 119860entity for the complete authentication Random numbers areexchanged in plain text and thus an attacker could savethem
3 Related Work
A lot of research and innovation projects are being completed with the funds of the European Union regarding cybersecurity in railways. Some of those projects are described in [12].
Different analyses of the security of the ERTMS protocols have also been done. These analyses have pointed out vulnerabilities in the ERTMS cryptographic mechanisms. A high-level security analysis of ERTMS is made in [13], but it does not present the vulnerabilities of the EuroRadio protocol that will be exploited with this framework. Different vulnerabilities of the EuroRadio protocol are pointed out in [3] by performing an analysis of it with the ProVerif tool. These vulnerabilities include, for instance, the ability to include high-priority messages or delete messages, since the session establishment process does not use time-stamps and therefore these messages could be replicated. In this case, once the session is established, the train does not verify the identity of the RBC anymore, so a vulnerability that could be exploited exists.
Additionally, [14] pointed out that, since the distribution of the KMAC key is made off-line and this requires personnel to manually deliver the keys from the KMC to the ERTMS entities, many operators decide to simplify the process by using the same KMAC for large train fleets, amplifying the risk of an attack. Therefore, if the attack is performed during the session establishment process and the same key is shared between different parties, the whole system could be compromised: an attacker could take the identity of many trains in other session establishments.
On the other hand, [15] pointed out the ability to mount a key collision attack on DES, and [16] described how a Related-Key Attack (RKA) can be done in ERTMS. A method for doing these two attacks in ERTMS networks is presented in [17], which concludes that the EuroRadio protocol is not secure if large amounts of data and therefore long session lengths are used. Thus, the Meet-in-the-Middle attack presented in this article could be more feasible.
However, all of these analyses present vulnerabilities of the protocols used in ERTMS but do not describe how these vulnerabilities could be exploited in order to later find countermeasures for them. This paper will contribute by presenting a framework that describes how an attack could be performed and by determining whether it is feasible to do it in real time.
4 Proposed Method for Vulnerability Detection
In this section we present our framework and the method for vulnerability detection, describing also its limitations. Finally, the process we will follow to know if an attack could be successful in real time is described.
4.1 Description of the Framework and Limitations. The scenario that this framework will consider is shown in Figure 6. The train normally connects to the Control Centre in order to receive movement authorities, but first the train sends a position report to the Control Centre.
In the scenario that we are considering, we force the train to connect to the malicious Control Centre instead of the real one, but before doing this we calculate the keys used in the communication between the train and the RBC with the attacker presented in Figure 7.
Once we have obtained the keys and forced the train to connect to our malicious Control Centre, the position report that the train sends will arrive at the malicious Control Centre. This position report is encrypted by different encryption systems at different levels, but at this point we have already obtained the keys used in the communication and therefore we are able to decrypt the message. Accordingly, we are able to change the position report and send it to the real Control Centre by taking the identity of the train. The Control Centre receives the fake message and creates a movement authority depending on the position report, which is sent to the train.
[Figure 6: Scenario. Train, Control Centre, and USRP-based malicious Control Centre.]
[Figure 7: Framework. Malicious Control Centre: RBC (industrial PC), OpenBTS (SIPAuthServe, SMQueue, Asterisk), USRP. Train: OBU (industrial PC), modem, SIM card. Attacker (eavesdropping): TDT-SDR. Control Centre: RBC.]
The framework we have considered is described in Figure 7. It is composed of the malicious Control Centre, the train, an attacker that will eavesdrop, and the real Control Centre.
The malicious Control Centre is formed by the false RBC, which will be an industrial PC; the OpenBTS (Open Base Transceiver Station) software [18], which is composed of the SIPAuthServe, SMQueue, and Asterisk servers; and the USRP N210 Software Defined Radio (SDR) [19].
OpenBTS is a software-based GSM access point, allowing standard GSM-compatible mobile phones to be used as SIP endpoints in Voice over IP (VoIP) networks. The software controls the transceiver, makes calls, and sends SMSs. SIPAuthServe is the server that processes the SIP register requests that OpenBTS generates when a handset attempts to join the GSM network. It supports three types of authentication:
(i) AUTH type 2, unauthenticated. The handset is connected to the OpenBTS network, but it does not exist in the register server.
(ii) AUTH type 1, cached authentication. The handset is connected to the network and it does exist in the register server, but a simple encryption method based on TMSI is used.
(iii) AUTH type 0, full authentication. The SIM card is fully authenticated in OpenBTS, and therefore the $K_i$ key is provided to the authentication server and used for the encryption. The $K_i$ is a 128-bit value used to authenticate the SIMs on a GSM mobile network. Each SIM holds a unique and secret $K_i$ assigned by the operator. This authentication method uses proper GSM encryption over the network.
The other servers in OpenBTS are SMQueue and Asterisk, as has been pointed out before. While SMQueue processes the SIP message requests that OpenBTS generates when a handset sends an SMS, Asterisk is a VoIP switch responsible for handling SIP INVITE requests, establishing the individual legs of the call, and connecting them together [20].
The hardware part of the OpenBTS software is an SDR, a USRP N210 in our case, with two GSM antennas to create the network. The USRP N210 has been chosen because it supports GSM-R networks and provides high bandwidth and a high-dynamic-range processing capability.
The train in the framework will be simulated with a PC, a modem, and a programmable SIM card. A programmable SIM card [21] is needed because it is necessary to know the $K_i$ key of the SIM card in order to get full authentication in OpenBTS and use GSM encryption over the network. The modem will be used to connect the PC to the GSM network.
Finally, the attacker that will perform the eavesdropping attack in Figure 7 will be equipped with a TDT-SDR. It is an SDR that captures the traffic in the GSM network together with the Universal Radio Hacker (URH) software. With this SDR we will be able to investigate the wireless protocol, and with the rainbow tables we will be able to get the A5/1 keys used in the communication between the train and the real Control Centre. Thus, since the SIM card we use has a programmable $K_i$, we will be able to configure the same A5/1 key, and therefore, once we force the train to connect to the malicious Control Centre, we will be able to decrypt the sent messages.
As mentioned before, our framework is composed of OpenBTS and the USRP N210, and therefore, since we use the OpenBTS software, we are only able to create GSM-R and GPRS networks. If railway networks evolve to LTE (Long Term Evolution), we could use the OpenLTE open source project [22], but this project cannot be used on the USRP N210 hardware because of clock incompatibility. Therefore, a sample rate conversion on the host would have to be done in the USRP.
4.2 Specification of the Procedure. The flow chart that this attack follows is described in Figure 8. As can be seen, after installing the framework we are able to get the data from the train to the real Control Centre. This traffic is ciphered by A5/1. Since we have the rainbow tables in the attacker performing the eavesdropping attack, we are able to decrypt the messages at GSM level.
The attack on the EuroRadio protocol will be performed against the DES KSMAC key and will be a Meet-in-the-Middle attack. In this attack all possible keys are tested.
Since all the messages that are exchanged between the train and the RBC in ERTMS are defined in [11], we assume that we are able to obtain a known plain-text and cipher-text pair $(P_1, C_1)$. The Meet-in-the-Middle (MTM) attack in ciphers like $C = \mathrm{DES}(K_1, \mathrm{DES}(K_2, P))$ works as follows.
We build a list containing the pair $(I_1, K_1)$ for every possible value of $K_1$, $2^{56}$ for DES. The $I_1$ values will be obtained by brute force: $I_1 = \mathrm{DES}(K_1, P_1)$.
On the other hand, we will obtain $I_2$ values by performing $I_2 = \mathrm{DES}^{-1}(K_2, C_1)$. This operation is performed until the $I_2$ value matches an $I_1$ value that is stored in the table.
In order to be sure that the computed keys are correct, it is possible to obtain another known plain-text and cipher-text pair $(P_2, C_2)$ and calculate $C = \mathrm{DES}(K_1, \mathrm{DES}(K_2, P_2))$. If $C$ and $C_2$ are equal, it means that we have found the correct keys.
In triple-DES systems where there are three different keys, the ciphers work following the next relation:
$$C = \mathrm{DES}(K_1, \mathrm{DES}^{-1}(K_2, \mathrm{DES}(K_3, P))) \tag{2}$$
For the Meet-in-the-Middle attack in triple-DES with three different keys, we define $\mathrm{DES}(K_2, P) = \mathrm{DES}^{-1}(K_2, \mathrm{DES}(K_3, P))$, so we just need to apply this for the calculation of $I_1$.
The calculation of $I_1$ needs $2^{112}$ operations because it is a double application of DES, and on the other hand the calculation of $I_2$ needs $2^{56}$ operations. Thus, the attack requires $2^{112} + 2^{56} \approx 2^{112}$ operations.
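The table-and-match procedure and the second-pair check described above, as an added example (not code from the article). It runs on a constructed 16-bit toy Feistel cipher with 12-bit keys, a stand-in for DES chosen only so that the search finishes instantly, and `mitm_cost` reproduces the operation count quoted for triple DES. The names `k_first` (the key applied to the plain text and tabulated) and `k_second` (the key removed from the cipher text) are this example's own.

```python
import math
from collections import defaultdict

KEY_BITS = 12  # toy key size (assumption); DES would be 56
ROUNDS = 4


def _round_keys(key: int) -> list:
    # Toy key schedule: overlapping 8-bit windows of the 12-bit key.
    return [((key >> (2 * (i % 3))) ^ (0x5A * i)) & 0xFF for i in range(ROUNDS)]


def _f(half: int, rk: int) -> int:
    # Toy 8-bit round function: key mixing, affine step, rotate left by 3.
    x = (((half ^ rk) * 0x1D) + 0x3B) & 0xFF
    return ((x << 3) | (x >> 5)) & 0xFF


def toy_encrypt(key: int, block: int) -> int:
    left, right = block >> 8, block & 0xFF
    for rk in _round_keys(key):
        left, right = right, left ^ _f(right, rk)
    return (left << 8) | right


def toy_decrypt(key: int, block: int) -> int:
    left, right = block >> 8, block & 0xFF
    for rk in reversed(_round_keys(key)):
        left, right = right ^ _f(left, rk), left
    return (left << 8) | right


def double_encrypt(k_first: int, k_second: int, plain: int) -> int:
    return toy_encrypt(k_second, toy_encrypt(k_first, plain))


def meet_in_the_middle(pairs: list) -> tuple:
    """Return (candidates, confirmed, cipher_operations) for known pairs.

    The first (plain, cipher) pair drives the table and the match; any
    further pairs are used only to discard false matches.
    """
    (p1, c1), extra = pairs[0], pairs[1:]
    ops = 0
    table = defaultdict(list)  # intermediate value -> keys producing it
    for k in range(1 << KEY_BITS):
        table[toy_encrypt(k, p1)].append(k)
        ops += 1
    candidates = []
    for k in range(1 << KEY_BITS):
        middle = toy_decrypt(k, c1)
        ops += 1
        candidates.extend((kf, k) for kf in table.get(middle, ()))
    confirmed = [
        (kf, ks) for kf, ks in candidates
        if all(double_encrypt(kf, ks, p) == c for p, c in extra)
    ]
    return candidates, confirmed, ops


def mitm_cost(table_side_bits: int, search_side_bits: int) -> int:
    """Cipher operations for a meet-in-the-middle split of the key bits."""
    return (1 << table_side_bits) + (1 << search_side_bits)


if __name__ == "__main__":
    k_first, k_second = 0x3A7, 0xC51  # constructed sample keys
    pairs = [(p, double_encrypt(k_first, k_second, p)) for p in (0x1234, 0xBEEF)]
    candidates, confirmed, ops = meet_in_the_middle(pairs)
    print("matches after one pair:", len(candidates))
    print("left after second pair:", len(confirmed))
    print("operations:", ops, "versus exhaustive search:", 1 << (2 * KEY_BITS))
    print("3DES split, log2 of cost:", math.log2(mitm_cost(112, 56)))
```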
Afterwards, if we are able to calculate the three keys, we are going to obtain $K_S = (K_{S1}, K_{S2}, K_{S3})$; we then need to calculate the time needed to perform the whole attack, as Figure 8 describes. With the measured time we know whether this attack could be performed in real time or not.
In the case that the attack can be performed in real time, that is, if all the keys are obtained during the operation of the train, these keys could be used to carry out different attacks that involve the identity theft of the train or the RBC. The attacker, for instance, could pass himself off as the RBC in order to send false movement authorities to the train. On the other hand, the attacker could also falsify the train's position control that is made by the RBC in ERTMS level 3 by sending false position information to the RBC while he impersonates the train. All this false information created by the attacker could lead to a collision between different trains.
The results obtained with the framework will help in looking for countermeasures, since acquiring the keys in real time means that the A5/1 and 3DES security mechanisms are not strong enough for railway environments. In consequence, those mechanisms should be strengthened or changed in order to continue using ERTMS systems in a secure manner. A possible countermeasure for the system could be to update the 3DES security mechanism to a more secure system such as AES, since AES uses larger block sizes and longer keys. Therefore, it will be more costly to perform the attack in real time. In fact, the 3DES key length is 112 or 156 bits, whereas in AES the length of the keys is variable: 128, 192, or 256 bits. However, the use of AES should first be evaluated by the framework presented in Figure 7.
[Figure 8: Flow chart of the process.]
5 Conclusions and Future Work
Different vulnerabilities in the security mechanisms of the ERTMS system have been described in this article, but even if they are identified, without an attacking framework we do not know whether they are exploitable in practice or not. In consequence, the presented framework will give information about the exploitability of the A5/1 and 3DES security mechanisms and therefore will determine whether countermeasures should be applied to improve the security of the system. Moreover, the resulting information of the framework will constitute the basis of the countermeasures that should be applied to the system.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Acknowledgments
This research work was supported by the Spanish Government through the SAREMSIG TEC2013-47012-C2-1-R project (Proyectos de I+D+I, Retos Investigacion 2013) and by the Cyber Security on Rails project with Construcciones Auxiliar de Ferrocarriles Investigacion y Desarrollo SL, 2015-2016.
References
[1] U. P. Winter, Compendium on ERTMS, Eurail Press, 2009.
[2] M. Kalenderi, D. Pnevmatikatos, I. Papaefstathiou, and C. Manifavas, "Breaking the GSM A5/1 cryptography algorithm with rainbow tables and high-end FPGAs," in Proceedings of the 22nd International Conference on Field Programmable Logic and Applications, FPL 2012, pp. 747-753, Norway, August 2012.
[3] R. J. T. Joeri de Ruiter and T. Chothia, "A formal security analysis of ERTMS train to trackside protocols," Reliability, Safety, and Security of Railway Systems - Modelling, Analysis, Verification, and Certification, pp. 53-68, 2016.
[4] UIC, "2005 UIC Code 518 OR: Testing and approval of railway vehicles from the point of view of their dynamic behaviour, safety, track fatigue, ride quality."
[5] A. Faivre, A. Lapitre, A. Lanusse et al., "Two methods for modeling and verification of safety properties of railway infrastructures," in Proceedings of the International Conference on Industrial Engineering and Systems Management, IEEE IESM 2015, pp. 48-54, Spain, October 2015.
[6] M. Franekova, K. Rastocn, A. Janota, and P. Chrtiansky, "Safety analysis of cryptography mechanisms used in GSM for railway," Annals of the Faculty of Engineering Hunedoara, vol. 9, no. 1, p. 207, 2011.
[7] L. J. Valdivia, I. Adin, S. Arrizabalaga, J. Anorga, and J. Mendizabal, "Cybersecurity-The Forgotten Issue in Railways: Security Can Be Woven into Safety Designs," IEEE Vehicular Technology Magazine, vol. 13, no. 1, pp. 48-55, 2018.
[8] G. Hatzivasilis, I. Papaefstathiou, and C. Manifavas, "Real-time management of railway CPS secure administration of IoT and CPS infrastructure," in Proceedings of the 6th Mediterranean Conference on Embedded Computing, MECO 2017, Montenegro, June 2017.
[9] U. SUBSET-026-2, "ERTMS/ETCS system requirements specification, chapter 2: basic system description," Tech. Rep., 2014.
[10] C. Manifavas, G. Hatzivasilis, K. Fysarakis, and Y. Papaefstathiou, "A survey of lightweight stream ciphers for embedded systems," Security and Communication Networks, vol. 9, no. 10, pp. 1226-1246, 2016.
[11] U. SUBSET-037, ERTMS/ETCS EuroRadio FIS, Tech. Rep.
[12] E. Masson and C. Gransart, "Cyber Security for Railways - A Huge Challenge - Shift2Rail Perspective," in Proceedings of the Communication Technologies for Vehicles: 12th International Workshop, Nets4Cars/Nets4Trains/Nets4Aircraft '17, pp. 97-104, Toulouse, France.
[13] R. B. I. Gashi, R. Bloomfield, and R. Stroud, "How secure is ERTMS? Computer Safety, Reliability, and Security: SAFECOMP 2012 Workshops," in Proceedings of the SAFECOMP 2012 Workshops: Sassur, ASCoMS, DESEC4LCCI, ERCIM/EWICS, IWDE, pp. 247-258, Magdeburg, Germany, 2012.
[14] I. Lopez and M. Aguado, "Cyber security analysis of the European train control system," IEEE Communications Magazine, vol. 53, no. 10, pp. 110-116, 2015.
[15] E. Biham, "How to forge DES-encrypted messages in 2^28 steps," Tech. Rep., Technion Computer Science Department, 1996.
[16] F. Pepin and M. G. Vigliotti, "Risk assessment of the 3DES in ERTMS," Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics): Preface, vol. 9707, pp. 79-92, 2016.
[17] T. Chothia, M. Ordean, J. De Ruiter, and R. J. Thomas, "An Attack against message authentication in the ERTMS train to trackside communication protocols," in Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security, ASIA CCS 2017, pp. 743-756, UAE, April 2017.
[18] R. Networks, "OpenBTS," 2018, http://openbts.org.
[19] E. Research, "USRP N210," 2018, http://www.ettus.com/product/details/UN210-KIT.
[20] Digium, "Asterisk," http://www.asterisk.org.
[21] Sysmocom, "sysmoUSIM-SJS1 SIM card," 2018, http://www.sysmocom.de/products/sysmousim-sjs1-sim-usim.
[22] "OpenLTE," 2018, http://sourceforge.net/p/openlte/wiki/Installing.
[Figure 4: ETCS level 2 operation, based on [9]. Labels: ETCS, OBU, BTS, Radio Block Centre, Interlocking, Eurobalise end of track segment, Optional.]
[Figure 5: ETCS level 3 operation [9]. Labels: ETCS, Interlocking, Eurobalise, Radio Block Centre, train integrity.]
The frequencies allocated in Europe for GSM-R are close to the GSM 900 band of the public operators. A 4 MHz spectrum with 19 frequencies is available for these communications.
In order to guarantee the confidentiality of the network, the A5/1 stream cipher is used in GSM (and GSM-R) networks. A stream cipher is a symmetric key cipher where plain-text digits are combined with a key stream.
2.3 Integrity and Authenticity in ERTMS. From the second ETCS level, integrity and authenticity in ERTMS are accomplished with two different security mechanisms: A5/1 for GSM-R and EuroRadio for ETCS. This is the target level of our framework.
Regarding A5/1, even if at the beginning the encryption system was kept secret, it became public knowledge through leaks and reverse engineering [2]. A number of serious weaknesses in the cipher were identified [10]. Hence, rainbow tables able to decrypt encrypted messages are available on the Internet.
On the other hand the EuroRadio protocol uses 3DESkeys to encrypt the messages [11] The keys used in the com-munications (KTRANS K-KMC KMAC and KSMAC) arecreated by the KMC entity with the exception of the sessionkey KSMAC The KTRANS and K-KMC keys are transportkeys used to ensure the safe distribution of the KMAC keysfrom the KMC to ERTMS entities This distribution is madeoff-line this means it requires personnel to manually deliverthe messages
The KMAC key is used in the session establishmentprocess to negotiate the KSMAC session key between ERTMSentities Three messages are exchanged between the ERTMSentities in this phase for the authentication of both entitiesand the key generation In thesemessages119877
119860and119877
119861random
numbers are sent which are used for computing the KSMACkey together with the KMAC key Considering KSMAC =119870119878= 1198701198781 1198701198782 1198701198783 the three 64-bit DES keys 119870
1198781 1198701198782 and
1198701198783are calculated according to the following formulas
1198701198781= MAC (119877
119860
119871 | 119877119861
119871 119870119860119861)
= DES (1198703DES
minus1 (1198702DES (1198701 119877119860119871 | 119877119861
119871)))
1198701198782= MAC (119877
119860
119877 | 119877119861
119877 119870119860119861)
= DES (1198703DES
minus1 (1198702DES (1198701 119877119860119877 | 119877119861
119877)))
1198701198783= MAC (119877
119860
119871 | 119877119861
119871 1198701015840119860119861)
= DES (1198701DESminus1 (119870
2DES (119870
3 119877119860
119871 | 119877119861
119871)))
(1)
where 119871 means left and 119877 means right and therefore 119877119860=
119877119860
119871 | 119877119860
119877 and 119877119861= 119877119861
119871 | 119877119861
119877The calling entity (119861) creates a 119877
119861random number and
sends it to the called entity (119860) in plain text Consequentlythe 119860 entity creates a 119877
119860random number and computes the
KSMAC key with both random numbers and the KMACAfterwards the 119860 entity sends the created 119877
119860random
number and a CBC-MAC code computed with the KSMACand both random numbers to the 119861 entity Finally the 119861entity computes the KSMAC key and verifies that it is correctcreating also a CBC-MAC with it which is sent to the 119860entity for the complete authentication Random numbers areexchanged in plain text and thus an attacker could savethem
3 Related Work
A lot of research and innovation projects are being completedwith the funds of the European Union regarding the cyber-security in railways Some of those projects are described in[12]
Different analyses of the ERTMS protocolrsquos security havealso been done These analyses have pointed out vulner-abilities that the ERTMS cryptographic mechanisms haveA high-level security analysis of ERTMS is made in [13]
but does not present the vulnerabilities of the EuroRadioprotocol that will be exploited with this framework Differentvulnerabilities of the EuroRadio protocol are pointed outin [3] by performing an analysis of it with the ProVeriftool These vulnerabilities include for instance the abilityof including high-priority messages or deletion of messagessince the session establishment process does not use time-stamps and therefore these messages could be replicated Inthis case once the session is established the train does notverify the identity of the RBC anymore so a vulnerability thatcould be exploited exists
Additionally [14] pointed out that since the distribu-tion of the KMAC key is made off-line and this requirespersonnel to manually deliver the keys from the KMC tothe ERTMS entities many operators decide to simplify theprocess by using the same KMAC for large train fleetsamplifying the risk of having an attack Therefore if theattack is performed during the session establishment processand the same key is shared between different parties thewhole system could be compromised an attacker couldtake the identity of many trains in other session establish-ments
On the other hand [15] pointed out the ability ofmaking akey collision attack to DES and [16] described how a Related-Key Attack (RKA) can be done in ERTMS A method fordoing these two attacks in ERTMS networks is presented in[17] and concludes that the EuroRadio protocol is not secureif large amounts of data and therefore long session lengthsare used Thus the Meet-in-the-Middle attack presented inthis article could be more feasible
However all of these analyses present vulnerabilities ofthe protocols used in ERTMS but do not describe howthese vulnerabilities could be exploited in order to later findcountermeasures for those vulnerabilities This paper willcontribute by presenting a framework that describes how anattack could be performed and figuring out if it is feasible todo it in real time
4 Proposed Method forVulnerability Detection
In this section we present our framework and themethod forvulnerability detection describing also its limitations Finallythe process we will follow to know if an attack could besuccessful in real time is described
41 Description of the Framework and Limitations The sce-nario that this framework will consider is shown in Figure 6The train is used to connect to the Control Centre in orderto receive movement authorities but first the train sends aposition report to the Control Centre
In the scenario that we are considering we force the trainto connect to the malicious Control Centre instead of thereal one but before doing this we calculate the keys used inthe communication between the train and the RBC with theattacker presented in Figure 7
Once we have gotten the keys and forced the train toconnect to our malicious Control Centre the position report
6 Security and Communication Networks
TrainControl Center
USRP ndash MaliciousControl Center
Figure 6 Scenario
RBC(industrial PC) OpenBTS
SIPAuthServe SMQueue Asterix
USRP Modem
SIM Card
OBU(industrial PC)
TDT-SDR
Malicious Control Centre
Train
Attacker(eavesdropping)
RBC
Control Centre
Figure 7 Framework
that the train sends will arrive to the malicious Control Cen-tre This position report is encrypted by different encryptionsystems in different levels but in this point we have alreadyobtained the keys used in the communication and thereforewe are able to decrypt the message Accordingly we are ableto change the position report and send it to the real ControlCentre by taking the identity of the trainTheControl Centrereceives the fake message and creates a movement authoritydepending on the position report which is sent to the train
The framework we have considered is described in Fig-ure 7 It is composed of the malicious Control Centre thetrain an attacker that will eavesdrop and the real ControlCentre
Themalicious Control Centre is formed by the false RBCwhich will be an industrial PC the OpenBTS (Open BaseTransceiver Station) software [18] which is composed of the
SIPAuthServe SMQueue and Asterix servers and the USRPN210 Software Defined Radio (SDR) [19]
The OpenBTS is a software-based GSM access pointallowing standard GSM-compatible mobile phones to beused as SIP endpoints in Voice over IP (VoIP) networksThe software controls the transceiver makes calls and sendsSMSs The SIPAuthServe is the server that processes SIPregister requests that OpenBTS generates when a handsetattempts to join the GSM network It supports three types ofauthentication
(i) AUTH type 2 unauthenticated The handset is con-nected to the OpenBTS network but it does not existin the register server
(ii) AUTH type 1 cached authentication The handset isconnected to the network and it does exist in the
Security and Communication Networks 7
register server but a simple encryptionmethod basedon TMSI is used
(iii) AUTH type 0 full authentication The SIM card isfull authenticated in OpenBTS and therefore 119870
119894 keyis provided to the authentication server and usedfor the encryption The 119870119894 is a 128-bit value usedto authenticate the SIMs on a GSM mobile networkEach SIM holds a unique and secret Ki assigned bythe operatorThis authentication method uses properGSM encryption over the network
The other servers in OpenBTS are SMQueue and Aster-isk as it has been pointed out before While the SMQueueprocesses SIP message requests that OpenBTS generateswhen a handset sends an SMS Asterisk is a VoIP switchresponsible for handling SIP INVITE requests establishingthe individual logs of the call and connecting them together[20]
The hardware part of the OpenBTS software is a SDRUSRP N210 in our case with two GSM antennas to createthe network USRPN210 has been chosen because it supportsGSM-R networks and provides high-bandwidth and a high-dynamic range processing capability
The train in the framework will be simulated with a PCa Modem and a programmable SIM card A programmableSIM card [21] is needed because it is necessary to know the119870119894key of the SIM card in order to get the full authentication inOpenBTS and use a GSM encryption over the network TheModem will be used for being able to connect the PC to theGSM network
Finally the attacker that will perform the eavesdroppingattack in Figure 7 will be supplied by a TDT-SDR It is a SDRthat captures the traffic in the GSM network together withthe Universal Radio Hacker (URH) software With this SDRwe will be able to investigate the wireless protocol and withthe rainbow tables we will be able to get the A51 keys usedin the communication between the train and the real ControlCentre Thus since the SIM card we use has a programmable119870119894 we will be able to configure the same A51 key and
therefore once we force the train to connect to the maliciousControl Centre we will be able to decrypt the sent messages
As mentioned before our framework is composed ofOpenBTS and USRP N210 and therefore since we use theOpenBTS software we are able just to create GSM-R andGPRS networks In the case railway networks evolve to LTE(Long Term Evolution) network we could use OpenLTEopen source project [22] but this project cannot be used inthe hardware USRP N210 because of clock incompatibilityreasons Therefore a sample rate conversion on the hostwould have to be done in the USRP
42 Specification of the Procedure The flow chart that thisattack follows is described in Figure 8 As can be seen afterinstalling the framework we are able to get the data fromthe train to the real Control Centre This traffic is cipheredby A51 Since we have the rainbow tables in the attackerperforming the eavesdropping attack we are able to decryptthe messages on GSM level
The attack in the EuroRadio protocol will be performedagainst the DES KSMAC key and will be a Meet-in-the-Middle attack In this attack all possible keys are tested
Since all the messages that are exchanged between thetrain and the RBC in ERTMS are defined in [11] we assumethat we are able to obtain a known plain-text and a cipher-textpair (1198751 1198621) The Meet-in-the-Middle (MTM) attack with inciphers like 119862 = DES(1198701DES(1198702 119875)) works as follows
We build a list containing the pair (1198681 1198701) for everypossible value of119870
1 256 for DES The 119868
1values will be gotten
by brute force 1198681= DES(119870
1 1198751)
On the other hand we will obtain 1198682values by performing
1198682= DESminus1(119870
2 1198621) This operation is performed until the 119868
2
value matches a 1198681value that is stored in the table
In order to be sure that the computed keys are correct itis possible to obtain another known plain-text and a cipher-text pair (119875
1 1198621) and calculate 119862 = DES(119870
1DES(119870
2 1198752)) If
C and1198622are equal it means the we have find the correct keys
In triple-DES systemswhere there are three different keysthe ciphers work following the next relation
119862 = DES (1198701DESminus1 (1198702DES (119870
3 119875))) (2)
For the Meet-in-the-Middle attack in triple-DESwith three different keys we define DES(119870
2 119875) =
DESminus1(1198702DES(1198703 119875)) so we just need to apply thisfor the calculation of 1198681
The calculation of 1198681 needs 2112 operations because itis a double-application of DES and on the other handthe calculation of 1198682 needs 256 operations Thus the attackrequires 2112 + 256 asymp 2112 operations
Afterwards, if we are able to calculate the three keys, we obtain $K_S = (K_{S1}, K_{S2}, K_{S3})$. We then need to calculate the time needed to perform the whole attack, as Figure 8 describes. With the measured time, we know whether this attack could be performed in real time or not.
In the case the attack can be performed in real time, that is, if all the keys are obtained during the operation of the train, these keys could be used to carry out different attacks that involve the identity theft of the train or the RBC. The attacker, for instance, could pass himself off as the RBC in order to send false movement authorities to the train. On the other hand, the attacker could also falsify the train's position control that is made by the RBC in ERTMS level 3 by sending false position information to the RBC while he impersonates the train. All this false information created by the attacker could involve the collision between different trains.
The results obtained with the framework will help in looking for countermeasures, since the fact of acquiring the keys in real time means A5/1 and 3DES security mechanisms are not strong enough for railway environments. In consequence, those mechanisms should be enforced or changed in order to continue using ERTMS systems in a secure manner. A possible countermeasure for the system could be to update the 3DES security mechanism to a more secure system such as AES, since AES uses larger block sizes and longer keys. Therefore, it will be more costly to perform the attack in real time. In fact, the 3DES key length is 112 or 156 bits, whereas in AES the length of the keys is variable: 128, 192, or 256 bits. However, the use of AES should first be evaluated by the framework presented in Figure 7.

Figure 8: Flow chart of the process.
5. Conclusions and Future Work

Different vulnerabilities in the security mechanisms of the ERTMS system have been described in this article, but even if they are identified, without an attacking framework we do not know whether they are exploitable in practice or not. In consequence, the presented framework will give information about the exploitability of the A5/1 and 3DES security mechanisms and therefore will determine if countermeasures should be applied to improve the security of the system or not. Moreover, the resulting information of the framework will constitute the basis of the countermeasures that should be applied to the system.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This research work was supported by the Spanish Government through the SAREMSIG TEC2013-47012-C2-1-R project, Proyectos de I+D+I Retos Investigacion 2013, and by the Cyber Security on Rails project with Construcciones Auxiliar de Ferrocarriles Investigacion y Desarrollo SL, 2015-2016.
References
[1] U. P. Winter, Compendium on ERTMS, Eurail Press, 2009.
[2] M. Kalenderi, D. Pnevmatikatos, I. Papaefstathiou, and C. Manifavas, “Breaking the GSM A5/1 cryptography algorithm with rainbow tables and high-end FPGAs,” in Proceedings of the 22nd International Conference on Field Programmable Logic and Applications, FPL 2012, pp. 747–753, nor, August 2012.
[3] R. J. T. Joeri de Ruiter and T. Chothia, “A formal security analysis of ERTMS train to trackside protocols,” Reliability, Safety, and Security of Railway Systems - Modelling, Analysis, Verification, and Certification, pp. 53–68, 2016.
[4] UIC, “2005 UIC Code 518 OR: Testing and approval of railway vehicles from the point of view of their dynamic behaviour, safety, track fatigue, ride quality.”
[5] A. Faivre, A. Lapitre, A. Lanusse, et al., “Two methods for modeling and verification of safety properties of railway infrastructures,” in Proceedings of the International Conference on Industrial Engineering and Systems Management, IEEE IESM 2015, pp. 48–54, esp, October 2015.
[6] M. Franekova, K. Rastocn, A. Janota, and P. Chrtiansky, “Safety analysis of cryptography mechanisms used in GSM for railway,” Annals of the Faculty of Engineering Hunedoara, vol. 9, no. 1, p. 207, 2011.
[7] L. J. Valdivia, I. Adin, S. Arrizabalaga, J. Anorga, and J. Mendizabal, “Cybersecurity-The Forgotten Issue in Railways: Security Can Be Woven into Safety Designs,” IEEE Vehicular Technology Magazine, vol. 13, no. 1, pp. 48–55, 2018.
[8] G. Hatzivasilis, I. Papaefstathiou, and C. Manifavas, “Real-time management of railway CPS secure administration of IoT and CPS infrastructure,” in Proceedings of the 6th Mediterranean Conference on Embedded Computing, MECO 2017, mne, June 2017.
[9] U. SUBSET-026-2, “ERTMS/ETCS system requirements specification, chapter 2: basic system description,” Tech. Rep., 2014.
[10] C. Manifavas, G. Hatzivasilis, K. Fysarakis, and Y. Papaefstathiou, “A survey of lightweight stream ciphers for embedded systems,” Security and Communication Networks, vol. 9, no. 10, pp. 1226–1246, 2016.
[11] U. SUBSET-037, ERTMS/ETCS EuroRadio FIS, Tech. Rep.
[12] E. Masson and C. Gransart, “Cyber Security for Railways – A Huge Challenge – Shift2Rail Perspective,” in Proceedings of the Communication Technologies for Vehicles: 12th International Workshop, Nets4Cars/Nets4Trains/Nets4Aircraft ’17, pp. 97–104, Toulouse, France.
[13] R. B. I. Gashi, R. Bloomfield, and R. Stroud, “How secure is ERTMS? Computer Safety, Reliability, and Security: SAFECOMP 2012 Workshops,” in Proceedings of the SAFECOMP 2012 Workshops: Sassur, ASCoMS, DESEC4LCCI, ERCIM/EWICS, IWDE, pp. 247–258, Magdeburg, Germany, 2012.
[14] I. Lopez and M. Aguado, “Cyber security analysis of the European train control system,” IEEE Communications Magazine, vol. 53, no. 10, pp. 110–116, 2015.
[15] E. Biham, “How to forge DES-encrypted messages in $2^{28}$ steps,” Tech. Rep., Technion Computer Science Department, 1996.
[16] F. Pepin and M. G. Vigliotti, “Risk assessment of the 3DES in ERTMS,” Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics): Preface, vol. 9707, pp. 79–92, 2016.
[17] T. Chothia, M. Ordean, J. De Ruiter, and R. J. Thomas, “An Attack against message authentication in the ERTMS train to trackside communication protocols,” in Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security, ASIA CCS 2017, pp. 743–756, are, April 2017.
[18] R. Networks, “OpenBTS,” 2018, http://openbts.org.
[19] E. Research, “USRP N210,” 2018, http://www.ettus.com/product/details/UN210-KIT.
[20] Digium, “Asterisk,” http://www.asterisk.org.
[21] Sysmocom, “sysmoUSIM-SJS1 SIM card,” 2018, http://www.sysmocom.de/products/sysmousim-sjs1-sim-usim.
[22] “OpenLTE,” 2018, http://sourceforge.net/p/openlte/wiki/Installing.
serious weaknesses in the cipher were identified [10]. Hence, rainbow tables able to decrypt encrypted messages are available on the Internet.
On the other hand, the EuroRadio protocol uses 3DES keys to encrypt the messages [11]. The keys used in the communications (KTRANS, K-KMC, KMAC, and KSMAC) are created by the KMC entity, with the exception of the session key KSMAC. The KTRANS and K-KMC keys are transport keys used to ensure the safe distribution of the KMAC keys from the KMC to ERTMS entities. This distribution is made off-line; this means it requires personnel to manually deliver the messages.
The KMAC key is used in the session establishment process to negotiate the KSMAC session key between ERTMS entities. Three messages are exchanged between the ERTMS entities in this phase for the authentication of both entities and the key generation. In these messages, $R_A$ and $R_B$ random numbers are sent, which are used for computing the KSMAC key together with the KMAC key. Considering KSMAC $= K_S = K_{S1}, K_{S2}, K_{S3}$, the three 64-bit DES keys $K_{S1}$, $K_{S2}$, and $K_{S3}$ are calculated according to the following formulas:

$$
\begin{aligned}
K_{S1} &= \mathrm{MAC}(R_A^L \mid R_B^L, K_{AB}) = \mathrm{DES}(K_3, \mathrm{DES}^{-1}(K_2, \mathrm{DES}(K_1, R_A^L \mid R_B^L))), \\
K_{S2} &= \mathrm{MAC}(R_A^R \mid R_B^R, K_{AB}) = \mathrm{DES}(K_3, \mathrm{DES}^{-1}(K_2, \mathrm{DES}(K_1, R_A^R \mid R_B^R))), \\
K_{S3} &= \mathrm{MAC}(R_A^L \mid R_B^L, K'_{AB}) = \mathrm{DES}(K_1, \mathrm{DES}^{-1}(K_2, \mathrm{DES}(K_3, R_A^L \mid R_B^L))),
\end{aligned}
\qquad (1)
$$

where $L$ means left and $R$ means right and therefore $R_A = R_A^L \mid R_A^R$ and $R_B = R_B^L \mid R_B^R$.
The calling entity ($B$) creates an $R_B$ random number and sends it to the called entity ($A$) in plain text. Consequently, the $A$ entity creates an $R_A$ random number and computes the KSMAC key with both random numbers and the KMAC. Afterwards, the $A$ entity sends the created $R_A$ random number and a CBC-MAC code computed with the KSMAC and both random numbers to the $B$ entity. Finally, the $B$ entity computes the KSMAC key and verifies that it is correct, creating also a CBC-MAC with it, which is sent to the $A$ entity for the complete authentication. Random numbers are exchanged in plain text and thus an attacker could save them.
3. Related Work

A lot of research and innovation projects on cybersecurity in railways are being completed with funds from the European Union. Some of those projects are described in [12].
Different analyses of the ERTMS protocol's security have also been done. These analyses have pointed out vulnerabilities in the ERTMS cryptographic mechanisms. A high-level security analysis of ERTMS is made in [13], but it does not present the vulnerabilities of the EuroRadio protocol that will be exploited with this framework. Different vulnerabilities of the EuroRadio protocol are pointed out in [3] by performing an analysis of it with the ProVerif tool. These vulnerabilities include, for instance, the ability of including high-priority messages or deletion of messages, since the session establishment process does not use time-stamps and therefore these messages could be replicated. In this case, once the session is established, the train does not verify the identity of the RBC anymore, so a vulnerability that could be exploited exists.
Additionally, [14] pointed out that, since the distribution of the KMAC key is made off-line and this requires personnel to manually deliver the keys from the KMC to the ERTMS entities, many operators decide to simplify the process by using the same KMAC for large train fleets, amplifying the risk of having an attack. Therefore, if the attack is performed during the session establishment process and the same key is shared between different parties, the whole system could be compromised: an attacker could take the identity of many trains in other session establishments.
On the other hand, [15] pointed out the ability of making a key collision attack on DES, and [16] described how a Related-Key Attack (RKA) can be done in ERTMS. A method for doing these two attacks in ERTMS networks is presented in [17], which concludes that the EuroRadio protocol is not secure if large amounts of data, and therefore long session lengths, are used. Thus, the Meet-in-the-Middle attack presented in this article could be more feasible.
However, all of these analyses present vulnerabilities of the protocols used in ERTMS but do not describe how these vulnerabilities could be exploited in order to later find countermeasures for those vulnerabilities. This paper will contribute by presenting a framework that describes how an attack could be performed and figuring out if it is feasible to do it in real time.
4. Proposed Method for Vulnerability Detection

In this section, we present our framework and the method for vulnerability detection, describing also its limitations. Finally, the process we will follow to know if an attack could be successful in real time is described.
4.1. Description of the Framework and Limitations. The scenario that this framework will consider is shown in Figure 6. The train is used to connect to the Control Centre in order to receive movement authorities, but first the train sends a position report to the Control Centre.
In the scenario that we are considering, we force the train to connect to the malicious Control Centre instead of the real one, but before doing this we calculate the keys used in the communication between the train and the RBC with the attacker presented in Figure 7.
Once we have gotten the keys and forced the train to connect to our malicious Control Centre, the position report that the train sends will arrive at the malicious Control Centre. This position report is encrypted by different encryption systems at different levels, but at this point we have already obtained the keys used in the communication and therefore we are able to decrypt the message. Accordingly, we are able to change the position report and send it to the real Control Centre by taking the identity of the train. The Control Centre receives the fake message and creates a movement authority depending on the position report, which is sent to the train.

Figure 6: Scenario (Train; Control Center; USRP – Malicious Control Center).

Figure 7: Framework. Malicious Control Centre: RBC (industrial PC), OpenBTS (SIPAuthServe, SMQueue, Asterisk), USRP. Train: Modem, SIM card, OBU (industrial PC). Attacker (eavesdropping): TDT-SDR. Control Centre: RBC.
The framework we have considered is described in Figure 7. It is composed of the malicious Control Centre, the train, an attacker that will eavesdrop, and the real Control Centre.
The malicious Control Centre is formed by the false RBC, which will be an industrial PC; the OpenBTS (Open Base Transceiver Station) software [18], which is composed of the SIPAuthServe, SMQueue, and Asterisk servers; and the USRP N210 Software Defined Radio (SDR) [19].
The OpenBTS is a software-based GSM access point, allowing standard GSM-compatible mobile phones to be used as SIP endpoints in Voice over IP (VoIP) networks. The software controls the transceiver, makes calls, and sends SMSs. The SIPAuthServe is the server that processes SIP register requests that OpenBTS generates when a handset attempts to join the GSM network. It supports three types of authentication:
(i) AUTH type 2: unauthenticated. The handset is connected to the OpenBTS network but it does not exist in the register server.
(ii) AUTH type 1: cached authentication. The handset is connected to the network and it does exist in the register server, but a simple encryption method based on TMSI is used.
(iii) AUTH type 0: full authentication. The SIM card is fully authenticated in OpenBTS and therefore the $K_i$ key is provided to the authentication server and used for the encryption. The $K_i$ is a 128-bit value used to authenticate the SIMs on a GSM mobile network. Each SIM holds a unique and secret $K_i$ assigned by the operator. This authentication method uses proper GSM encryption over the network.
The other servers in OpenBTS are SMQueue and Asterisk, as has been pointed out before. While the SMQueue processes SIP message requests that OpenBTS generates when a handset sends an SMS, Asterisk is a VoIP switch responsible for handling SIP INVITE requests, establishing the individual legs of the call, and connecting them together [20].
The hardware part of the OpenBTS software is an SDR, the USRP N210 in our case, with two GSM antennas to create the network. The USRP N210 has been chosen because it supports GSM-R networks and provides high bandwidth and a high-dynamic-range processing capability.
The train in the framework will be simulated with a PC, a Modem, and a programmable SIM card. A programmable SIM card [21] is needed because it is necessary to know the $K_i$ key of the SIM card in order to get the full authentication in OpenBTS and use GSM encryption over the network. The Modem will be used to connect the PC to the GSM network.
Finally, the attacker that will perform the eavesdropping attack in Figure 7 will be supplied by a TDT-SDR. It is an SDR that captures the traffic in the GSM network together with the Universal Radio Hacker (URH) software. With this SDR, we will be able to investigate the wireless protocol, and with the rainbow tables we will be able to get the A5/1 keys used in the communication between the train and the real Control Centre. Thus, since the SIM card we use has a programmable $K_i$, we will be able to configure the same A5/1 key and therefore, once we force the train to connect to the malicious Control Centre, we will be able to decrypt the sent messages.
As mentioned before, our framework is composed of OpenBTS and the USRP N210, and therefore, since we use the OpenBTS software, we are only able to create GSM-R and GPRS networks. In case railway networks evolve to an LTE (Long Term Evolution) network, we could use the OpenLTE open source project [22], but this project cannot be used with the USRP N210 hardware because of clock incompatibility reasons. Therefore, a sample rate conversion on the host would have to be done in the USRP.
42 Specification of the Procedure The flow chart that thisattack follows is described in Figure 8 As can be seen afterinstalling the framework we are able to get the data fromthe train to the real Control Centre This traffic is cipheredby A51 Since we have the rainbow tables in the attackerperforming the eavesdropping attack we are able to decryptthe messages on GSM level
The attack in the EuroRadio protocol will be performedagainst the DES KSMAC key and will be a Meet-in-the-Middle attack In this attack all possible keys are tested
Since all the messages that are exchanged between thetrain and the RBC in ERTMS are defined in [11] we assumethat we are able to obtain a known plain-text and a cipher-textpair (1198751 1198621) The Meet-in-the-Middle (MTM) attack with inciphers like 119862 = DES(1198701DES(1198702 119875)) works as follows
We build a list containing the pair (1198681 1198701) for everypossible value of119870
1 256 for DES The 119868
1values will be gotten
by brute force 1198681= DES(119870
1 1198751)
On the other hand we will obtain 1198682values by performing
1198682= DESminus1(119870
2 1198621) This operation is performed until the 119868
2
value matches a 1198681value that is stored in the table
In order to be sure that the computed keys are correct itis possible to obtain another known plain-text and a cipher-text pair (119875
1 1198621) and calculate 119862 = DES(119870
1DES(119870
2 1198752)) If
C and1198622are equal it means the we have find the correct keys
In triple-DES systemswhere there are three different keysthe ciphers work following the next relation
119862 = DES (1198701DESminus1 (1198702DES (119870
3 119875))) (2)
For the Meet-in-the-Middle attack in triple-DESwith three different keys we define DES(119870
2 119875) =
DESminus1(1198702DES(1198703 119875)) so we just need to apply thisfor the calculation of 1198681
The calculation of 1198681 needs 2112 operations because itis a double-application of DES and on the other handthe calculation of 1198682 needs 256 operations Thus the attackrequires 2112 + 256 asymp 2112 operations
Afterwards if we are able to calculate the three keys weare going to obtain119870
119878= (1198701198781 1198701198782 1198701198783) we need to calculate
the time we need for performing the whole attack as Figure 8describes With the measured time we know whether thisattack could be performed in real time or not
In the case the attack can be performed in real time thatis if all the keys are obtained during the operation of the trainthese keys could be used to carry out different attacks thatinvolve the identity theft of the train or the RBCThe attackerfor instance could pass himself off as the RBC in order tosend false movement authorities to the train On the otherhand the attacker could also falsify the trains position controlthat is made by the RBC in ERTMS level 3 by sending falseposition information to the RBC while he impersonates thetrain All this false information created by the attacker couldinvolve the collision between different trains
The results obtainedwith the frameworkwill help in look-ing for countermeasures since the fact of acquiring the keysin real time means A51 and 3DES security mechanisms arenot strong enough for railway environments In consequencethose mechanisms should be enforced or changed in orderto continue using ERTMS systems in a secure manner Apossible countermeasure for the system could be to updatethe 3DES security mechanism to a more secure system suchas AES since AES uses larger block sizes and longer keysTherefore it will be more costly to perform the attack in realtime In fact 3DES keys length is 112 or 156 bits whereasin AES the length of the keys is variable 128 192 or 256
8 Security and Communication Networks
Start
Mount theframework
Start to get data inthe TDT-SDR
Able to decryptA51
Able to decryptEuroRadio
Able to do it inreal time
Apply the rainbowtables to decrypt
A51
Perform an attackto EuroRadio
protocol
YES
Calculate theneeded time toperform all the
attacks
YES
END
Verify if the rainbowtables are correctly
looked
Are theycorrectlylooked
Verify if the attack iscorrectly done
Is it correctlydone
NO
Verify if theframework is
correctly mounted
Is it correctlymounted
YES
NO
Make conclusions
YES NO
YES
NO
Verify if theframework is
correctly mounted
Is it correctlymounted
YES
YES
NO
Figure 8 Flow chart of the process
Security and Communication Networks 9
bits However the use of AES should be first evaluated by theframework presented in Figure 7
5 Conclusions and Future Work
Different vulnerabilities in the security mechanisms of theERTMS system have been described in this article but evenif they are identified without an attacking framework we donot know whether they are exploitable in practice or not Inconsequence the presented framework will give informationabout the exploitability of the A51 and 3DES security mech-anisms and therefore will determine if countermeasuresshould be applied to improve the security of the system ornot Moreover the resulting information of the frameworkwill constitute the basis of the countermeasures that shouldbe applied to the system
Conflicts of Interest
The authors declare that they have no conflicts of interest
Acknowledgments
This research work was supported by the Spanish Gov-ernment through the SAREMSIG TEC2013-47012-C2-1-Rproject Proyectos de I+D+I Retos Investigacion 2013 andby the Cyber Security on Rails project with ConstruccionesAuxiliar de Ferrocarriles Investigacion y Desarrollo SL2015-2016
References
[1] U P Winter Compendium on ERTMS Eurail press 2009[2] M Kalenderi D Pnevmatikatos I Papaefstathiou and C
Manifavas ldquoBreaking the GSM A51 cryptography algorithmwith rainbow tables and high-end FPGAsrdquo in Proceedings of the22nd International Conference on Field Programmable Logic andApplications FPL 2012 pp 747ndash753 nor August 2012
[3] R J T Joeri de Ruiter andT Chothia ldquoA formal security analysisof ertms train to trackside protocolsrdquo Reliability Safety andSecurity of Railway Systems - Modelling Analysis Verificationand Certification pp 53ndash68 2016
[4] UIC ldquo2005 UIC Code 518 OR Testing and approval of railwayvehicles from the point of view of their dynamic behavioursafety track fatigue ride qualityrdquo
[5] A Faivre A Lapitre A Lanusse et al ldquoTwo methods formodeling and verification of safety properties of railway infras-tructuresrdquo in Proceedings of the International Conference onIndustrial Engineering and Systems Management IEEE IESM2015 pp 48ndash54 esp October 2015
[6] M Franekova K Rastocn A Janota and P Chrtiansky ldquoSafetyanalysis of cryptography mechanisms used in gsm for railwayrdquoAnnals of the Faculty of Engineering Hunedoara vol 9 no 1 p207 2011
[7] L J Valdivia I Adin S Arrizabalaga J Anorga and JMendizabal ldquoCybersecurity-The Forgotten Issue in RailwaysSecurity Can Be Woven into Safety Designsrdquo IEEE VehicularTechnology Magazine vol 13 no 1 pp 48ndash55 2018
[8] G Hatzivasilis I Papaefstathiou and C Manifavas ldquoReal-timemanagement of railway CPS secure administration of IoT and
CPS infrastructurerdquo in Proceedings of the 6th MediterraneanConference on Embedded Computing MECO 2017 mne June2017
[9] U SUBSET-026-2 ldquoErtmsetcs system requirements specifica-tion chapter 2 basic system descriptionrdquo Tech Rep 2014
[10] C Manifavas G Hatzivasilis K Fysarakis and Y Papaefs-tathiou ldquoA survey of lightweight stream ciphers for embeddedsystemsrdquo Security and Communication Networks vol 9 no 10pp 1226ndash1246 2016
[11] U SUBSET-037 Ertmsetcs euroradio fis tech rep[12] E Masson and C Gransart ldquoCyber Security for Railways ndash
A Huge Challenge ndash Shift2Rail Perspectiverdquo in Proceedings ofthe Communication Technologies for Vehicles 12th InternationalWorkshop Nets4CarsNets4TrainsNets4Aircraft rsquo17 pp 97ndash104Toulouse France
[13] R B I Gashi R Bloomflied and R Stroud ldquoHow secure isertms Computer Safety Reliability and Security SAFECOMP2012Workshopsrdquo in Proceedings of the SAFECOMP 2012 Work-shops Sassur ASCoMS DESEC4LCCI ERCIMEWICS IWDEpp 247ndash258 Magdeburg Germany 2012
[14] I Lopez and M Aguado ldquoCyber security analysis of the Euro-pean train control systemrdquo IEEE Communications Magazinevol 53 no 10 pp 110ndash116 2015
[15] E Biham ldquoHow to forge des-encrypted messages in 228 stepsrdquoTech Rep Technion Computer Science Department 1996
[16] F Pepin and M G Vigliotti ldquoRisk assessment of the 3des inERTMSrdquo Lecture Notes in Computer Science (including subseriesLecture Notes in Artificial Intelligence and Lecture Notes inBioinformatics) Preface vol 9707 pp 79ndash92 2016
[17] T Chothia M Ordean J De Ruiter and R J Thomas ldquoAnAttack against message authentication in the ERTMS trainto trackside communication protocolsrdquo in Proceedings of the2017 ACM Asia Conference on Computer and CommunicationsSecurity ASIA CCS 2017 pp 743ndash756 are April 2017
[18] R Networks ldquoOpenbtsrdquo 2018 httpopenbtsorg[19] E Research ldquoUsrp n210rdquo 2018 httpwwwettuscomproduct
detailsUN210-KIT[20] Digium ldquoAsteriskrdquo httpwwwasteriskorg[21] Sysmocom ldquosysmousim-sjs1 sim cardrdquo 2018 httpwwwsys-
mocomdeproductssysmousim-sjs1-sim-usim[22] ldquoOpenlterdquo 2018 httpsourceforgenetpopenltewikiInstalling
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
6 Security and Communication Networks
TrainControl Center
USRP ndash MaliciousControl Center
Figure 6 Scenario
RBC(industrial PC) OpenBTS
SIPAuthServe SMQueue Asterix
USRP Modem
SIM Card
OBU(industrial PC)
TDT-SDR
Malicious Control Centre
Train
Attacker(eavesdropping)
RBC
Control Centre
Figure 7 Framework
that the train sends will arrive to the malicious Control Cen-tre This position report is encrypted by different encryptionsystems in different levels but in this point we have alreadyobtained the keys used in the communication and thereforewe are able to decrypt the message Accordingly we are ableto change the position report and send it to the real ControlCentre by taking the identity of the trainTheControl Centrereceives the fake message and creates a movement authoritydepending on the position report which is sent to the train
The framework we have considered is described in Fig-ure 7 It is composed of the malicious Control Centre thetrain an attacker that will eavesdrop and the real ControlCentre
Themalicious Control Centre is formed by the false RBCwhich will be an industrial PC the OpenBTS (Open BaseTransceiver Station) software [18] which is composed of the
SIPAuthServe SMQueue and Asterix servers and the USRPN210 Software Defined Radio (SDR) [19]
The OpenBTS is a software-based GSM access pointallowing standard GSM-compatible mobile phones to beused as SIP endpoints in Voice over IP (VoIP) networksThe software controls the transceiver makes calls and sendsSMSs The SIPAuthServe is the server that processes SIPregister requests that OpenBTS generates when a handsetattempts to join the GSM network It supports three types ofauthentication
(i) AUTH type 2 unauthenticated The handset is con-nected to the OpenBTS network but it does not existin the register server
(ii) AUTH type 1 cached authentication The handset isconnected to the network and it does exist in the
Security and Communication Networks 7
register server but a simple encryptionmethod basedon TMSI is used
(iii) AUTH type 0 full authentication The SIM card isfull authenticated in OpenBTS and therefore 119870
119894 keyis provided to the authentication server and usedfor the encryption The 119870119894 is a 128-bit value usedto authenticate the SIMs on a GSM mobile networkEach SIM holds a unique and secret Ki assigned bythe operatorThis authentication method uses properGSM encryption over the network
The other servers in OpenBTS are SMQueue and Asterisk, as has been pointed out before. While SMQueue processes the SIP message requests that OpenBTS generates when a handset sends an SMS, Asterisk is a VoIP switch responsible for handling SIP INVITE requests, establishing the individual legs of the call, and connecting them together [20].
The hardware part of the OpenBTS software is an SDR, the USRP N210 in our case, with two GSM antennas to create the network. The USRP N210 has been chosen because it supports GSM-R networks and provides high bandwidth and a high-dynamic-range processing capability.
The train in the framework will be simulated with a PC, a modem, and a programmable SIM card. A programmable SIM card [21] is needed because it is necessary to know the $K_i$ key of the SIM card in order to get full authentication in OpenBTS and use GSM encryption over the network. The modem will be used to connect the PC to the GSM network.
Finally, the attacker that will perform the eavesdropping attack in Figure 7 will be equipped with a TDT-SDR. It is an SDR that captures the traffic in the GSM network, together with the Universal Radio Hacker (URH) software. With this SDR we will be able to investigate the wireless protocol, and with the rainbow tables we will be able to get the A5/1 keys used in the communication between the train and the real Control Centre. Thus, since the SIM card we use has a programmable $K_i$, we will be able to configure the same A5/1 key, and therefore, once we force the train to connect to the malicious Control Centre, we will be able to decrypt the sent messages.
As mentioned before, our framework is composed of OpenBTS and the USRP N210, and therefore, since we use the OpenBTS software, we are only able to create GSM-R and GPRS networks. In case railway networks evolve to an LTE (Long Term Evolution) network, we could use the OpenLTE open source project [22], but this project cannot be used with the USRP N210 hardware because of clock incompatibility reasons. Therefore a sample rate conversion on the host would have to be done in the USRP.
4.2 Specification of the Procedure. The flow chart that this attack follows is described in Figure 8. As can be seen, after installing the framework we are able to get the data sent from the train to the real Control Centre. This traffic is ciphered by A5/1. Since we have the rainbow tables in the attacker performing the eavesdropping attack, we are able to decrypt the messages at the GSM level.
The attack on the EuroRadio protocol will be performed against the DES KSMAC key and will be a Meet-in-the-Middle attack. In this attack all possible keys are tested.
Since all the messages that are exchanged between the train and the RBC in ERTMS are defined in [11], we assume that we are able to obtain a known plain-text and cipher-text pair $(P_1, C_1)$. The Meet-in-the-Middle (MTM) attack on ciphers like $C = \mathrm{DES}(K_1, \mathrm{DES}(K_2, P))$ works as follows.
We build a list containing the pair $(I_1, K_1)$ for every possible value of $K_1$, $2^{56}$ for DES. The $I_1$ values will be obtained by brute force: $I_1 = \mathrm{DES}(K_1, P_1)$.
On the other hand, we will obtain $I_2$ values by performing $I_2 = \mathrm{DES}^{-1}(K_2, C_1)$. This operation is performed until the $I_2$ value matches an $I_1$ value that is stored in the table.
In order to be sure that the computed keys are correct, it is possible to obtain another known plain-text and cipher-text pair $(P_2, C_2)$ and calculate $C = \mathrm{DES}(K_1, \mathrm{DES}(K_2, P_2))$. If $C$ and $C_2$ are equal, it means that we have found the correct keys.
In triple-DES systems where there are three different keys, the ciphers work following the next relation:

$$C = \mathrm{DES}(K_1, \mathrm{DES}^{-1}(K_2, \mathrm{DES}(K_3, P))) \qquad (2)$$

For the Meet-in-the-Middle attack in triple-DES with three different keys we define $\mathrm{DES}(K_2, P) = \mathrm{DES}^{-1}(K_2, \mathrm{DES}(K_3, P))$, so we just need to apply this for the calculation of $I_1$.
The calculation of $I_1$ needs $2^{112}$ operations because it is a double application of DES and, on the other hand, the calculation of $I_2$ needs $2^{56}$ operations. Thus the attack requires $2^{112} + 2^{56} \approx 2^{112}$ operations.
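The following Python example is added here and is not code from the article: it runs the meet-in-the-middle procedure and the second-pair confirmation described above against double encryption, to show why the work is about $2 \cdot 2^{k}$ cipher operations rather than $2^{2k}$ for $k$-bit keys. It assumes a constructed 16-bit toy Feistel cipher with 10-bit keys standing in for DES; all function names, keys, and plaintext blocks are hypothetical.

```python
"""Meet-in-the-middle against double encryption, on a constructed toy cipher."""
from collections import defaultdict

KEY_BITS = 10   # toy key size so the search finishes instantly (DES uses 56)
ROUNDS = 4


def _f(half, key, rnd):
    """Keyed 8-bit round function; a Feistel network does not need it invertible."""
    x = (half * 167 + key * 29 + (key >> 3) + rnd * 101) & 0xFFFF
    x ^= x >> 5
    return (x * 73 + 11) & 0xFF


def toy_encrypt(key, block):
    """Encrypt one 16-bit block with a 4-round Feistel network (a stand-in, not DES)."""
    left, right = block >> 8, block & 0xFF
    for rnd in range(ROUNDS):
        left, right = right, left ^ _f(right, key, rnd)
    return (left << 8) | right


def toy_decrypt(key, block):
    """Invert toy_encrypt by undoing the rounds in reverse order."""
    left, right = block >> 8, block & 0xFF
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _f(left, key, rnd), left
    return (left << 8) | right


def double_encrypt(k1, k2, block):
    """C = E(K1, E(K2, P)): the double-encryption form used in the text."""
    return toy_encrypt(k1, toy_encrypt(k2, block))


def meet_in_the_middle(p1, c1):
    """Return (candidate (k1, k2) pairs, number of cipher operations spent)."""
    ops = 0
    table = defaultdict(list)   # intermediate value -> keys applied first to P
    for k2 in range(1 << KEY_BITS):
        table[toy_encrypt(k2, p1)].append(k2)
        ops += 1
    candidates = []
    for k1 in range(1 << KEY_BITS):
        middle = toy_decrypt(k1, c1)   # peel the outer layer off the ciphertext
        ops += 1
        candidates.extend((k1, k2) for k2 in table.get(middle, ()))
    return candidates, ops


def confirm(candidates, p2, c2):
    """Keep only the key pairs that also explain a second known pair."""
    return [(k1, k2) for k1, k2 in candidates
            if double_encrypt(k1, k2, p2) == c2]


def demo():
    k1, k2 = 0x2A7, 0x13C        # constructed secret keys
    p1, p2 = 0x4552, 0x544D      # constructed known plaintext blocks
    c1 = double_encrypt(k1, k2, p1)
    c2 = double_encrypt(k1, k2, p2)
    candidates, ops = meet_in_the_middle(p1, c1)
    return {
        "pairs": ((p1, c1), (p2, c2)),
        "candidates": candidates,            # may include false matches
        "confirmed": confirm(candidates, p2, c2),
        "ops": ops,                          # 2 * 2**KEY_BITS
        "brute_force_ops": 1 << (2 * KEY_BITS),
    }


if __name__ == "__main__":
    result = demo()
    print("candidates after first pair :", len(result["candidates"]))
    print("confirmed with second pair  :", result["confirmed"])
    print("cipher operations           :", result["ops"],
          "vs exhaustive", result["brute_force_ops"])
```

With a 16-bit block and 20 bits of total key, the first pair alone leaves several false key pairs, which is why the text's confirmation against a second pair is needed.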
Afterwards, if we are able to calculate the three keys, we are going to obtain $K_S = (K_{S1}, K_{S2}, K_{S3})$; we then need to calculate the time needed for performing the whole attack, as Figure 8 describes. With the measured time we know whether this attack could be performed in real time or not.
In case the attack can be performed in real time, that is, if all the keys are obtained during the operation of the train, these keys could be used to carry out different attacks that involve the identity theft of the train or the RBC. The attacker, for instance, could pass himself off as the RBC in order to send false movement authorities to the train. On the other hand, the attacker could also falsify the train's position control that is made by the RBC in ERTMS level 3 by sending false position information to the RBC while he impersonates the train. All this false information created by the attacker could involve the collision between different trains.
The results obtained with the framework will help in looking for countermeasures, since acquiring the keys in real time means that the A5/1 and 3DES security mechanisms are not strong enough for railway environments. In consequence, those mechanisms should be reinforced or changed in order to continue using ERTMS systems in a secure manner. A possible countermeasure for the system could be to update the 3DES security mechanism to a more secure system such as AES, since AES uses larger block sizes and longer keys. Therefore it will be more costly to perform the attack in real time. In fact, the 3DES key length is 112 or 156 bits, whereas in AES the length of the keys is variable: 128, 192, or 256 bits. However, the use of AES should first be evaluated by the framework presented in Figure 7.

Figure 8: Flow chart of the process.
5 Conclusions and Future Work
Different vulnerabilities in the security mechanisms of the ERTMS system have been described in this article, but even if they are identified, without an attacking framework we do not know whether they are exploitable in practice or not. In consequence, the presented framework will give information about the exploitability of the A5/1 and 3DES security mechanisms and therefore will determine if countermeasures should be applied to improve the security of the system or not. Moreover, the resulting information of the framework will constitute the basis of the countermeasures that should be applied to the system.
Conflicts of Interest
The authors declare that they have no conflicts of interest
Acknowledgments
This research work was supported by the Spanish Government through the SAREMSIG TEC2013-47012-C2-1-R project, Proyectos de I+D+I Retos Investigacion 2013, and by the Cyber Security on Rails project with Construcciones Auxiliar de Ferrocarriles Investigacion y Desarrollo SL, 2015-2016.
References
[1] U. P. Winter, Compendium on ERTMS, Eurail Press, 2009.
[2] M. Kalenderi, D. Pnevmatikatos, I. Papaefstathiou, and C. Manifavas, "Breaking the GSM A5/1 cryptography algorithm with rainbow tables and high-end FPGAs," in Proceedings of the 22nd International Conference on Field Programmable Logic and Applications, FPL 2012, pp. 747–753, Norway, August 2012.
[3] R. J. T. Joeri de Ruiter and T. Chothia, "A formal security analysis of ERTMS train to trackside protocols," Reliability, Safety, and Security of Railway Systems - Modelling, Analysis, Verification, and Certification, pp. 53–68, 2016.
[4] UIC, "2005 UIC Code 518 OR: Testing and approval of railway vehicles from the point of view of their dynamic behaviour, safety, track fatigue, ride quality."
[5] A. Faivre, A. Lapitre, A. Lanusse et al., "Two methods for modeling and verification of safety properties of railway infrastructures," in Proceedings of the International Conference on Industrial Engineering and Systems Management, IEEE IESM 2015, pp. 48–54, Spain, October 2015.
[6] M. Franekova, K. Rastocn, A. Janota, and P. Chrtiansky, "Safety analysis of cryptography mechanisms used in GSM for railway," Annals of the Faculty of Engineering Hunedoara, vol. 9, no. 1, p. 207, 2011.
[7] L. J. Valdivia, I. Adin, S. Arrizabalaga, J. Anorga, and J. Mendizabal, "Cybersecurity-The Forgotten Issue in Railways: Security Can Be Woven into Safety Designs," IEEE Vehicular Technology Magazine, vol. 13, no. 1, pp. 48–55, 2018.
[8] G. Hatzivasilis, I. Papaefstathiou, and C. Manifavas, "Real-time management of railway CPS: secure administration of IoT and CPS infrastructure," in Proceedings of the 6th Mediterranean Conference on Embedded Computing, MECO 2017, Montenegro, June 2017.
[9] U. SUBSET-026-2, "ERTMS/ETCS system requirements specification, chapter 2: basic system description," Tech. Rep., 2014.
[10] C. Manifavas, G. Hatzivasilis, K. Fysarakis, and Y. Papaefstathiou, "A survey of lightweight stream ciphers for embedded systems," Security and Communication Networks, vol. 9, no. 10, pp. 1226–1246, 2016.
[11] U. SUBSET-037, ERTMS/ETCS EuroRadio FIS, Tech. Rep.
[12] E. Masson and C. Gransart, "Cyber Security for Railways – A Huge Challenge – Shift2Rail Perspective," in Proceedings of the Communication Technologies for Vehicles, 12th International Workshop, Nets4Cars/Nets4Trains/Nets4Aircraft '17, pp. 97–104, Toulouse, France.
[13] R. B. I. Gashi, R. Bloomfield, and R. Stroud, "How secure is ERTMS?" Computer Safety, Reliability, and Security: SAFECOMP 2012 Workshops, in Proceedings of the SAFECOMP 2012 Workshops: Sassur, ASCoMS, DESEC4LCCI, ERCIM/EWICS, IWDE, pp. 247–258, Magdeburg, Germany, 2012.
[14] I. Lopez and M. Aguado, "Cyber security analysis of the European train control system," IEEE Communications Magazine, vol. 53, no. 10, pp. 110–116, 2015.
[15] E. Biham, "How to forge DES-encrypted messages in $2^{28}$ steps," Tech. Rep., Technion Computer Science Department, 1996.
[16] F. Pepin and M. G. Vigliotti, "Risk assessment of the 3DES in ERTMS," Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Preface, vol. 9707, pp. 79–92, 2016.
[17] T. Chothia, M. Ordean, J. De Ruiter, and R. J. Thomas, "An Attack against message authentication in the ERTMS train to trackside communication protocols," in Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security, ASIA CCS 2017, pp. 743–756, United Arab Emirates, April 2017.
[18] R. Networks, "OpenBTS," 2018, http://openbts.org.
[19] E. Research, "USRP N210," 2018, http://www.ettus.com/product/details/UN210-KIT.
[20] Digium, "Asterisk," http://www.asterisk.org.
[21] Sysmocom, "sysmoUSIM-SJS1 SIM card," 2018, http://www.sysmocom.de/products/sysmousim-sjs1-sim-usim.
[22] "OpenLTE," 2018, http://sourceforge.net/p/openlte/wiki/Installing.
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
Security and Communication Networks 7
register server but a simple encryptionmethod basedon TMSI is used
(iii) AUTH type 0 full authentication The SIM card isfull authenticated in OpenBTS and therefore 119870
119894 keyis provided to the authentication server and usedfor the encryption The 119870119894 is a 128-bit value usedto authenticate the SIMs on a GSM mobile networkEach SIM holds a unique and secret Ki assigned bythe operatorThis authentication method uses properGSM encryption over the network
The other servers in OpenBTS are SMQueue and Aster-isk as it has been pointed out before While the SMQueueprocesses SIP message requests that OpenBTS generateswhen a handset sends an SMS Asterisk is a VoIP switchresponsible for handling SIP INVITE requests establishingthe individual logs of the call and connecting them together[20]
The hardware part of the OpenBTS software is a SDRUSRP N210 in our case with two GSM antennas to createthe network USRPN210 has been chosen because it supportsGSM-R networks and provides high-bandwidth and a high-dynamic range processing capability
The train in the framework will be simulated with a PCa Modem and a programmable SIM card A programmableSIM card [21] is needed because it is necessary to know the119870119894key of the SIM card in order to get the full authentication inOpenBTS and use a GSM encryption over the network TheModem will be used for being able to connect the PC to theGSM network
Finally the attacker that will perform the eavesdroppingattack in Figure 7 will be supplied by a TDT-SDR It is a SDRthat captures the traffic in the GSM network together withthe Universal Radio Hacker (URH) software With this SDRwe will be able to investigate the wireless protocol and withthe rainbow tables we will be able to get the A51 keys usedin the communication between the train and the real ControlCentre Thus since the SIM card we use has a programmable119870119894 we will be able to configure the same A51 key and
therefore once we force the train to connect to the maliciousControl Centre we will be able to decrypt the sent messages
As mentioned before our framework is composed ofOpenBTS and USRP N210 and therefore since we use theOpenBTS software we are able just to create GSM-R andGPRS networks In the case railway networks evolve to LTE(Long Term Evolution) network we could use OpenLTEopen source project [22] but this project cannot be used inthe hardware USRP N210 because of clock incompatibilityreasons Therefore a sample rate conversion on the hostwould have to be done in the USRP
42 Specification of the Procedure The flow chart that thisattack follows is described in Figure 8 As can be seen afterinstalling the framework we are able to get the data fromthe train to the real Control Centre This traffic is cipheredby A51 Since we have the rainbow tables in the attackerperforming the eavesdropping attack we are able to decryptthe messages on GSM level
The attack in the EuroRadio protocol will be performedagainst the DES KSMAC key and will be a Meet-in-the-Middle attack In this attack all possible keys are tested
Since all the messages that are exchanged between thetrain and the RBC in ERTMS are defined in [11] we assumethat we are able to obtain a known plain-text and a cipher-textpair (1198751 1198621) The Meet-in-the-Middle (MTM) attack with inciphers like 119862 = DES(1198701DES(1198702 119875)) works as follows
We build a list containing the pair (1198681 1198701) for everypossible value of119870
1 256 for DES The 119868
1values will be gotten
by brute force 1198681= DES(119870
1 1198751)
On the other hand we will obtain 1198682values by performing
1198682= DESminus1(119870
2 1198621) This operation is performed until the 119868
2
value matches a 1198681value that is stored in the table
In order to be sure that the computed keys are correct itis possible to obtain another known plain-text and a cipher-text pair (119875
1 1198621) and calculate 119862 = DES(119870
1DES(119870
2 1198752)) If
C and1198622are equal it means the we have find the correct keys
In triple-DES systemswhere there are three different keysthe ciphers work following the next relation
119862 = DES (1198701DESminus1 (1198702DES (119870
3 119875))) (2)
For the Meet-in-the-Middle attack in triple-DESwith three different keys we define DES(119870
2 119875) =
DESminus1(1198702DES(1198703 119875)) so we just need to apply thisfor the calculation of 1198681
The calculation of 1198681 needs 2112 operations because itis a double-application of DES and on the other handthe calculation of 1198682 needs 256 operations Thus the attackrequires 2112 + 256 asymp 2112 operations
Afterwards if we are able to calculate the three keys weare going to obtain119870
119878= (1198701198781 1198701198782 1198701198783) we need to calculate
the time we need for performing the whole attack as Figure 8describes With the measured time we know whether thisattack could be performed in real time or not
In the case the attack can be performed in real time thatis if all the keys are obtained during the operation of the trainthese keys could be used to carry out different attacks thatinvolve the identity theft of the train or the RBCThe attackerfor instance could pass himself off as the RBC in order tosend false movement authorities to the train On the otherhand the attacker could also falsify the trains position controlthat is made by the RBC in ERTMS level 3 by sending falseposition information to the RBC while he impersonates thetrain All this false information created by the attacker couldinvolve the collision between different trains
The results obtainedwith the frameworkwill help in look-ing for countermeasures since the fact of acquiring the keysin real time means A51 and 3DES security mechanisms arenot strong enough for railway environments In consequencethose mechanisms should be enforced or changed in orderto continue using ERTMS systems in a secure manner Apossible countermeasure for the system could be to updatethe 3DES security mechanism to a more secure system suchas AES since AES uses larger block sizes and longer keysTherefore it will be more costly to perform the attack in realtime In fact 3DES keys length is 112 or 156 bits whereasin AES the length of the keys is variable 128 192 or 256
8 Security and Communication Networks
Start
Mount theframework
Start to get data inthe TDT-SDR
Able to decryptA51
Able to decryptEuroRadio
Able to do it inreal time
Apply the rainbowtables to decrypt
A51
Perform an attackto EuroRadio
protocol
YES
Calculate theneeded time toperform all the
attacks
YES
END
Verify if the rainbowtables are correctly
looked
Are theycorrectlylooked
Verify if the attack iscorrectly done
Is it correctlydone
NO
Verify if theframework is
correctly mounted
Is it correctlymounted
YES
NO
Make conclusions
YES NO
YES
NO
Verify if theframework is
correctly mounted
Is it correctlymounted
YES
YES
NO
Figure 8 Flow chart of the process
Security and Communication Networks 9
bits However the use of AES should be first evaluated by theframework presented in Figure 7
5 Conclusions and Future Work
Different vulnerabilities in the security mechanisms of theERTMS system have been described in this article but evenif they are identified without an attacking framework we donot know whether they are exploitable in practice or not Inconsequence the presented framework will give informationabout the exploitability of the A51 and 3DES security mech-anisms and therefore will determine if countermeasuresshould be applied to improve the security of the system ornot Moreover the resulting information of the frameworkwill constitute the basis of the countermeasures that shouldbe applied to the system
Conflicts of Interest
The authors declare that they have no conflicts of interest
Acknowledgments
This research work was supported by the Spanish Gov-ernment through the SAREMSIG TEC2013-47012-C2-1-Rproject Proyectos de I+D+I Retos Investigacion 2013 andby the Cyber Security on Rails project with ConstruccionesAuxiliar de Ferrocarriles Investigacion y Desarrollo SL2015-2016
References
[1] U P Winter Compendium on ERTMS Eurail press 2009[2] M Kalenderi D Pnevmatikatos I Papaefstathiou and C
Manifavas ldquoBreaking the GSM A51 cryptography algorithmwith rainbow tables and high-end FPGAsrdquo in Proceedings of the22nd International Conference on Field Programmable Logic andApplications FPL 2012 pp 747ndash753 nor August 2012
[3] R J T Joeri de Ruiter andT Chothia ldquoA formal security analysisof ertms train to trackside protocolsrdquo Reliability Safety andSecurity of Railway Systems - Modelling Analysis Verificationand Certification pp 53ndash68 2016
[4] UIC ldquo2005 UIC Code 518 OR Testing and approval of railwayvehicles from the point of view of their dynamic behavioursafety track fatigue ride qualityrdquo
[5] A Faivre A Lapitre A Lanusse et al ldquoTwo methods formodeling and verification of safety properties of railway infras-tructuresrdquo in Proceedings of the International Conference onIndustrial Engineering and Systems Management IEEE IESM2015 pp 48ndash54 esp October 2015
[6] M Franekova K Rastocn A Janota and P Chrtiansky ldquoSafetyanalysis of cryptography mechanisms used in gsm for railwayrdquoAnnals of the Faculty of Engineering Hunedoara vol 9 no 1 p207 2011
[7] L J Valdivia I Adin S Arrizabalaga J Anorga and JMendizabal ldquoCybersecurity-The Forgotten Issue in RailwaysSecurity Can Be Woven into Safety Designsrdquo IEEE VehicularTechnology Magazine vol 13 no 1 pp 48ndash55 2018
[8] G Hatzivasilis I Papaefstathiou and C Manifavas ldquoReal-timemanagement of railway CPS secure administration of IoT and
CPS infrastructurerdquo in Proceedings of the 6th MediterraneanConference on Embedded Computing MECO 2017 mne June2017
[9] U SUBSET-026-2 ldquoErtmsetcs system requirements specifica-tion chapter 2 basic system descriptionrdquo Tech Rep 2014
[10] C Manifavas G Hatzivasilis K Fysarakis and Y Papaefs-tathiou ldquoA survey of lightweight stream ciphers for embeddedsystemsrdquo Security and Communication Networks vol 9 no 10pp 1226ndash1246 2016
[11] U SUBSET-037 Ertmsetcs euroradio fis tech rep[12] E Masson and C Gransart ldquoCyber Security for Railways ndash
A Huge Challenge ndash Shift2Rail Perspectiverdquo in Proceedings ofthe Communication Technologies for Vehicles 12th InternationalWorkshop Nets4CarsNets4TrainsNets4Aircraft rsquo17 pp 97ndash104Toulouse France
[13] R B I Gashi R Bloomflied and R Stroud ldquoHow secure isertms Computer Safety Reliability and Security SAFECOMP2012Workshopsrdquo in Proceedings of the SAFECOMP 2012 Work-shops Sassur ASCoMS DESEC4LCCI ERCIMEWICS IWDEpp 247ndash258 Magdeburg Germany 2012
[14] I Lopez and M Aguado ldquoCyber security analysis of the Euro-pean train control systemrdquo IEEE Communications Magazinevol 53 no 10 pp 110ndash116 2015
[15] E Biham ldquoHow to forge des-encrypted messages in 228 stepsrdquoTech Rep Technion Computer Science Department 1996
[16] F Pepin and M G Vigliotti ldquoRisk assessment of the 3des inERTMSrdquo Lecture Notes in Computer Science (including subseriesLecture Notes in Artificial Intelligence and Lecture Notes inBioinformatics) Preface vol 9707 pp 79ndash92 2016
[17] T Chothia M Ordean J De Ruiter and R J Thomas ldquoAnAttack against message authentication in the ERTMS trainto trackside communication protocolsrdquo in Proceedings of the2017 ACM Asia Conference on Computer and CommunicationsSecurity ASIA CCS 2017 pp 743ndash756 are April 2017
[18] R Networks ldquoOpenbtsrdquo 2018 httpopenbtsorg[19] E Research ldquoUsrp n210rdquo 2018 httpwwwettuscomproduct
detailsUN210-KIT[20] Digium ldquoAsteriskrdquo httpwwwasteriskorg[21] Sysmocom ldquosysmousim-sjs1 sim cardrdquo 2018 httpwwwsys-
mocomdeproductssysmousim-sjs1-sim-usim[22] ldquoOpenlterdquo 2018 httpsourceforgenetpopenltewikiInstalling
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
8 Security and Communication Networks
Start
Mount theframework
Start to get data inthe TDT-SDR
Able to decryptA51
Able to decryptEuroRadio
Able to do it inreal time
Apply the rainbowtables to decrypt
A51
Perform an attackto EuroRadio
protocol
YES
Calculate theneeded time toperform all the
attacks
YES
END
Verify if the rainbowtables are correctly
looked
Are theycorrectlylooked
Verify if the attack iscorrectly done
Is it correctlydone
NO
Verify if theframework is
correctly mounted
Is it correctlymounted
YES
NO
Make conclusions
YES NO
YES
NO
Verify if theframework is
correctly mounted
Is it correctlymounted
YES
YES
NO
Figure 8 Flow chart of the process
Security and Communication Networks 9
bits However the use of AES should be first evaluated by theframework presented in Figure 7
5 Conclusions and Future Work
Different vulnerabilities in the security mechanisms of theERTMS system have been described in this article but evenif they are identified without an attacking framework we donot know whether they are exploitable in practice or not Inconsequence the presented framework will give informationabout the exploitability of the A51 and 3DES security mech-anisms and therefore will determine if countermeasuresshould be applied to improve the security of the system ornot Moreover the resulting information of the frameworkwill constitute the basis of the countermeasures that shouldbe applied to the system
Conflicts of Interest
The authors declare that they have no conflicts of interest
Acknowledgments
This research work was supported by the Spanish Gov-ernment through the SAREMSIG TEC2013-47012-C2-1-Rproject Proyectos de I+D+I Retos Investigacion 2013 andby the Cyber Security on Rails project with ConstruccionesAuxiliar de Ferrocarriles Investigacion y Desarrollo SL2015-2016
References
[1] U P Winter Compendium on ERTMS Eurail press 2009[2] M Kalenderi D Pnevmatikatos I Papaefstathiou and C
Manifavas ldquoBreaking the GSM A51 cryptography algorithmwith rainbow tables and high-end FPGAsrdquo in Proceedings of the22nd International Conference on Field Programmable Logic andApplications FPL 2012 pp 747ndash753 nor August 2012
[3] R J T Joeri de Ruiter andT Chothia ldquoA formal security analysisof ertms train to trackside protocolsrdquo Reliability Safety andSecurity of Railway Systems - Modelling Analysis Verificationand Certification pp 53ndash68 2016
[4] UIC ldquo2005 UIC Code 518 OR Testing and approval of railwayvehicles from the point of view of their dynamic behavioursafety track fatigue ride qualityrdquo
[5] A Faivre A Lapitre A Lanusse et al ldquoTwo methods formodeling and verification of safety properties of railway infras-tructuresrdquo in Proceedings of the International Conference onIndustrial Engineering and Systems Management IEEE IESM2015 pp 48ndash54 esp October 2015
[6] M Franekova K Rastocn A Janota and P Chrtiansky ldquoSafetyanalysis of cryptography mechanisms used in gsm for railwayrdquoAnnals of the Faculty of Engineering Hunedoara vol 9 no 1 p207 2011
[7] L J Valdivia I Adin S Arrizabalaga J Anorga and JMendizabal ldquoCybersecurity-The Forgotten Issue in RailwaysSecurity Can Be Woven into Safety Designsrdquo IEEE VehicularTechnology Magazine vol 13 no 1 pp 48ndash55 2018
[8] G Hatzivasilis I Papaefstathiou and C Manifavas ldquoReal-timemanagement of railway CPS secure administration of IoT and
CPS infrastructurerdquo in Proceedings of the 6th MediterraneanConference on Embedded Computing MECO 2017 mne June2017
[9] U SUBSET-026-2 ldquoErtmsetcs system requirements specifica-tion chapter 2 basic system descriptionrdquo Tech Rep 2014
[10] C Manifavas G Hatzivasilis K Fysarakis and Y Papaefs-tathiou ldquoA survey of lightweight stream ciphers for embeddedsystemsrdquo Security and Communication Networks vol 9 no 10pp 1226ndash1246 2016
[11] U SUBSET-037 Ertmsetcs euroradio fis tech rep[12] E Masson and C Gransart ldquoCyber Security for Railways ndash
A Huge Challenge ndash Shift2Rail Perspectiverdquo in Proceedings ofthe Communication Technologies for Vehicles 12th InternationalWorkshop Nets4CarsNets4TrainsNets4Aircraft rsquo17 pp 97ndash104Toulouse France
[13] R B I Gashi R Bloomflied and R Stroud ldquoHow secure isertms Computer Safety Reliability and Security SAFECOMP2012Workshopsrdquo in Proceedings of the SAFECOMP 2012 Work-shops Sassur ASCoMS DESEC4LCCI ERCIMEWICS IWDEpp 247ndash258 Magdeburg Germany 2012
[14] I Lopez and M Aguado ldquoCyber security analysis of the Euro-pean train control systemrdquo IEEE Communications Magazinevol 53 no 10 pp 110ndash116 2015
[15] E Biham ldquoHow to forge des-encrypted messages in 228 stepsrdquoTech Rep Technion Computer Science Department 1996
[16] F Pepin and M G Vigliotti ldquoRisk assessment of the 3des inERTMSrdquo Lecture Notes in Computer Science (including subseriesLecture Notes in Artificial Intelligence and Lecture Notes inBioinformatics) Preface vol 9707 pp 79ndash92 2016
[17] T Chothia M Ordean J De Ruiter and R J Thomas ldquoAnAttack against message authentication in the ERTMS trainto trackside communication protocolsrdquo in Proceedings of the2017 ACM Asia Conference on Computer and CommunicationsSecurity ASIA CCS 2017 pp 743ndash756 are April 2017
[18] R Networks ldquoOpenbtsrdquo 2018 httpopenbtsorg[19] E Research ldquoUsrp n210rdquo 2018 httpwwwettuscomproduct
detailsUN210-KIT[20] Digium ldquoAsteriskrdquo httpwwwasteriskorg[21] Sysmocom ldquosysmousim-sjs1 sim cardrdquo 2018 httpwwwsys-
mocomdeproductssysmousim-sjs1-sim-usim[22] ldquoOpenlterdquo 2018 httpsourceforgenetpopenltewikiInstalling
bits. However, the use of AES should first be evaluated by the framework presented in Figure 7.
5 Conclusions and Future Work
Different vulnerabilities in the security mechanisms of the ERTMS system have been described in this article, but even if they are identified, without an attacking framework we do not know whether they are exploitable in practice or not. In consequence, the presented framework will give information about the exploitability of the A5/1 and 3DES security mechanisms and therefore will determine if countermeasures should be applied to improve the security of the system or not. Moreover, the resulting information of the framework will constitute the basis of the countermeasures that should be applied to the system.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Acknowledgments
This research work was supported by the Spanish Government through the SAREMSIG TEC2013-47012-C2-1-R project, Proyectos de I+D+I Retos Investigacion 2013, and by the Cyber Security on Rails project with Construcciones Auxiliar de Ferrocarriles Investigacion y Desarrollo SL, 2015-2016.