A Framework for Vulnerability Detection in European Train ...SecurityandCommunicationNetworks...

Research ArticleA Framework for Vulnerability Detection in European TrainControl Railway Communications

Irene Arsuaga 1 Nerea Toledo 1 Igor Lopez 2 and Marina Aguado 1

1Department of Communication Engineering University of the Basque Country (UPVEHU) Alameda Urquijo sn48013 Bilbao Spain2Research amp Development Department Construcciones y Auxiliar de Ferrocarriles (CAF) J M Iturrioz 26 20200 Beasain Spain

Correspondence should be addressed to Nerea Toledo nereatoledoehueus

Received 17 November 2017 Accepted 22 February 2018 Published 15 May 2018

Academic Editor Prem Mahalik

Copyright copy 2018 Irene Arsuaga et al This is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

Railway systems have evolved considerably in the last years with the adoption of new communication technologies Aimingto achieve a single European railway network the European Rail Traffic Management System (ERTMS) emerged in Europe tosubstitute multiple and noninteroperable national railway communication systems This system and its security strategies weredesigned in late 1990s Recent works have identified vulnerabilities related to integrity authenticity availability and confidentialityIn the context of defining effective countermeasures to mitigate potential vulnerabilities these vulnerabilities have to be analysedIn this article we introduce a framework that attempts to challenge ERTMS security by evaluating the exploitability of thesevulnerabilities

1 Introduction

The increased needs of transportation in a common marketand the lack of interoperability between different railwayoperational styles in Europe brought up the need for acommon rail management system in Europe In the mid-1980s the railway community began to search for a com-mon European operation management for railways calledEuropean Rail TrafficManagement System (ERTMS) [1]Thissolution was created to substitute the heterogeneous nationaltrain control landscape scenario

The ERTMS communications are radio based communi-cations and thus wireless systems are used to transmit themovement authorities from the Radio Block Centre (RBC)the entity in charge of managing trains operation to thetrains Up to now the wireless communication technologyin use is the GSM-R (Global System for Mobile Railways) aspecific version of GSM devoted to railway communications

In order to guarantee the security of the communicationsthe GSM-R network has to ensure several security propertiesOn the one hand the data transmitted should be keptconfidential Moreover the data should not be changed byan attacker before arriving to the train to ensure that the

train does not receive fake movement authorities On theother hand the communication network should be alwaysavailable for the exchange of needed messages That is thenetwork has to ensure the CIA triad confidentiality integrityand availability which is a widely known model designed toguide information security policies within an organizationand represents the most crucial security properties Sincesafety is one of the most critical issues to be addressed inthe railway context in this work we focus on train movementauthorization message exchanges so our primary concern isdata integrity even if availability and confidentiality will alsobe affected

With the goal of guaranteeing data confidentiality andintegrity different encryption systems are used in the differ-ent communication layers For GSM and also for GSM-RA51 encryption system is used In addition the EuroRadioprotocol is used to ensure the authenticity and the integrity ofthe communications However it has been proved that bothprotocols have vulnerabilities [2 3]

Finally it should be taken into account that radiojamming devices could jam block or interference wirelesscommunications being able to break the availability of thenetwork

HindawiSecurity and Communication NetworksVolume 2018 Article ID 5634181 9 pageshttpsdoiorg10115520185634181

2 Security and Communication Networks

Apart from the aforementioned lack of security of GSM-R and EuroRadio it is necessary to point out the evolutionof the railway communications in the last years Althoughin recent past railway systems were close systems recentlya new trend of connecting all the elements of the railwaynetwork to the Internet is getting relevanceThis fact results inexposing railway communications to intrinsic vulnerabilitiesof Internet and thus challenging the security in thesescenarios

Due to the easiness of not fulfilling the security propertiesdefined in the CIA triad the railway context can be consid-ered a hostile environment and hence safety and security aredemanded in these networks

Many efforts have been done to provide safety in therailway scenario [4ndash6] but security is an emerging demandand even if different research efforts have also been donefor providing secure railway communications [7 8] thereare still several limitations Moreover methodologies used insafety analysis based on probabilistic hazards are not validfor it That is it is not feasible to calculate when an attackerwill detect a vulnerability andor exploit it Therefore it isnecessary to design a vulnerability detection system in orderto try to avoid the exploitation of those vulnerabilities bymeans of defining countermeasures

Our contribution focuses on presenting a frameworkthat will be able to exploit the vulnerabilities of the ERTMSsystem regarding integrity and authenticity By means of thisframework it will be possible to know if this attack can bedone in real time or not

The article is organized as follows in Section 2 wedescribe the ERTMS protocol and analyse why the railwaycontext is a hostile environment In Section 3 we analyse thework done relating to this topic We describe our frameworkin Section 4 emphasising the benefits of having a frameworkthat attacks different vulnerabilities describing it with thelimitations that it has and finally describing the process wewill follow to know if the described attack could succeed inreal time then we conclude in Section 5

2 Overview of ERTMS

The ERTMS is composed of two elements (1) the EuropeanTrain Control System (ETCS) for the signalling and (2) theGSM-R for the communication

