An attack against message authentication in the ERTMS train to trackside communication protocols

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution

External organisations

  • Radboud Univ Nijmegen


This paper presents the results of a cryptographic analysis of the protocols used by the European Rail Traffic Management System (ERTMS). A stack of three protocols secures the communication between trains and trackside equipment: encrypted radio communication is provided by the GSM-R protocol, and on top of this the EuroRadio protocol provides authentication for a train control application-level protocol. We present an attack which exploits weaknesses in all three protocols: GSM-R has the same well-known weaknesses as the GSM protocol, and we present a new collision attack against the EuroRadio protocol. Combined with design weaknesses in the application-level protocol, these vulnerabilities allow an attacker who observes a MAC collision to forge train control messages. We demonstrate this attack with a proof of concept using train control messages we have generated ourselves.
Currently, ERTMS is only used to send small amounts of data for short sessions; therefore, this attack does not present an immediate danger. However, if EuroRadio were to be used to transfer larger amounts of data, trains would become vulnerable to this attack. Additionally, we calculate that, under reasonable assumptions, an attacker who could monitor all backend control centres in a country the size of the UK for 45 days would have a 1% chance of being able to take control of a train.


Original language: English
Title of host publication: ASIA CCS '17
Subtitle of host publication: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security
Publication status: Published - 2 Apr 2017
Event: ASIA CCS '17 - Abu Dhabi, United Arab Emirates
Duration: 2 Apr 2017 to 6 Apr 2017


Conference: ASIA CCS '17
Country: United Arab Emirates
City: Abu Dhabi