An attack against message authentication in the ERTMS train to trackside communication protocols
- Submitting institution
- The University of Birmingham
- Unit of assessment
- 11 - Computer Science and Informatics
- Output identifier
- 43275522
- Type
- E - Conference contribution
- DOI
- 10.1145/3052973.3053027
- Title of conference / published proceedings
- ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security
- First page
- 743
- Volume
- -
- Issue
- -
- ISSN
- -
- Open access status
- -
- Month of publication
- April
- Year of publication
- 2017
- URL
- -
- Supplementary information
- -
- Request cross-referral to
- -
- Output has been delayed by COVID-19
- No
- COVID-19 affected output statement
- -
- Forensic science
- No
- Criminology
- No
- Interdisciplinary
- No
- Number of additional authors
- 3
- Research group(s)
- -
- Citation count
- 5
- Proposed double-weighted
- No
- Reserve for an output with double weighting
- No
- Additional information
- The communication between trains, central operators, and trackside equipment is performed by the European Rail Traffic Management System (ERTMS). This work presents a security attack which exploits weaknesses in all three ERTMS protocols: GSM-R, EuroRadio, and the application-level protocol. We combine known vulnerabilities in GSM-R with newly identified cryptographic vulnerabilities in the EuroRadio protocol and exhibit weaknesses in the application-level protocol to forge valid train-control messages. We demonstrate a proof-of-concept attack using self-generated messages, and compute the probability spectrum of a successful attack. RSSB and Network Rail agreed that EuroRadio is not safe to use with transport protocols faster than GSM-R.
- Author contribution statement
- -
- Non-English
- No
- English abstract
- -