21 ETCS TheETCShas a great variety of possible configura-tions in the signalling equipment used on the existing or newlines Because of this ETCS has been conceived with severalapplication levels 0 NTC (national train control) which isthe former STM (specific transmission module) 1 2 and 3Next the different ETCS levels are described

211 ETCS Level 0 ETCS level 0 covers the operation ofETCS equipped trains on lines that are not equipped withETCS or national systems On this lines lineside signals areused to givemovement authorities to the trainsThis level hasbeen defined to ensure the proper transition between ETCS

equipped and nonequipped trainsThe operation of this levelis shown in Figure 1

212 ETCS Level NTC ETCS level NTC is used to runETCS equipped trains on lines equipped with national traincontrol and speed supervision systems The train controlinformation that is generated trackside by the national traincontrol system is transmitted to the train via the communi-cation channels of the underlying national system and trans-formed onboard into information interpretable by ETCSDepending on the functionality and the configuration of thespecific national system installed onboard the ERTMSETCSonboard system may need to be interfaced to it in order toperform the transitions fromto the national system andor inorder to give access to ERTMSETCS onboard resourcesThiscan be achieved through a device called STM The operationin this level is presented in Figure 2

213 ETCS Level 1 In the application ETCS level 1 ETCSis overlaid to the traditional signalling equipment The trainposition is detected by the traditional trackside deviceswhich are linked to the interlocking through the inter-face Lineside Encoder Unit (LEU) The interlocking is thewayside equipment control Lineside signals are kept anddata is transmitted to the onboard equipment by meansof Eurobalises which are transponders placed between therails of the railways The operation of this level is shown inFigure 3

214 ETCS Level 2 In application level 2 GSM-R radiois used to exchange data between the RBC and the trainsEuroRadio protocol is implemented in these communicationchannels which is based on a 3DES cryptographic systemMovement authorities to the trains are sent via this channeland besides a continuous speed supervision is made For thiscommunication the Base Transceiver Station (BTS) of theControl Centre communicates with the onboard unit (OBU)of the onboard equipment

However the train detection is performed by the track-side equipment so it is out of the scope of ERTMSETCS Inthis level lineside signals could be suppressedThe operationis described in Figure 4

215 ETCS Level 3 Finally the operation level 3 is a radiobased train control system Movement authorities are gener-ated trackside and transmitted to the train via EuroRadio asin level 2 but in this level train position is also performedby the trackside RBC Eurobalises are just used for locationreferencing Lineside signals could be suppressed in this leveltoo The operation is described in Figure 5

22 GSM-R During the course of their standardizationactivities the UNISIG group realized that in order to ensuresecurity of the railways in GSM certain spectrum bandsneeded to be allocated However GSM could not fulfil allthe requirements needed for an efficient railway service andtherefore some specific functional features were added to theGSM specifications

Security and Communication Networks 3

ETCS

end of track segment

Figure 1 ETCS level 0 operation [9]

ETCS


STM

existing national system

Optionaldepending onnationalsystem

Figure 2 ETCS level NTC operation based on [9]

ETCS

Interlocking

Eurobalise end of track segment

LEU



ETCS

OBU

BTS

Radio Block Centre

Interlocking


Optional

Figure 4 ETCS level 2 operation based on [9]

ETCS

Interlocking

Eurobalise

Radio Block Centre

trainintegrity


The frequencies allocated in Europe for GSM-R areclose to the GSM 900 band of the public operators A4MHz spectrum with 19 frequencies is available for thesecommunications

In order to guarantee the confidentiality of the networkthe A51 stream cipher is used in GSM (and GSM-R)networks A stream cipher is a symmetric key cipher whereplain-text digits are combined with a key stream

23 Integrity and Authenticity in ERTMS From the secondlevel ETCS integrity and authenticity in ERTMS are accom-plished with two different security mechanisms A51 forGSM-R and EuroRadio for ETCS This is the target level ofour framework

Regarding A51 even if at the beginning the encryptionsystem was kept in secret it became public knowledgethrough leaks and reverse engineering [2] A number of


serious weaknesses in the cipher were identified [10] Hencerainbow tables able to decrypt encrypted messages are avail-able on the Internet

On the other hand the EuroRadio protocol uses 3DESkeys to encrypt the messages [11] The keys used in the com-munications (KTRANS K-KMC KMAC and KSMAC) arecreated by the KMC entity with the exception of the sessionkey KSMAC The KTRANS and K-KMC keys are transportkeys used to ensure the safe distribution of the KMAC keysfrom the KMC to ERTMS entities This distribution is madeoff-line this means it requires personnel to manually deliverthe messages

The KMAC key is used in the session establishmentprocess to negotiate the KSMAC session key between ERTMSentities Three messages are exchanged between the ERTMSentities in this phase for the authentication of both entitiesand the key generation In thesemessages119877

119860and119877

119861random

numbers are sent which are used for computing the KSMACkey together with the KMAC key Considering KSMAC =119870119878= 1198701198781 1198701198782 1198701198783 the three 64-bit DES keys 119870

