Hacking Trains

11 January 2008

The Register reports that a Polish teenager has been charged with hacking the Lodz tram network. Apparently, he built a device that will move the points (more commonly referred to as switch tracks in the US), sending the trams onto the wrong tracks. There were four derailments and twelve resultant injuries.

The device is described in the original article as a modified TV remote control. Presumably, this means that the points are normally controlled by IR signals; what he did was learn the coding and perhaps the light frequency and amplitude needed. This makes a lot of sense; it lets tram drivers control where their trains go, rather than relying on an automated system or some such. Indeed, the article notes "a city tram driver tried to steer his vehicle to the right, but found himself helpless to stop it swerving to the left instead."

Using IR signals to control traffic is reasonably common. In many parts of the world, emergency vehicles can use a device known as a MIRT (Mobile Infrared Transmitter) to turn lights green. Not surprisingly, these have been hacked; there are even plans available to build your own. Newer MIRT receivers use a more sophisticated encoding. In at least one system, emitters can be programmed to transmit a specific code number; that value is set by thumbwheels in the vehicle. It isn't clear to me how the receiver value is changed; it doesn't seem to be hard-coded in the device, so perhaps it can be downloaded and hence changed on a daily basis.

There are several lessons here. The first is that security through obscurity simply doesn't work for SCADA systems, whether it's a tram, a traffic light, or a sewage plant.

A second lesson is that security problems can have real-world consequences, such as injuries.

Finally, even though automated systems can have problems, the mere availability of a manual control doesn't always protect you.

