The Cheap Radio Hack That Disrupted Poland’s Railway System
Since the beginning of the war erupted between Ukraine and Russia in 2014, Russian hackers used some of the most sophisticated hacking techniques ever seen in the wild to destroy Ukrainian networks, disrupt the country’s satellite communicationsand even caused power outages for hundreds of thousands of Ukrainian citizens. But the mysterious saboteurs who disrupted Poland’s rail system over the past two days — a key transit infrastructure for NATO in its support of Ukraine — appear to have used a much less impressive form of technical mishap: Spoof a simple radio command to trains, which activates their emergency stop function.
On Friday and Saturday, August 25 and 26, more than 20 of Poland’s freight and passenger trains were stopped across the country due to Polish media and the BBC described it as a “cyber attack”. Polish intelligence services are investigating the sabotage, which appears to have been carried out in support of Russia. The saboteurs reportedly peppered the commands they used to stop the trains with the Russian national anthem and parts of a speech by Russian President Vladimir Putin.
Poland’s rail system serves as a key resource for facilitating Western arms and other aid into Ukraine as NATO tries to bolster the country’s defenses against a Russian invasion. “We know that for several months there have been attempts to destabilize the Polish state,” Stanislaw Zarin, a senior security official, told the Polish Press Agency. “We are not ruling anything out at this time.”
But as devastating as the rail sabotage was, on closer inspection the “cyber attack” doesn’t appear to have involved cyberspace at all, according to Lukasz Olejnik, a Polish-language independent cybersecurity researcher and consultant and author of a forthcoming book Cyber Security Philosophy. In fact, the saboteurs appear to have sent simple “radio-stop” commands via radio frequency to the trains they targeted. Because the trains use a radio system that lacks encryption or authentication for these commands, Olejnik says, anyone with less than $30 in off-the-shelf radio equipment can broadcast the command to a Polish train — sending a series of three acoustic tones at a frequency of 150.100 megahertz — and trigger their emergency stop function.
“These are three tone messages sent in succession. Once the radio equipment accepts it, the locomotive stops,” Olejnik says, pointing to a document outlining the various technical standards for trains in the European Union. describes the stop radio command used in the Polish system. In fact, Olejnik says the ability to send a command has been described on Polish radio and train forums and on YouTube for years. “Anybody could do that. Even teenagers troll. The frequencies are known. The tones are familiar. The equipment is cheap.”
Poland’s National Transport Agency has announced its intention to modernize Poland’s railway systems by 2025. almost exclusively use GSM cellular radios, which have encryption and authentication. But until then, it will continue to use the relatively unprotected VHF 150 MHz system, which allows radio stop commands to be tampered with.
Comments are closed.