1198781 1198701198782 and

1198701198783are calculated according to the following formulas

1198701198781= MAC (119877

119860

119871 | 119877119861

119871 119870119860119861)

= DES (1198703DES

minus1 (1198702DES (1198701 119877119860119871 | 119877119861

119871)))

1198701198782= MAC (119877

119860

119877 | 119877119861

119877 119870119860119861)

= DES (1198703DES

minus1 (1198702DES (1198701 119877119860119877 | 119877119861

119877)))

1198701198783= MAC (119877

119860

119871 | 119877119861

119871 1198701015840119860119861)

= DES (1198701DESminus1 (119870

2DES (119870

3 119877119860

119871 | 119877119861

119871)))

(1)

where 119871 means left and 119877 means right and therefore 119877119860=

119877119860

119871 | 119877119860

119877 and 119877119861= 119877119861

119871 | 119877119861

119877The calling entity (119861) creates a 119877

119861random number and

sends it to the called entity (119860) in plain text Consequentlythe 119860 entity creates a 119877

119860random number and computes the

KSMAC key with both random numbers and the KMACAfterwards the 119860 entity sends the created 119877

119860random

number and a CBC-MAC code computed with the KSMACand both random numbers to the 119861 entity Finally the 119861entity computes the KSMAC key and verifies that it is correctcreating also a CBC-MAC with it which is sent to the 119860entity for the complete authentication Random numbers areexchanged in plain text and thus an attacker could savethem

3 Related Work

A lot of research and innovation projects are being completedwith the funds of the European Union regarding the cyber-security in railways Some of those projects are described in[12]

Different analyses of the ERTMS protocolrsquos security havealso been done These analyses have pointed out vulner-abilities that the ERTMS cryptographic mechanisms haveA high-level security analysis of ERTMS is made in [13]

but does not present the vulnerabilities of the EuroRadioprotocol that will be exploited with this framework Differentvulnerabilities of the EuroRadio protocol are pointed outin [3] by performing an analysis of it with the ProVeriftool These vulnerabilities include for instance the abilityof including high-priority messages or deletion of messagessince the session establishment process does not use time-stamps and therefore these messages could be replicated Inthis case once the session is established the train does notverify the identity of the RBC anymore so a vulnerability thatcould be exploited exists

Additionally [14] pointed out that since the distribu-tion of the KMAC key is made off-line and this requirespersonnel to manually deliver the keys from the KMC tothe ERTMS entities many operators decide to simplify theprocess by using the same KMAC for large train fleetsamplifying the risk of having an attack Therefore if theattack is performed during the session establishment processand the same key is shared between different parties thewhole system could be compromised an attacker couldtake the identity of many trains in other session establish-ments

On the other hand [15] pointed out the ability ofmaking akey collision attack to DES and [16] described how a Related-Key Attack (RKA) can be done in ERTMS A method fordoing these two attacks in ERTMS networks is presented in[17] and concludes that the EuroRadio protocol is not secureif large amounts of data and therefore long session lengthsare used Thus the Meet-in-the-Middle attack presented inthis article could be more feasible

However all of these analyses present vulnerabilities ofthe protocols used in ERTMS but do not describe howthese vulnerabilities could be exploited in order to later findcountermeasures for those vulnerabilities This paper willcontribute by presenting a framework that describes how anattack could be performed and figuring out if it is feasible todo it in real time

4 Proposed Method forVulnerability Detection

In this section we present our framework and themethod forvulnerability detection describing also its limitations Finallythe process we will follow to know if an attack could besuccessful in real time is described

41 Description of the Framework and Limitations The sce-nario that this framework will consider is shown in Figure 6The train is used to connect to the Control Centre in orderto receive movement authorities but first the train sends aposition report to the Control Centre

In the scenario that we are considering we force the trainto connect to the malicious Control Centre instead of thereal one but before doing this we calculate the keys used inthe communication between the train and the RBC with theattacker presented in Figure 7

Once we have gotten the keys and forced the train toconnect to our malicious Control Centre the position report


TrainControl Center

USRP ndash MaliciousControl Center

Figure 6 Scenario

RBC(industrial PC) OpenBTS

SIPAuthServe SMQueue Asterix

USRP Modem

SIM Card

OBU(industrial PC)

TDT-SDR

Malicious Control Centre

Train

Attacker(eavesdropping)

RBC

Control Centre

Figure 7 Framework

that the train sends will arrive to the malicious Control Cen-tre This position report is encrypted by different encryptionsystems in different levels but in this point we have alreadyobtained the keys used in the communication and thereforewe are able to decrypt the message Accordingly we are ableto change the position report and send it to the real ControlCentre by taking the identity of the trainTheControl Centrereceives the fake message and creates a movement authoritydepending on the position report which is sent to the train

The framework we have considered is described in Fig-ure 7 It is composed of the malicious Control Centre thetrain an attacker that will eavesdrop and the real ControlCentre

Themalicious Control Centre is formed by the false RBCwhich will be an industrial PC the OpenBTS (Open BaseTransceiver Station) software [18] which is composed of the

