Rail network SCADA systems have been deemed vulnerable by Russian hackers, who published hard hardcoded industrial control system credentials.
Although the bugs found were not described in detail, Sergey Gordeychik, Aleksandr Timorin, and Gleb Gritsai say they involve vulnerabilities entertainment systems, collision-avoiding interlocking platforms and mobile communication.
“If somebody can attack the modem, the modem can attack the automatic train control system, and they can control the train,” said Gordeychik. “A lot of devices work on the same channel: like engineering equipment and user systems,” Timorin added.
The use of old and outdated operating systems coupled with internet connectivity to automate and offer newer functionalities has opened up vulnerabilities that can be easily exploited, according to the hacker trio.
The team found several code vulnerabilities and authentication issues that could let someone cause serious damages. In an attempt to help fix the found vulnerabilities and push vendors into releasing patches and fixes, they published a list of hard-coded passwords to some of the systems they’ve investigated.
“We are releasing the list to force vendors to not use hardcoded and default passwords,” said Gordeychik. “The first threat is to safety, or cyber-physical – the second is economic threats to impact efficiency and revenue, and the third is threats reliability.”
While some operators have already begun fixing some of the reported issues, the hacker team is confident that the seriousness of their findings, along with publicly sharing hardcoded passwords, will spur new security updates and procedures aimed at protecting rail networks.