An attack against message authentication in the ERTMS train to trackside communication protocols

Tom Chothia; Mihai Ordean; Joeri De Ruiter; Richard James Thomas

doi:10.1145/3052973.3053027

An attack against message authentication in the ERTMS train to trackside communication protocols

Tom Chothia, Mihai Ordean, Joeri De Ruiter, Richard James Thomas

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

5 Citations (Scopus)

367 Downloads (Pure)

Abstract

This paper presents the results of a cryptographic analysis of the protocols used by the European Rail Traffic Management System (ERTMS). A stack of three protocols secures the communication between trains and trackside equipment; encrypted radio communication is provided by the GSM-R protocol, on top of this the EuroRadio protocol provides authentication for a train control application-level protocol. We present an attack which exploits weaknesses in all three protocols: GSM-R has the same well known weaknesses as the GSM protocol, and we present a new collision attack against the EuroRadio protocol. Combined with design weaknesses in the application-level protocol, these vulnerabilities allow an attacker, who observes a MAC collision, to forge train control messages. We demonstrate this attack with a proof of concept using train control messages we have generated ourselves.
Currently, ERTMS is only used to send small amounts of data for short sessions, therefore this attack does not present an immediate danger. However, if EuroRadio was to be used to transfer larger amounts of data trains would become vulnerable to this attack. Additionally, we calculate that, under reasonable assumptions, an attacker who could monitor all backend control centres in a country the size of the UK for 45 days would have a 1\% chance of being able to take control of a train.

Original language	English
Title of host publication	ASIA CCS '17
Subtitle of host publication	Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security
Place of Publication	New York, NY, USA
Publisher	Association for Computing Machinery
Pages	743-756
ISBN (Print)	978145034944
DOIs	https://doi.org/10.1145/3052973.3053027
Publication status	Published - 2 Apr 2017
Event	ASIA CCS '17 - Abu Dhabi, United Arab Emirates Duration: 2 Apr 2017 → 6 Apr 2017

Conference

Conference	ASIA CCS '17
Country/Territory	United Arab Emirates
City	Abu Dhabi
Period	2/04/17 → 6/04/17

Access to Document

10.1145/3052973.3053027Licence: None: All rights reserved

asiaccs_paper
Eligibility for repository: Checked on 10/4/2017
Accepted author manuscript, 1.32 MBLicence: None: All rights reserved

https://doi.org/10.1145/3052973.3053027Licence: None: All rights reserved

SCEPTICS: A SystematiC Evaluation Process for Threats to Industrial Control Systems
Roberts, C., Chothia, T., Ryan, M. & Zhang, X.
Engineering & Physical Science Research Council
1/10/14 → 31/12/17
Project: Research Councils

Cite this

@inproceedings{e2a45ee1b46e45039bbc5b6a3e390f1a,

title = "An attack against message authentication in the ERTMS train to trackside communication protocols",

abstract = "This paper presents the results of a cryptographic analysis of the protocols used by the European Rail Traffic Management System (ERTMS). A stack of three protocols secures the communication between trains and trackside equipment; encrypted radio communication is provided by the GSM-R protocol, on top of this the EuroRadio protocol provides authentication for a train control application-level protocol. We present an attack which exploits weaknesses in all three protocols: GSM-R has the same well known weaknesses as the GSM protocol, and we present a new collision attack against the EuroRadio protocol. Combined with design weaknesses in the application-level protocol, these vulnerabilities allow an attacker, who observes a MAC collision, to forge train control messages. We demonstrate this attack with a proof of concept using train control messages we have generated ourselves. Currently, ERTMS is only used to send small amounts of data for short sessions, therefore this attack does not present an immediate danger. However, if EuroRadio was to be used to transfer larger amounts of data trains would become vulnerable to this attack. Additionally, we calculate that, under reasonable assumptions, an attacker who could monitor all backend control centres in a country the size of the UK for 45 days would have a 1\% chance of being able to take control of a train. ",

author = "Tom Chothia and Mihai Ordean and {De Ruiter}, Joeri and Thomas, {Richard James}",