SIPAuthServe SMQueue and Asterix servers and the USRPN210 Software Defined Radio (SDR) [19]

The OpenBTS is a software-based GSM access pointallowing standard GSM-compatible mobile phones to beused as SIP endpoints in Voice over IP (VoIP) networksThe software controls the transceiver makes calls and sendsSMSs The SIPAuthServe is the server that processes SIPregister requests that OpenBTS generates when a handsetattempts to join the GSM network It supports three types ofauthentication

(i) AUTH type 2 unauthenticated The handset is con-nected to the OpenBTS network but it does not existin the register server

(ii) AUTH type 1 cached authentication The handset isconnected to the network and it does exist in the


register server but a simple encryptionmethod basedon TMSI is used

(iii) AUTH type 0 full authentication The SIM card isfull authenticated in OpenBTS and therefore 119870

119894 keyis provided to the authentication server and usedfor the encryption The 119870119894 is a 128-bit value usedto authenticate the SIMs on a GSM mobile networkEach SIM holds a unique and secret Ki assigned bythe operatorThis authentication method uses properGSM encryption over the network

The other servers in OpenBTS are SMQueue and Aster-isk as it has been pointed out before While the SMQueueprocesses SIP message requests that OpenBTS generateswhen a handset sends an SMS Asterisk is a VoIP switchresponsible for handling SIP INVITE requests establishingthe individual logs of the call and connecting them together[20]

The hardware part of the OpenBTS software is a SDRUSRP N210 in our case with two GSM antennas to createthe network USRPN210 has been chosen because it supportsGSM-R networks and provides high-bandwidth and a high-dynamic range processing capability

The train in the framework will be simulated with a PCa Modem and a programmable SIM card A programmableSIM card [21] is needed because it is necessary to know the119870119894key of the SIM card in order to get the full authentication inOpenBTS and use a GSM encryption over the network TheModem will be used for being able to connect the PC to theGSM network

Finally the attacker that will perform the eavesdroppingattack in Figure 7 will be supplied by a TDT-SDR It is a SDRthat captures the traffic in the GSM network together withthe Universal Radio Hacker (URH) software With this SDRwe will be able to investigate the wireless protocol and withthe rainbow tables we will be able to get the A51 keys usedin the communication between the train and the real ControlCentre Thus since the SIM card we use has a programmable119870119894 we will be able to configure the same A51 key and

therefore once we force the train to connect to the maliciousControl Centre we will be able to decrypt the sent messages

As mentioned before our framework is composed ofOpenBTS and USRP N210 and therefore since we use theOpenBTS software we are able just to create GSM-R andGPRS networks In the case railway networks evolve to LTE(Long Term Evolution) network we could use OpenLTEopen source project [22] but this project cannot be used inthe hardware USRP N210 because of clock incompatibilityreasons Therefore a sample rate conversion on the hostwould have to be done in the USRP

42 Specification of the Procedure The flow chart that thisattack follows is described in Figure 8 As can be seen afterinstalling the framework we are able to get the data fromthe train to the real Control Centre This traffic is cipheredby A51 Since we have the rainbow tables in the attackerperforming the eavesdropping attack we are able to decryptthe messages on GSM level

The attack in the EuroRadio protocol will be performedagainst the DES KSMAC key and will be a Meet-in-the-Middle attack In this attack all possible keys are tested

Since all the messages that are exchanged between thetrain and the RBC in ERTMS are defined in [11] we assumethat we are able to obtain a known plain-text and a cipher-textpair (1198751 1198621) The Meet-in-the-Middle (MTM) attack with inciphers like 119862 = DES(1198701DES(1198702 119875)) works as follows

We build a list containing the pair (1198681 1198701) for everypossible value of119870

1 256 for DES The 119868

1values will be gotten

by brute force 1198681= DES(119870

1 1198751)

On the other hand we will obtain 1198682values by performing

1198682= DESminus1(119870

2 1198621) This operation is performed until the 119868

2

value matches a 1198681value that is stored in the table

In order to be sure that the computed keys are correct itis possible to obtain another known plain-text and a cipher-text pair (119875

1 1198621) and calculate 119862 = DES(119870

1DES(119870

2 1198752)) If

C and1198622are equal it means the we have find the correct keys

In triple-DES systemswhere there are three different keysthe ciphers work following the next relation

119862 = DES (1198701DESminus1 (1198702DES (119870

3 119875))) (2)

For the Meet-in-the-Middle attack in triple-DESwith three different keys we define DES(119870

2 119875) =

DESminus1(1198702DES(1198703 119875)) so we just need to apply thisfor the calculation of 1198681

The calculation of 1198681 needs 2112 operations because itis a double-application of DES and on the other handthe calculation of 1198682 needs 256 operations Thus the attackrequires 2112 + 256 asymp 2112 operations

Afterwards if we are able to calculate the three keys weare going to obtain119870

119878= (1198701198781 1198701198782 1198701198783) we need to calculate

the time we need for performing the whole attack as Figure 8describes With the measured time we know whether thisattack could be performed in real time or not

