Saturday, January 12, 2008

14-year-old hacks train - Security by Obscurity Fails

If you haven't seen this story yet, you're in for a surprise. A 14-year-old boy in Poland hacked into the train control system and was able to take control of the train junctions. Several trains derailed, causing numerous injuries, but luckily nothing worse.

Based on the information in the articles, the boy's "hack" was simply building a device that could send the correct signals to the train track control system. The device was created from a TV remote control and communicated with the train controls over infra-red.

The obvious problem here is that there wasn't any actual security implemented. I imagine that the designers of the train control system figured that most people wouldn't try, or be able, to create such a device, and that the system would therefore be secure. However, this is the problem with security by obscurity: the item (in this case the ability to control the train system) is only secure while people don't know how to access it. If these remote controls suddenly went on sale at your local grocery, everyone could control the trains. This is precisely why you can't rely on obscurity, just hoping that people don't figure out how to access your system.

Instead, implement strong authentication to access the control system and use an encrypted stream of communication. There are a variety of options. The bottom line is that a security threat analysis has to be performed and security has to be implemented. We can't just keep hoping that nothing bad will happen and ignore fundamental security practices.
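To make the contrast concrete, here is an added example (not from the original post or from any real train control system) of a receiver that accepts any well-formed command next to one that requires a keyed tag and a fresh counter. The frame layout, key, and class names are assumptions made for illustration, and the sketch covers authentication and replay rejection only, not encryption.

```python
import hmac, hashlib, struct

# Constructed frame layout (assumption): junction id (1 byte), position (1 byte),
# counter (4 bytes, big-endian), followed by a 32-byte HMAC-SHA256 tag.
HEADER = struct.Struct(">BBI")
TAG_LEN = hashlib.sha256().digest_size

def build_frame(key: bytes, junction: int, position: int, counter: int) -> bytes:
    """Controller side: serialize the command and append a tag over it."""
    body = HEADER.pack(junction, position, counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class ObscureReceiver:
    """Accepts any well-formed command: knowing the format is the only barrier."""
    def accept(self, frame: bytes) -> bool:
        return len(frame) >= HEADER.size

class AuthenticatedReceiver:
    """Accepts a command only with a valid tag and a counter not seen before."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def accept(self, frame: bytes) -> bool:
        if len(frame) != HEADER.size + TAG_LEN:
            return False
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return False                             # forged or corrupted
        _, _, counter = HEADER.unpack(body)
        if counter <= self.last_counter:
            return False                             # recorded frame replayed
        self.last_counter = counter
        return True

def demo() -> dict:
    key = b"constructed-demo-key-not-for-use"        # constructed sample key
    rx = AuthenticatedReceiver(key)
    genuine = build_frame(key, junction=7, position=1, counter=1)
    forged = HEADER.pack(7, 0, 2) + bytes(TAG_LEN)   # right format, no key
    return {
        "obscure_accepts_forged": ObscureReceiver().accept(forged),
        "auth_accepts_genuine": rx.accept(genuine),
        "auth_accepts_replay": rx.accept(genuine),
        "auth_accepts_forged": rx.accept(forged),
    }

if __name__ == "__main__":
    print(demo())
```

The counter check matters as much as the tag: without it, a correctly tagged frame captured once would remain valid every time it is sent again.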

-Michael Coates