year = "2017",

month = apr,

day = "2",

doi = "10.1145/3052973.3053027",

language = "English",

isbn = "978145034944",

pages = "743--756",

booktitle = "ASIA CCS '17",

publisher = "Association for Computing Machinery ",

note = "ASIA CCS '17 ; Conference date: 02-04-2017 Through 06-04-2017",

}

Chothia, T , Ordean, M, De Ruiter, J & Thomas, RJ 2017, An attack against message authentication in the ERTMS train to trackside communication protocols. in ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security. Association for Computing Machinery , New York, NY, USA, pp. 743-756, ASIA CCS '17, Abu Dhabi, United Arab Emirates, 2/04/17. https://doi.org/10.1145/3052973.3053027

An attack against message authentication in the ERTMS train to trackside communication protocols. / Chothia, Tom ; Ordean, Mihai; De Ruiter, Joeri et al.
ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security. New York, NY, USA: Association for Computing Machinery , 2017. p. 743-756.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - An attack against message authentication in the ERTMS train to trackside communication protocols

AU - Chothia, Tom

AU - Ordean, Mihai

AU - De Ruiter, Joeri

AU - Thomas, Richard James

PY - 2017/4/2

Y1 - 2017/4/2

N2 - This paper presents the results of a cryptographic analysis of the protocols used by the European Rail Traffic Management System (ERTMS). A stack of three protocols secures the communication between trains and trackside equipment; encrypted radio communication is provided by the GSM-R protocol, on top of this the EuroRadio protocol provides authentication for a train control application-level protocol. We present an attack which exploits weaknesses in all three protocols: GSM-R has the same well known weaknesses as the GSM protocol, and we present a new collision attack against the EuroRadio protocol. Combined with design weaknesses in the application-level protocol, these vulnerabilities allow an attacker, who observes a MAC collision, to forge train control messages. We demonstrate this attack with a proof of concept using train control messages we have generated ourselves. Currently, ERTMS is only used to send small amounts of data for short sessions, therefore this attack does not present an immediate danger. However, if EuroRadio was to be used to transfer larger amounts of data trains would become vulnerable to this attack. Additionally, we calculate that, under reasonable assumptions, an attacker who could monitor all backend control centres in a country the size of the UK for 45 days would have a 1\% chance of being able to take control of a train.

AB - This paper presents the results of a cryptographic analysis of the protocols used by the European Rail Traffic Management System (ERTMS). A stack of three protocols secures the communication between trains and trackside equipment; encrypted radio communication is provided by the GSM-R protocol, on top of this the EuroRadio protocol provides authentication for a train control application-level protocol. We present an attack which exploits weaknesses in all three protocols: GSM-R has the same well known weaknesses as the GSM protocol, and we present a new collision attack against the EuroRadio protocol. Combined with design weaknesses in the application-level protocol, these vulnerabilities allow an attacker, who observes a MAC collision, to forge train control messages. We demonstrate this attack with a proof of concept using train control messages we have generated ourselves. Currently, ERTMS is only used to send small amounts of data for short sessions, therefore this attack does not present an immediate danger. However, if EuroRadio was to be used to transfer larger amounts of data trains would become vulnerable to this attack. Additionally, we calculate that, under reasonable assumptions, an attacker who could monitor all backend control centres in a country the size of the UK for 45 days would have a 1\% chance of being able to take control of a train.

U2 - 10.1145/3052973.3053027

DO - 10.1145/3052973.3053027

M3 - Conference contribution

SN - 978145034944

SP - 743

EP - 756

BT - ASIA CCS '17

PB - Association for Computing Machinery

CY - New York, NY, USA

T2 - ASIA CCS '17

Y2 - 2 April 2017 through 6 April 2017

ER -

An attack against message authentication in the ERTMS train to trackside communication protocols

Abstract

Conference

Access to Document

Fingerprint

Projects

SCEPTICS: A SystematiC Evaluation Process for Threats to Industrial Control Systems

Cite this