In the case the attack can be performed in real time thatis if all the keys are obtained during the operation of the trainthese keys could be used to carry out different attacks thatinvolve the identity theft of the train or the RBCThe attackerfor instance could pass himself off as the RBC in order tosend false movement authorities to the train On the otherhand the attacker could also falsify the trains position controlthat is made by the RBC in ERTMS level 3 by sending falseposition information to the RBC while he impersonates thetrain All this false information created by the attacker couldinvolve the collision between different trains

The results obtainedwith the frameworkwill help in look-ing for countermeasures since the fact of acquiring the keysin real time means A51 and 3DES security mechanisms arenot strong enough for railway environments In consequencethose mechanisms should be enforced or changed in orderto continue using ERTMS systems in a secure manner Apossible countermeasure for the system could be to updatethe 3DES security mechanism to a more secure system suchas AES since AES uses larger block sizes and longer keysTherefore it will be more costly to perform the attack in realtime In fact 3DES keys length is 112 or 156 bits whereasin AES the length of the keys is variable 128 192 or 256


Start

Mount theframework

Start to get data inthe TDT-SDR

Able to decryptA51

Able to decryptEuroRadio

Able to do it inreal time

Apply the rainbowtables to decrypt

A51

Perform an attackto EuroRadio

protocol

YES

Calculate theneeded time toperform all the

attacks

YES

END

Verify if the rainbowtables are correctly

looked

Are theycorrectlylooked

Verify if the attack iscorrectly done

Is it correctlydone

NO

Verify if theframework is

correctly mounted

Is it correctlymounted

YES

NO

Make conclusions

YES NO

YES

NO


correctly mounted


YES

YES

NO

Figure 8 Flow chart of the process


bits However the use of AES should be first evaluated by theframework presented in Figure 7

5 Conclusions and Future Work

Different vulnerabilities in the security mechanisms of theERTMS system have been described in this article but evenif they are identified without an attacking framework we donot know whether they are exploitable in practice or not Inconsequence the presented framework will give informationabout the exploitability of the A51 and 3DES security mech-anisms and therefore will determine if countermeasuresshould be applied to improve the security of the system ornot Moreover the resulting information of the frameworkwill constitute the basis of the countermeasures that shouldbe applied to the system

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

This research work was supported by the Spanish Gov-ernment through the SAREMSIG TEC2013-47012-C2-1-Rproject Proyectos de I+D+I Retos Investigacion 2013 andby the Cyber Security on Rails project with ConstruccionesAuxiliar de Ferrocarriles Investigacion y Desarrollo SL2015-2016

References

[1] U P Winter Compendium on ERTMS Eurail press 2009[2] M Kalenderi D Pnevmatikatos I Papaefstathiou and C

Manifavas ldquoBreaking the GSM A51 cryptography algorithmwith rainbow tables and high-end FPGAsrdquo in Proceedings of the22nd International Conference on Field Programmable Logic andApplications FPL 2012 pp 747ndash753 nor August 2012

[3] R J T Joeri de Ruiter andT Chothia ldquoA formal security analysisof ertms train to trackside protocolsrdquo Reliability Safety andSecurity of Railway Systems - Modelling Analysis Verificationand Certification pp 53ndash68 2016

[4] UIC ldquo2005 UIC Code 518 OR Testing and approval of railwayvehicles from the point of view of their dynamic behavioursafety track fatigue ride qualityrdquo

[5] A Faivre A Lapitre A Lanusse et al ldquoTwo methods formodeling and verification of safety properties of railway infras-tructuresrdquo in Proceedings of the International Conference onIndustrial Engineering and Systems Management IEEE IESM2015 pp 48ndash54 esp October 2015

[6] M Franekova K Rastocn A Janota and P Chrtiansky ldquoSafetyanalysis of cryptography mechanisms used in gsm for railwayrdquoAnnals of the Faculty of Engineering Hunedoara vol 9 no 1 p207 2011

[7] L J Valdivia I Adin S Arrizabalaga J Anorga and JMendizabal ldquoCybersecurity-The Forgotten Issue in RailwaysSecurity Can Be Woven into Safety Designsrdquo IEEE VehicularTechnology Magazine vol 13 no 1 pp 48ndash55 2018

[8] G Hatzivasilis I Papaefstathiou and C Manifavas ldquoReal-timemanagement of railway CPS secure administration of IoT and

CPS infrastructurerdquo in Proceedings of the 6th MediterraneanConference on Embedded Computing MECO 2017 mne June2017

[9] U SUBSET-026-2 ldquoErtmsetcs system requirements specifica-tion chapter 2 basic system descriptionrdquo Tech Rep 2014

[10] C Manifavas G Hatzivasilis K Fysarakis and Y Papaefs-tathiou ldquoA survey of lightweight stream ciphers for embeddedsystemsrdquo Security and Communication Networks vol 9 no 10pp 1226ndash1246 2016

[11] U SUBSET-037 Ertmsetcs euroradio fis tech rep[12] E Masson and C Gransart ldquoCyber Security for Railways ndash

