Since war first broke out between Ukraine and Russia in 2014, Russian hackers have used some of the most sophisticated hacking techniques ever seen in the wild to destroy Ukrainian networks, disrupt the country’s satellite communications, and even trigger blackouts for hundreds of thousands of Ukrainian citizens. But the mysterious saboteurs who have, over the past two days, disrupted Poland’s railway system—a major piece of transit infrastructure for NATO in its support of Ukraine—appear to have used a far less impressive form of technical mischief: Spoof a simple radio command to the trains that triggers their emergency stop function.
On Friday and Saturday, August 25 and 26, more than 20 of Poland’s trains carrying both freight and passengers were brought to a halt across the country through what Polish media and the BBC have described as a “cyberattack.” Polish intelligence services are investigating the sabotage incidents, which appear to have been carried out in support of Russia. The saboteurs reportedly interspersed the commands they used to stop the trains with the Russian national anthem and parts of a speech by Russian president Vladimir Putin.
Poland’s railway system has served as a key resource in the facilitating of Western weapons and other aid into Ukraine as NATO attempts to bolster the country’s defense against Russia’s invasion. “We know that for some months there have been attempts to destabilize the Polish state,” Stanislaw Zaryn, a senior security official, told the Polish Press Agency. “For the moment, we are ruling nothing out.”
But as disruptive as the railway sabotage has been, on closer inspection, the “cyberattack” doesn’t seem to have involved any cyber at all, according to Lukasz Olejnik, a Polish-speaking independent cybersecurity researcher and consultant, and the author of the forthcoming book Philosophy of Cybersecurity. In fact, the saboteurs appear to have sent simple “radio-stop” commands via radio frequency to the trains they targeted. Because the trains use a radio system that lacks encryption or authentication for those commands, Olejnik says, anyone with as little as $30 of off-the-shelf radio equipment can broadcast the command to a Polish train—sending a series of three acoustic tones at a 150.100 megahertz frequency—and trigger their emergency stop function.
“It is three tonal messages sent consecutively. Once the radio equipment receives it, the locomotive goes to a halt,” Olejnik says, pointing to a document outlining trains’ different technical standards in the European Union that describes the radio-stop command used in the Polish system. In fact, Olejnik says the ability to send the command has been described in Polish radio and train forums and on YouTube for years. “Everybody could do this. Even teenagers trolling. The frequencies are known. The tones are known. The equipment is cheap.”
Poland’s national transportation agency has stated its intention to upgrade Poland’s railway systems by 2025 to use almost exclusively GSM cellular radios, which do have encryption and authentication. But until then, it will continue to use the relatively unprotected VHF 150 MHz system that allows the radio-stop commands to be spoofed.