Polish Railways Fall Victim To Cheap Radio Attack

Poland’s railways have recently come under a form of electronic attack, as reported by Wired. The attack has widely been called a “cyber-attack” in the mainstream media, but the incident was a far simpler affair, carried out over good old analog radio.

The attacks were simple in nature. As outlined in an EU technical document, Poland’s railways use a RADIOSTOP system based on analog radio signals at around 150 MHz. Transmitting a basic tone sequence causes any suitably equipped train that receives it to engage its emergency brakes. It’s implemented as part of the PKP radio system on the Polish railway network.

The attacks brought approximately 20 trains to a standstill, according to the BBC, with services restored within hours. There was no major safety risk in the event, something made clear in a statement from Polish rail authorities. Regardless, the attacks frustrated logistics across the rail network.

It’s believed the perpetrators of the attack were supporters of the Russian war effort, as the stop signals were also joined by broadcasts of the Russian national anthem and a speech from Russian President Vladimir Putin. The attacks have some significance to the invasion of Ukraine, as Poland has been a hub for crucial weapons deliveries supporting the defence of Ukraine.

The concern is that any unsophisticated individual could achieve the same results with cheap off-the-shelf equipment costing under $100. The emergency stop feature has no protection at all: anyone who can transmit the tone sequence can trigger it, and this has been public knowledge for some time. Unlike an emergency brake on a passenger train, which requires proximity to actuate, the RADIOSTOP feature can be triggered at will from any remote location within transmission range. That makes catching perpetrators more difficult.

Poland’s railways will receive an upgrade to more secure cellular technology by 2025, with the 150 MHz system retained only for shunting duties and other edge cases. Interestingly, it will use GSM-R for connectivity, which is widely used across Europe’s railways.

Until then, the vulnerability will remain as long as the 150 MHz RADIOSTOP feature is enabled. Polish radio authorities may have their work cut out chasing down illegal transmitters in the meantime to prevent repeat attacks. It’s not the only way to bring a railway to a stop, but it’s unfortunately an easy and effective one.
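As an added example (not from the article or from PKP), here is what the receiver side of a tone-triggered stop looks like from a monitoring station’s point of view: demodulated audio is scanned with the Goertzel algorithm for a fixed tone sequence, and the moment each complete sequence ends is timestamped so the event can be logged and handed to a direction-finding network. The tone frequencies, durations and sample audio are constructed placeholders, not the real RADIOSTOP parameters.

```python
import math

SAMPLE_RATE = 8000        # Hz: demodulated audio from the monitoring receiver
WINDOW = 400              # samples per analysis window (50 ms)
MIN_WINDOWS = 3           # a tone must persist for 3 windows (150 ms) to count
# Constructed placeholder tones for the stop sequence; NOT the real
# RADIOSTOP parameters, which this example deliberately does not encode.
STOP_SEQUENCE = (1000.0, 1500.0, 2000.0)

def goertzel_power(samples, freq):
    """Signal power in one frequency bin, via the Goertzel recurrence."""
    k = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + k * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - k * s1 * s2

def dominant_tone(samples, threshold=0.5):
    """Which sequence tone carries most of this window's energy, or None.
    For a clean sinusoid the bin power equals total energy * N/2, so the
    ratio is about 1.0 on-tone and near 0 for silence, noise or other tones."""
    energy = sum(x * x for x in samples) * len(samples) / 2.0 + 1e-12
    ratios = {f: goertzel_power(samples, f) / energy for f in STOP_SEQUENCE}
    best = max(ratios, key=ratios.get)
    return best if ratios[best] >= threshold else None

def detect_stop_sequences(samples):
    """Return the time (seconds) at which each complete stop sequence ended,
    so the event can be timestamped and handed to a direction-finding network."""
    detections, tones_seen = [], []
    current, run = None, 0
    for start in range(0, len(samples) - WINDOW + 1, WINDOW):
        tone = dominant_tone(samples[start:start + WINDOW])
        current, run = (tone, run + 1) if tone == current else (tone, 1)
        if tone is not None and run == MIN_WINDOWS:      # tone confirmed once
            tones_seen.append(tone)
            if tuple(tones_seen[-len(STOP_SEQUENCE):]) == STOP_SEQUENCE:
                detections.append((start + WINDOW) / SAMPLE_RATE)
                tones_seen.clear()
    return detections

def synth_audio(segments, rate=SAMPLE_RATE):
    """Constructed test audio: segments of (frequency_hz or None, seconds)."""
    out = []
    for freq, seconds in segments:
        for i in range(int(seconds * rate)):
            out.append(0.0 if freq is None else math.sin(2 * math.pi * freq * i / rate))
    return out

# Constructed recording: one valid sequence, then the same tones out of order.
SAMPLE_AUDIO = synth_audio([(None, 0.25), (1000.0, 0.25), (1500.0, 0.25), (2000.0, 0.25),
                            (None, 0.25), (1500.0, 0.25), (1000.0, 0.25), (2000.0, 0.25)])

if __name__ == "__main__":
    print("stop sequence detected at", detect_stop_sequences(SAMPLE_AUDIO), "s")
```

The out-of-order repeat in the sample audio is not reported, which is the point of tracking the sequence rather than alarming on any single tone.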

[Thanks to Charles for the tip!]

41 thoughts on “Polish Railways Fall Victim To Cheap Radio Attack”

  1. Is “cyber” restricted to digital-only? Coming from the Greek for “steersman” and even later referring more to manipulation of machines or robotic systems more than anything, this would be a classical cyberattack. Something which would happen in Ghost in the Shell.

  2. The Dutch traffic light priority system is also public knowledge (technical details can be found online) and relies on simple, unencrypted signalling. However, it is not possible to completely disrupt traffic signals “Italian Job”-style, it’s just a request for a green light (or white in case of public transport-only lights) from a certain direction to a certain direction.

      1. hmm… what nonsense, I have lived in the Netherlands all my life, have been driving around for a very long time, but never encountered NAZI-style traffic stops. And as far as I know equipment to control traffic lights isn’t something they are looking for either as these things just aren’t a thing, so there is no reason to look for them.

        @ shod: May I ask why exactly did you smoke/drink or inject before you wrote your comment?

    1. As this is HaD…

      My hack for traffic light priority. If you are in a queue at lights don’t run up to the back of it.
      Instead loiter over the sensor loop furthest from the set of lights. The lights then “think” there’s a long queue in your lane. They then change quicker, plus stay green for longer, so you also have a better chance of getting through on that phase.

      1. Won’t work on the newest lights. They know how many cars are in the line. Newest systems can even recognize individual vehicles and follow their route over different traffic lights to map traffic patterns.

  3. PKP, which stands for Polskie Koleje Państwowe, or Polish National Railways, was supposed to switch to digital communications 10-15 years ago. They never did it because PKP consists of 40-ish different organizations and no one really coordinates them. In 2022 they were building tracks in the city of Łódź, from two sides – due to stupidity and lack of coordination they managed not to meet in the middle.
    https://www.tokfm.pl/Tokfm/7,189655,28231869,nie-pyklo-budowane-z-dwoch-stron-tory-w-lodzi-nie-zeszly-sie.html
    As for the RADIOSTOP incident, when I learned about this system some 15-20 years ago, I actually was wondering how hard it would be to build my own transmitter. At that time teenagers figured out they can derail trams by switching the rail switches. The switches were operated by the tram driver with a simple IR remote. IIRC, with RC-5 code.

    1. Did the teenagers trigger the switch to change while the tram was travelling over it?
      My grandmother’s car used unencrypted IR for the central locking. It’s concerning that checking google people are still buying and selling the modules for replacement.

      1. They switched it when first set of tram wheels passed the switch. This caused either set to leave the track…

        It’s weird for me that people use such insecure signaling systems, while there are dedicated ICs for one-way encrypted communications. These are common in many older car keyfobs and are dirt cheap. With cheap RF modules one could easily implement a challenge-response system…

    2. “PKP, which stands for Polskie Koleje Państwowe, or Polish National Railways, was supposed to switch to digital communications 10-15 years ago. They never did it because PKP consists of 40-ish different organizations and no one really coordinates them.”

      Maybe this will put a fire under them.

      1. Maybe after next election. But I won’t be surprised if they develop delays in getting a new system running.

        Last year I read a book about transportation exclusion in Poland. Half of the book covered PKP and its inner workings. From that book I learned about four kinds of filth in InterCity trains:
        1. Daily filth – this could be left alone if there is no time between runs, as it’s not a big deal yet.
        2. 2-3 day old filth – this should be cleaned.
        3. Weekly filth – this requires more serious cleaning on weekly basis.
        4. Railway filth – too old and too tough to be cleaned – leave it be.
        I think this perfectly captures the mentality of PKP management. It’s also the reason that “delayed” is the most common train in Poland.

  4. In Poland, digital broadcasting is considered encryption. For this reason, digital transmission cannot be used on the CBRadio band and most other bands. To this day, police, water, gas and other services use unencrypted radio equipment, sometimes 3 at a time, because there is no way to transmit messages between services.

    1. Sources?

      As far as I know, only radio amateurs must use unencrypted communications. They can use digital modes. The same goes for PMR. I think CB is limited to analog, but I’m not 100% sure. Polish police a few years back bought digital encrypted radio equipment, so they can use it. Army and Border Patrol use encrypted systems, at least partially. PKP wanted to go digital (GSM-R) which is encrypted for the past 10 years, but until last week they didn’t do much to actually get it. I think the trunk radio system for trucks that was used until the early 2000s was also encrypted. It was replaced by cellphones. So I’m pretty sure you’re wrong.

      Also nothing prevents people from using code words, nomenclators and obscure or constructed languages. When telegraphy became a thing, there were nomenclators for business that let companies send coded messages that not only were hard to break for normal people, but also saved on the telegram bill by replacing long words with short letter sequences. US military famously used Navajo language in WWII for fast and unbreakable communications. No one stops you from speaking Klingon or toki-pona over the radio.

  5. I read somewhere that there are about 500 such events yearly, so I would say that it’s more about influencing the incoming elections than really doing any serious harm to the logistic system. It’s annoying, for sure, but trains stop only for a few minutes at most. The system has a huge hole, that’s for sure, but it’s worth mentioning that it was implemented in a hurry after a severe train crash.

    1. When one train is stopped by this system either for a good reason, or because someone thinks it’s a great prank, it’s not a big deal. The most common train in Poland is the “delayed train” anyway. But when 20 trains are stopped at once, this affects the entire network. If this happens on a main trunk line, the delay can spread to other countries, too. The Polish railway system since 1989 has been in slow decline, as the funds are limited, upper management changes after every election, and infrastructure is obsolete. Many local lines were terminated years ago. That’s the way it works in Poland, and we had to get used to it.

  6. From the linked Wikipedia article on GSM-R: “If the modem connection is lost, the train will automatically stop”. So jamming that signal will have exactly the same effect as this attack.
    I have no idea how effective they are, but since you can buy phone/wifi jammers online it still sounds like “any unsophisticated individual could achieve the same results with cheap off-the-shelf equipment”.

    1. GSM-R covers a huge bunch of services. Basic service is speech with a special addendum for role based *and* location based addressing, group communication, interruptible calls etc.

      As far as I know, the idea of usage for (automated? never) train control is deprecated and replaced totally by only ETCS 2 with Eurobalise and such.

      Only non-critical things like data updates for the electronic schedule system or communication for train driver and conductors are done via GSM-R. And for security reasons, if the connection is lost, high speed modes are deactivated.

      But I’m even more clueless than usual on that. Please enlighten me.

    2. It would be quite hard to jam GSM-R. But not impossible.
      Firstly, the basestations are spaced along the tracks at regular intervals, each one has to be on a different GSM channel (same as neighbour cells). So you’d have to jam an entire bunch of channels to be effective.
      Secondly, the power levels will be quite high (33-40 dBm), so jamming probably will only be effective where the train is midway or thereabouts between basestations.
      Thirdly, I would expect the train antennas to be directional, aligned with the direction of travel of the train, so they produce max range when you’re far from the next basestation, but lower coupling as you pass it. So your jammer will be less effective perpendicular to the train.
      I would also expect the basestations to perform regular RSSI measurements on their inactive timeslots, which will show up any jamming pretty quickly to the network operator.

      1. In practice, there are a lot of deviations from ideal assumptions. Not just here, but in most actually-deployed systems.

        Most of the hard part of security penetration involves identifying how stuff actually happens in practice, at the time and place of interest. This isn’t limited to digital (or even technical) security penetration. A guard who is supposed to be always alert and not leave his post except after calling a substitute might actually turn out to occasionally take a restroom break without going through the delay of getting a substitute.

        A huge part of real-world engineering is to design things so that deviations from the intended ideal have a minimized effect. But that doesn’t always happen, because you can often get 90% of the quality and results for only 10% of the work, if you sweep the rest under a rug somewhere…

  7. You don’t need to promote anti-Russian beliefs in Poland. Your comment is more of a jump. Most likely – some Polish hacker did it for the lulz. Second most likely – Russian-aligned hackers did it for checking of systems “just in case”. Your version about false-flag seems like it’s not in top-5, but also mimics Russian arguments about people being anti-Russian because of prejudice “why do they hate us?”.

    1. Over a week ago police arrested two people who were placing some stickers that were ads for Wagner group. There are many internet trolls that get paid for spewing anti-Ukrainian and pro-Russian propaganda in Poland and other countries. There are some right-wing nationalists, some are part of ruling coalition that are pro-Putin. So I don’t think anyone did this just “for lulz”.

      One should also take into consideration the fact that the border between Poland and Belarus, where the Wagner group is staying, is NOT secure, despite whatever the Polish government claims. It would be easy for them to cross the border with the necessary radio equipment to disrupt the trains. The reason being stopping or slowing down delivery of military equipment and humanitarian help to Ukraine…

  8. I love the idea that this was done to support the Russian war effort.

    Not because I support that effort, quite the opposite. Whoever did it probably just made Poland better off in the long run by forcing the issue on a long needed security upgrade while not causing much damage in the process. That is exactly the level of counter-productive (to them) success I like to see in the Russian war effort.

    1. My worry here would be “what happens between now and the upgrade” – if these incidents are frequent enough, they may choose to disable the current safety system until the upgrades are made to avoid wide-spread service disruption. What would the consequences of that be, and perhaps is that the actual intent of the attacks?

  9. There is another form of cyber attack possible in many other train systems across the world, which most of the people discussing the radio incident are missing. Any person can stop the vulnerable train almost immediately and without using sophisticated technology.

    The vulnerability is called “emergency brakes” and is usually a lever, placed at multiple locations along the train, that is intended to be pulled in case of emergency. Activation of such a system is easy, and often the “attacker” cannot be traced, especially when the train is crowded or lacking monitoring (which is still very prevalent). I think this vulnerability is comparable in seriousness to the one from this article. Although a single person can use it on one train only at a time, there are other factors that make it more concerning. It requires even less resources to carry out, the number of vulnerable train systems is much higher and usually it is more difficult/problematic to ignore than disabling the automatic “radio-stop” braking system. Recovery from a misuse event is also usually longer and so are the caused delays.

    1. I don’t know about other places, but in the UK the emergency stop does not stop the train, it signals to the train driver that there is an emergency and that a stop is needed.

      1. https://en.wikipedia.org/wiki/Electro-pneumatic_brake_system_on_British_railway_trains

        It appears that the British passenger railways don’t use the Westinghouse brake or a close derivative. The brake system they use achieves the uncommanded/distributed emergency stop feature by using one of the trainwires as a continuity loop. If the loop is broken, every car responds as if the driver’s control was set to the “emergency” position. All brakes will be locally engaged and any traction motors will be disengaged.

        For installations with true distributed emergency brakes, the “emergency” handles in the cars serve to break the loop. For other installations, the emergency stop handles merely signal the driver. Either way, if something happens to the train such that the coupling between cars is affected, all of the cars enter the emergency stop mode.

  10. Safety systems often must allow ANYONE to activate them. If you hide the activation of a safety system behind locks, keys, encryption and the like, its utility will be severely diminished. An example of this is the emergency brake system on a subway car. It is in full view of the public. There are instructions to use it. But if you do use it, you’d better have a very good reason (perhaps there is a fire on the train).

    Likewise with a rail stop system. This system is going to be a royal pain to replace. Instead, what I suggest is that Poland continue using this system, but establish a network of direction finding receivers. If someone does activate the emergency stop tones, their approximate location will be known immediately. This location would then be supplied to first responders. If the stop signal was genuine, the first responders will know exactly where to start looking. If the stop signal were nefarious, they’ll also know exactly from where it was sent, which will help to track down the perpetrators.

    I think this business of using encryption and authentication on such applications is fraught with all sorts of opportunities for this to go very wrong. This is not some cute app. This is public safety. Keep it simple and stupid.

      1. They already know. However the aviation world depends much more heavily on distributed intelligence, so jamming a link has much less effect. And, due to how the old analog Emergency Locator Transmitter beacon system is implemented, the infrastructure can quickly localize transmissions on a map… and that often works just as well for jammers as it does for ELTs.

        The old analog 121.3 MHz ELTs are just robust transmitter beacons. The details of the old auto-map-indicator systems are actually quite interesting. More or less, automatic radio direction finding cues for the beacon as heard from multiple air traffic control receivers would deflect mirrors and create a moving-spot indicator on a map. The necessary equipment is both simple and already necessary to fulfill other aspects of the air traffic control role; it’s just an additional automatic use for the existing antennas and receivers. Later, the same information got integrated into many of the ATC radar displays. This can be used to locate an aircraft with a jammed transmitter, for example. The data isn’t usually superimposed on the ATC displays to avoid operator overload, but remains available if needed, at least for aircraft within VHF range.

        Later yet, the COSPAS-SARSAT system allowed secondary payloads on some satellites to participate, helping localize (or at least detect) beacons even when they were far from any ATC receiver.

        Modern systems also add gps self-coordinates, but remain usable for automatic and manual direction finding as well.

        It’s not harder to find an intentional jammer than it is to find a malfunctioning ELT (or a crash site), so anyone who messes around with jamming aviation frequencies has good odds of quickly facing serious civil (misuse of emergency frequencies) and criminal (willfully creating a hazard to life) penalties.
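The direction-finding network proposed in comment 10, and the ELT localisation described in the reply above, both come down to the same arithmetic: several stations each report a bearing, and the fix is where the bearing lines meet. As an added example (not from the article, PKP or any DF product), this is a least-squares intersection of bearing lines on a local flat grid, with a fit-quality figure and a check that the fix lies in front of every station; the station positions and bearings are a constructed scenario.

```python
import math

def bearing_deg(station, point):
    """Compass bearing (degrees clockwise from north) from station to point.
    Coordinates are (east_km, north_km) on a local flat grid."""
    dx, dy = point[0] - station[0], point[1] - station[1]
    return math.degrees(math.atan2(dx, dy)) % 360.0

def distance_km(a, b):
    """Euclidean distance on the local km grid."""
    return math.hypot(a[0] - b[0], a[1] - b[1])

def triangulate(fixes):
    """Least-squares intersection of bearing lines from several DF stations.
    fixes: list of ((east_km, north_km), bearing_deg).
    Returns ((east_km, north_km), rms_km) or None if the geometry is degenerate
    (fewer than two stations, or all bearing lines parallel)."""
    if len(fixes) < 2:
        return None
    a11 = a12 = a22 = b1 = b2 = 0.0
    lines = []
    for (sx, sy), brg in fixes:
        t = math.radians(brg)
        nx, ny = math.cos(t), -math.sin(t)      # unit normal of the bearing line
        rhs = nx * sx + ny * sy                 # line equation: n . p = n . s
        lines.append((nx, ny, rhs))
        a11 += nx * nx; a12 += nx * ny; a22 += ny * ny
        b1 += nx * rhs;  b2 += ny * rhs
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        return None
    x = (a22 * b1 - a12 * b2) / det
    y = (a11 * b2 - a12 * b1) / det
    # RMS perpendicular distance from the fix to each bearing line (fit quality)
    rms = math.sqrt(sum((nx * x + ny * y - rhs) ** 2 for nx, ny, rhs in lines) / len(lines))
    return (x, y), rms

def in_front_of_all(fixes, point):
    """A line intersection ignores the sense of a bearing; reject a fix that
    lies behind any station, which means at least one bearing is bad."""
    for (sx, sy), brg in fixes:
        t = math.radians(brg)
        if math.sin(t) * (point[0] - sx) + math.cos(t) * (point[1] - sy) <= 0:
            return False
    return True

def demo_fix():
    """Constructed scenario: three stations on a local km grid, transmitter
    actually at (12.0, 7.5); reported bearings carry about one degree of error."""
    stations = [(0.0, 0.0), (20.0, 0.0), (10.0, 15.0)]
    observed = [59.0, 312.0, 166.0]   # true bearings are about 58.0, 313.2, 165.1
    fixes = list(zip(stations, observed))
    result = triangulate(fixes)
    return result, in_front_of_all(fixes, result[0])

if __name__ == "__main__":
    (point, rms), ok = demo_fix()
    print(f"fix at ({point[0]:.2f}, {point[1]:.2f}) km, rms {rms:.3f} km, consistent={ok}")
```

With one degree of bearing error at 10 to 15 km the fix lands a few hundred metres from the true position, which is plenty to tell first responders where to start looking.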