A Huge Challenge ndash Shift2Rail Perspectiverdquo in Proceedings ofthe Communication Technologies for Vehicles 12th InternationalWorkshop Nets4CarsNets4TrainsNets4Aircraft rsquo17 pp 97ndash104Toulouse France

[13] R B I Gashi R Bloomflied and R Stroud ldquoHow secure isertms Computer Safety Reliability and Security SAFECOMP2012Workshopsrdquo in Proceedings of the SAFECOMP 2012 Work-shops Sassur ASCoMS DESEC4LCCI ERCIMEWICS IWDEpp 247ndash258 Magdeburg Germany 2012

[14] I Lopez and M Aguado ldquoCyber security analysis of the Euro-pean train control systemrdquo IEEE Communications Magazinevol 53 no 10 pp 110ndash116 2015

[15] E Biham ldquoHow to forge des-encrypted messages in 228 stepsrdquoTech Rep Technion Computer Science Department 1996

[16] F Pepin and M G Vigliotti ldquoRisk assessment of the 3des inERTMSrdquo Lecture Notes in Computer Science (including subseriesLecture Notes in Artificial Intelligence and Lecture Notes inBioinformatics) Preface vol 9707 pp 79ndash92 2016

[17] T Chothia M Ordean J De Ruiter and R J Thomas ldquoAnAttack against message authentication in the ERTMS trainto trackside communication protocolsrdquo in Proceedings of the2017 ACM Asia Conference on Computer and CommunicationsSecurity ASIA CCS 2017 pp 743ndash756 are April 2017

[18] R Networks ldquoOpenbtsrdquo 2018 httpopenbtsorg[19] E Research ldquoUsrp n210rdquo 2018 httpwwwettuscomproduct

detailsUN210-KIT[20] Digium ldquoAsteriskrdquo httpwwwasteriskorg[21] Sysmocom ldquosysmousim-sjs1 sim cardrdquo 2018 httpwwwsys-

mocomdeproductssysmousim-sjs1-sim-usim[22] ldquoOpenlterdquo 2018 httpsourceforgenetpopenltewikiInstalling

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018


Active and Passive Electronic Components

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of



Journal ofEngineeringVolume 2018

SensorsJournal of



RotatingMachinery


Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation


Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom


Apart from the aforementioned lack of security of GSM-R and EuroRadio it is necessary to point out the evolutionof the railway communications in the last years Althoughin recent past railway systems were close systems recentlya new trend of connecting all the elements of the railwaynetwork to the Internet is getting relevanceThis fact results inexposing railway communications to intrinsic vulnerabilitiesof Internet and thus challenging the security in thesescenarios

Due to the easiness of not fulfilling the security propertiesdefined in the CIA triad the railway context can be consid-ered a hostile environment and hence safety and security aredemanded in these networks

Many efforts have been done to provide safety in therailway scenario [4ndash6] but security is an emerging demandand even if different research efforts have also been donefor providing secure railway communications [7 8] thereare still several limitations Moreover methodologies used insafety analysis based on probabilistic hazards are not validfor it That is it is not feasible to calculate when an attackerwill detect a vulnerability andor exploit it Therefore it isnecessary to design a vulnerability detection system in orderto try to avoid the exploitation of those vulnerabilities bymeans of defining countermeasures

Our contribution focuses on presenting a frameworkthat will be able to exploit the vulnerabilities of the ERTMSsystem regarding integrity and authenticity By means of thisframework it will be possible to know if this attack can bedone in real time or not

The article is organized as follows in Section 2 wedescribe the ERTMS protocol and analyse why the railwaycontext is a hostile environment In Section 3 we analyse thework done relating to this topic We describe our frameworkin Section 4 emphasising the benefits of having a frameworkthat attacks different vulnerabilities describing it with thelimitations that it has and finally describing the process wewill follow to know if the described attack could succeed inreal time then we conclude in Section 5

2 Overview of ERTMS

The ERTMS is composed of two elements (1) the EuropeanTrain Control System (ETCS) for the signalling and (2) theGSM-R for the communication

21 ETCS TheETCShas a great variety of possible configura-tions in the signalling equipment used on the existing or newlines Because of this ETCS has been conceived with severalapplication levels 0 NTC (national train control) which isthe former STM (specific transmission module) 1 2 and 3Next the different ETCS levels are described

211 ETCS Level 0 ETCS level 0 covers the operation ofETCS equipped trains on lines that are not equipped withETCS or national systems On this lines lineside signals areused to givemovement authorities to the trainsThis level hasbeen defined to ensure the proper transition between ETCS

equipped and nonequipped trainsThe operation of this levelis shown in Figure 1

212 ETCS Level NTC ETCS level NTC is used to runETCS equipped trains on lines equipped with national traincontrol and speed supervision systems The train controlinformation that is generated trackside by the national traincontrol system is transmitted to the train via the communi-cation channels of the underlying national system and trans-formed onboard into information interpretable by ETCSDepending on the functionality and the configuration of thespecific national system installed onboard the ERTMSETCSonboard system may need to be interfaced to it in order toperform the transitions fromto the national system andor inorder to give access to ERTMSETCS onboard resourcesThiscan be achieved through a device called STM The operationin this level is presented in Figure 2

