Polish teenager derails trams using TV remote

Maybe you thought we were being paranoid about security in our post last Thursday about Boeing’s unholy union of user Internet access with networks for control and navigation aboard the new 787 Dreamliner.  Nobody could really hack one of these networks, now could they?

As if presaging things to come, a teenager in Łódź, Poland managed to hack the infrared controls of the local tram system and rewired a TV remote control to issue commands to modify track settings.  He then proceeded to play with the tram system “like any other schoolboy might a giant train set,” switching track points at will and causing derailments that resulted in twelve injuries.  Fortunately, no one was killed.

Teachers describe the 14-year-old as ‘a model pupil and an electronics “genius”‘, but I don’t think this prank owes as much to genius as it does to stupidity.  Once again we encounter a control system, responsible for passenger safety, in which considerations for security have been grossly ignored.

The teen supposedly trespassed at tram depots in order to gather information and equipment that he used in building his infrared control.  So first of all, who was watching the depot?  It might have been just as easy for someone to plant an explosive on a tram.

Second, how could a system like this use IR for controlling track points?  What were they thinking?

Admittedly, the computer networks aboard the Boeing 787 are probably much less hackable than the aging chewing-gum-and-baling-wire infrared tram controls of a Polish municipality’s tram system.  But the lesson remains the same:  if a system can be cracked, it probably will be.  Where public safety is involved, don’t assume that no one will bother.





17 Responses to Polish teenager derails trams using TV remote

  1. Chip, weren’t there multiple injuries caused by this penetration of the tram system?

    Also, its not that they were using IR that was so bad, but they also apparently neglected to enforce strong authentication on the signals.

  2. In that IR signals are like any other signals, authentication can be easily added. It could request the code from a smart card for instance, before granting access to the function of say, a track switch.

    Don’t IR mouses have to be tied or authenticated to a system to prevent interference from other IR mouses?

    • It depends on the model and brand.. Logitech has a technology named “SecureConnect” on some of their wireless mouse / Keyboard combo..

      From logitech’s website:

      “With Logitech´s new SecureConnect™ technology, the cordless keyboard, mouse, and Bluetooth 2.0 EDR micro-receiver are all pre-synchronized and pre-paired during manufacturing. They´re ready to go, right out of the box, with a secure link and without the hassle of a manual connection process. With SecureConnect technology, encryption is also completely pre-configured — it is no longer necessary to enter a passkey to connect the components of the Bluetooth desktop. People simply plug in the Bluetooth micro-receiver and begin working.”

      But that’s for a Bluetooth signal.. The same principle could be applied to an IR one..

  3. Chip, weren't there multiple injuries caused by this penetration of the tram system?

    Also, its not that they were using IR that was so bad, but they also apparently neglected to enforce strong authentication on the signals.

  4. In that IR signals are like any other signals, authentication can be easily added. It could request the code from a smart card for instance, before granting access to the function of say, a track switch.

    Don't IR mouses have to be tied or authenticated to a system to prevent interference from other IR mouses?

    • It depends on the model and brand.. Logitech has a technology named "SecureConnect" on some of their wireless mouse / Keyboard combo..

      From logitech's website:

      "With Logitech´s new SecureConnect™ technology, the cordless keyboard, mouse, and Bluetooth 2.0 EDR micro-receiver are all pre-synchronized and pre-paired during manufacturing. They´re ready to go, right out of the box, with a secure link and without the hassle of a manual connection process. With SecureConnect technology, encryption is also completely pre-configured — it is no longer necessary to enter a passkey to connect the components of the Bluetooth desktop. People simply plug in the Bluetooth micro-receiver and begin working."

      But that's for a Bluetooth signal.. The same principle could be applied to an IR one..

  5. “Admittedly, the computer networks aboard the Boeing 787 are probably much less hackable than the aging chewing-gum-and-baling-wire infrared tram controls”

    As soon as you say something is less hackable or forbid you say un-hackable you just told a big fat lie you would wish you never said (at least if you were the dude in charge of such a system). I don’t know about other people but when I hear that something cannot be done or is very difficult to accomplish it works as a catalyst for me, making me want to accomplish it even more.

    Not to mention all of people who would want to pull it off to get famous and be the first person who managed to do it.

    If I were Boeing I would add the required extra layers of security, hire a bunch of electronics wizards and let them have a go at it for 2 months. If they can’t beat it in that time I’m quite sure no one will for a long time. As no one has the money to fly that thing that many times that it equals 2 moths fly time to gather info and actually start cracking the system.

    • I didn’t say it was unhackable, just less hackable. I agree with you that it makes a tempting prize for someone looking for cracker cred.

  6. "Admittedly, the computer networks aboard the Boeing 787 are probably much less hackable than the aging chewing-gum-and-baling-wire infrared tram controls"

    As soon as you say something is less hackable or forbid you say un-hackable you just told a big fat lie you would wish you never said (at least if you were the dude in charge of such a system). I don't know about other people but when I hear that something cannot be done or is very difficult to accomplish it works as a catalyst for me, making me want to accomplish it even more.

    Not to mention all of people who would want to pull it off to get famous and be the first person who managed to do it.

    If I were Boeing I would add the required extra layers of security, hire a bunch of electronics wizards and let them have a go at it for 2 months. If they can't beat it in that time I'm quite sure no one will for a long time. As no one has the money to fly that thing that many times that it equals 2 moths fly time to gather info and actually start cracking the system.

    • I didn't say it was unhackable, just less hackable. I agree with you that it makes a tempting prize for someone looking for cracker cred.

  7. Pingback: Cyborg legs monitor each other’s movements via Bluetooth