213 ETCS Level 1 In the application ETCS level 1 ETCSis overlaid to the traditional signalling equipment The trainposition is detected by the traditional trackside deviceswhich are linked to the interlocking through the inter-face Lineside Encoder Unit (LEU) The interlocking is thewayside equipment control Lineside signals are kept anddata is transmitted to the onboard equipment by meansof Eurobalises which are transponders placed between therails of the railways The operation of this level is shown inFigure 3

214 ETCS Level 2 In application level 2 GSM-R radiois used to exchange data between the RBC and the trainsEuroRadio protocol is implemented in these communicationchannels which is based on a 3DES cryptographic systemMovement authorities to the trains are sent via this channeland besides a continuous speed supervision is made For thiscommunication the Base Transceiver Station (BTS) of theControl Centre communicates with the onboard unit (OBU)of the onboard equipment

However the train detection is performed by the track-side equipment so it is out of the scope of ERTMSETCS Inthis level lineside signals could be suppressedThe operationis described in Figure 4

215 ETCS Level 3 Finally the operation level 3 is a radiobased train control system Movement authorities are gener-ated trackside and transmitted to the train via EuroRadio asin level 2 but in this level train position is also performedby the trackside RBC Eurobalises are just used for locationreferencing Lineside signals could be suppressed in this leveltoo The operation is described in Figure 5

22 GSM-R During the course of their standardizationactivities the UNISIG group realized that in order to ensuresecurity of the railways in GSM certain spectrum bandsneeded to be allocated However GSM could not fulfil allthe requirements needed for an efficient railway service andtherefore some specific functional features were added to theGSM specifications


ETCS



ETCS


STM




ETCS

Interlocking


LEU



ETCS

OBU

BTS

Radio Block Centre

Interlocking


Optional


ETCS

Interlocking

Eurobalise

Radio Block Centre

trainintegrity










119860and119877

119861random


1198781 1198701198782 and


1198701198781= MAC (119877

119860

119871 | 119877119861

119871 119870119860119861)

= DES (1198703DES

minus1 (1198702DES (1198701 119877119860119871 | 119877119861

119871)))

1198701198782= MAC (119877

119860

119877 | 119877119861

119877 119870119860119861)

= DES (1198703DES

minus1 (1198702DES (1198701 119877119860119877 | 119877119861

119877)))

1198701198783= MAC (119877

119860

119871 | 119877119861

119871 1198701015840119860119861)

= DES (1198701DESminus1 (119870

2DES (119870

3 119877119860

119871 | 119877119861

119871)))

(1)


119877119860

119871 | 119877119860

119877 and 119877119861= 119877119861

119871 | 119877119861






119860random


3 Related Work













TrainControl Center


Figure 6 Scenario



USRP Modem

SIM Card

OBU(industrial PC)

TDT-SDR


Train


RBC

Control Centre

Figure 7 Framework






















1 256 for DES The 119868



1 1198751)


1198682= DESminus1(119870


2




1DES(119870

2 1198752)) If



119862 = DES (1198701DESminus1 (1198702DES (119870

3 119875))) (2)


2 119875) =









Start

Mount theframework


Able to decryptA51




A51


protocol

YES


attacks

YES

END


looked



Is it correctlydone

NO


correctly mounted


YES

NO

Make conclusions

YES NO

YES

NO


correctly mounted


YES

YES

NO








Acknowledgments


References
























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



ETCS



ETCS


STM




ETCS

Interlocking


LEU



ETCS

OBU

BTS

Radio Block Centre

Interlocking


Optional


ETCS

Interlocking

Eurobalise

Radio Block Centre

trainintegrity










119860and119877

119861random


1198781 1198701198782 and


1198701198781= MAC (119877

119860

119871 | 119877119861

119871 119870119860119861)

= DES (1198703DES

minus1 (1198702DES (1198701 119877119860119871 | 119877119861

119871)))

1198701198782= MAC (119877

119860

119877 | 119877119861

119877 119870119860119861)

= DES (1198703DES

minus1 (1198702DES (1198701 119877119860119877 | 119877119861

119877)))

1198701198783= MAC (119877

119860

119871 | 119877119861

119871 1198701015840119860119861)

= DES (1198701DESminus1 (119870

2DES (119870

3 119877119860

119871 | 119877119861

119871)))

(1)


119877119860

119871 | 119877119860

119877 and 119877119861= 119877119861

119871 | 119877119861






119860random


3 Related Work













TrainControl Center


Figure 6 Scenario



USRP Modem

SIM Card

OBU(industrial PC)

TDT-SDR


Train


RBC

Control Centre

Figure 7 Framework






















1 256 for DES The 119868



1 1198751)


1198682= DESminus1(119870


2




1DES(119870

2 1198752)) If



119862 = DES (1198701DESminus1 (1198702DES (119870

3 119875))) (2)


2 119875) =









Start

Mount theframework


Able to decryptA51




A51


protocol

YES


attacks

YES

END


looked



Is it correctlydone

NO


correctly mounted


YES

NO

Make conclusions

YES NO

YES

NO


correctly mounted


YES

YES

NO








Acknowledgments


References
























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



ETCS

OBU

BTS

Radio Block Centre

Interlocking


Optional


ETCS

Interlocking

Eurobalise

Radio Block Centre

trainintegrity










119860and119877

119861random


1198781 1198701198782 and


1198701198781= MAC (119877

119860

119871 | 119877119861

119871 119870119860119861)

= DES (1198703DES

minus1 (1198702DES (1198701 119877119860119871 | 119877119861

119871)))

1198701198782= MAC (119877

119860

119877 | 119877119861

119877 119870119860119861)

= DES (1198703DES

minus1 (1198702DES (1198701 119877119860119877 | 119877119861

119877)))

1198701198783= MAC (119877

119860

119871 | 119877119861

119871 1198701015840119860119861)

= DES (1198701DESminus1 (119870

2DES (119870

3 119877119860

119871 | 119877119861

119871)))

(1)


119877119860

119871 | 119877119860

119877 and 119877119861= 119877119861

119871 | 119877119861






119860random


3 Related Work













TrainControl Center


Figure 6 Scenario



USRP Modem

SIM Card

OBU(industrial PC)

TDT-SDR


Train


RBC

Control Centre

Figure 7 Framework






















1 256 for DES The 119868



1 1198751)


1198682= DESminus1(119870


2




1DES(119870

2 1198752)) If



119862 = DES (1198701DESminus1 (1198702DES (119870

3 119875))) (2)


2 119875) =









Start

Mount theframework


Able to decryptA51




A51


protocol

YES


attacks

YES

END


looked



Is it correctlydone

NO


correctly mounted


YES

NO

Make conclusions

YES NO

YES

NO


correctly mounted


YES

YES

NO








Acknowledgments


References
























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia






119860and119877

119861random


1198781 1198701198782 and


1198701198781= MAC (119877

119860

119871 | 119877119861

119871 119870119860119861)

= DES (1198703DES

minus1 (1198702DES (1198701 119877119860119871 | 119877119861

119871)))

1198701198782= MAC (119877

119860

119877 | 119877119861

119877 119870119860119861)

= DES (1198703DES

minus1 (1198702DES (1198701 119877119860119877 | 119877119861

119877)))

1198701198783= MAC (119877

119860

119871 | 119877119861

119871 1198701015840119860119861)

= DES (1198701DESminus1 (119870

2DES (119870

3 119877119860

119871 | 119877119861

119871)))

(1)


119877119860

119871 | 119877119860

119877 and 119877119861= 119877119861

119871 | 119877119861






119860random


3 Related Work













TrainControl Center


Figure 6 Scenario



USRP Modem

SIM Card

OBU(industrial PC)

TDT-SDR


Train


RBC

Control Centre

Figure 7 Framework






















1 256 for DES The 119868



1 1198751)


1198682= DESminus1(119870


2




1DES(119870

2 1198752)) If



119862 = DES (1198701DESminus1 (1198702DES (119870

3 119875))) (2)


2 119875) =









Start

Mount theframework


Able to decryptA51




A51


protocol

YES


attacks

YES

END


looked



Is it correctlydone

NO


correctly mounted


YES

NO

Make conclusions

YES NO

YES

NO


correctly mounted


YES

YES

NO








Acknowledgments


References
























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



TrainControl Center


Figure 6 Scenario



USRP Modem

SIM Card

OBU(industrial PC)

TDT-SDR


Train


RBC

Control Centre

Figure 7 Framework






















1 256 for DES The 119868



1 1198751)


1198682= DESminus1(119870


2




1DES(119870

2 1198752)) If



119862 = DES (1198701DESminus1 (1198702DES (119870

3 119875))) (2)


2 119875) =









Start

Mount theframework


Able to decryptA51




A51


protocol

YES


attacks

YES

END


looked



Is it correctlydone

NO


correctly mounted


YES

NO

Make conclusions

YES NO

YES

NO


correctly mounted


YES

YES

NO








Acknowledgments


References
























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia
















1 256 for DES The 119868



1 1198751)


1198682= DESminus1(119870


2




1DES(119870

2 1198752)) If



119862 = DES (1198701DESminus1 (1198702DES (119870

3 119875))) (2)


2 119875) =









Start

Mount theframework


Able to decryptA51




A51


protocol

YES


attacks

YES

END


looked



Is it correctlydone

NO


correctly mounted


YES

NO

Make conclusions

YES NO

YES

NO


correctly mounted


YES

YES

NO








Acknowledgments


References
























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



Start

Mount theframework


Able to decryptA51




A51


protocol

YES


attacks

YES

END


looked



Is it correctlydone

NO


correctly mounted


YES

NO

Make conclusions

YES NO

YES

NO


correctly mounted


YES

YES

NO








Acknowledgments


References
























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia








Acknowledgments


References
























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia




RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia


A Framework for Vulnerability Detection in European Train ...SecurityandCommunicationNetworks...

Documents

Transcript of A Framework for Vulnerability Detection in European Train ...SecurityandCommunicationNetworks...