Skip to main content

Multi-channel Man-in-the-Middle Attack Against Communication-Based Train Control Systems: Attack Implementation and Impact

Part of the Lecture Notes in Electrical Engineering book series (LNEE,volume 640)

Abstract

Communication-based train control (CBTC) systems utilize continuous, high-capacity, and bidirectional train-to-wayside wireless communications to ensure the safe and efficient operation, where wireless local area networks (WLANs) based on 802.11 protocols are adopted as the main method. WLANs are working at the public frequency, and malicious interference and attacks are inevitable, which can badly affect the performance of CBTC systems. Due to the fail-safe mechanisms of CBTC systems, malicious attacks can cause the emergency braking of trains, and the operation efficiency can be reduced. Based on the vulnerabilities of WLANs, a multi-channel man-in-the-middle (MitM) attack on WLAN-based train-to-wayside communications is considered. The proposed attack method can manipulate the 802.11 frames, and bring delays, packet losing, and even modification of messages transmitted between trains and wayside equipment. Based on the operation principles of CBTC systems, the impacts of MitM attack are quantified according to the comparison between the train trajectories under attacks and the preset optimal running profiles of trains. Simulation results demonstrate principles and consequences of MitM attack.

Keywords

  • Communication-based train control
  • Multi-channel Man-in-the-Middle attack
  • WLAN
  • Cyber-physical system information security
  • Attack impact

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-981-15-2914-6_14
  • Chapter length: 11 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   269.00
Price excludes VAT (USA)
  • ISBN: 978-981-15-2914-6
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   349.99
Price excludes VAT (USA)
Hardcover Book
USD   349.99
Price excludes VAT (USA)
Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9

References

  1. Schifers C, Hans G (2000) IEEE standard for communications-based train control (CBTC) performance and functional requirements. In: Vehicular technology conference proceedings, VTC, pp 1581–1585

    Google Scholar 

  2. Aguado M, Jacob E, Saiz P, Unzilla JJ, Higuero MV, Matías J (2005). Railway signaling systems and new trends in wireless data communication. In VTC-2005-Fall. 2005 IEEE 62nd vehicular technology conference, vol 2. IEEE, pp 1333–1336

    Google Scholar 

  3. Weng J, Wu Y, Wei Z et al (2018) Position manipulation attacks to balise-based train automatic stop control. IEEE Trans Veh Technol 67:5287–5301

    CrossRef  Google Scholar 

  4. Lakshminarayana S, Karachiwala JS, Chang SY, Revadigar G, Kumar SLS, Yau DK, Hu YC (2018) Signal jamming attacks against communication-based train control: attack impact and countermeasure. In: Proceedings of the 11th ACM conference on security & privacy in wireless and mobile networks. ACM, pp 160–171

    Google Scholar 

  5. Vanhoef M, Piessens F (2014) Advanced Wi-Fi attacks using commodity hardware. In: Proceedings of the 30th annual computer security applications conference. ACM, pp 256–265

    Google Scholar 

  6. Vanhoef M, Piessens F (2017) Key reinstallation attacks: forcing nonce reuse in WPA2. In: Proceedings of the 2017 ACM SIGSAC conference on computer and communications security. ACM, pp 1313–1328

    Google Scholar 

  7. Vanhoef M, Piessens F (2016) Predicting, decrypting, and abusing WPA2/802.11 group keys. In: 25th USENIX security symposium (USENIX security 16), pp 673–688

    Google Scholar 

  8. Zhu L, Ning B (2010) The design of the CBTC train-ground communication system based on IEEE 802.11g standard. China Railway Sci 31(5):119–124 (in Chinese)

    Google Scholar 

  9. Vanhoef M, Bhandaru N, Derham T, Ouzieli I, Piessens F (2018) Operating channel validation: preventing Multi-Channel Man-in-the-Middle attacks against protected Wi-Fi networks. In: Proceedings of the 11th ACM conference on security & privacy in wireless and mobile networks. ACM, pp 34–39

    Google Scholar 

  10. IEEE Std 802.11 (2012) Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications

    Google Scholar 

  11. pyDot11. https://github.com/ICSec/pyDot11/. Accessed 1 May 2019

Download references

Acknowledgements

This paper was supported by grants from the National Natural Science Foundation of China (No. 61790575, 61603031), Beijing Natural Science Foundation (No. L181004) projects (No. RCS2018K008), and Beijing Laboratory for Urban Mass Transit.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Mengchao Chi .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2020 Springer Nature Singapore Pte Ltd.

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Chi, M. et al. (2020). Multi-channel Man-in-the-Middle Attack Against Communication-Based Train Control Systems: Attack Implementation and Impact. In: Liu, B., Jia, L., Qin, Y., Liu, Z., Diao, L., An, M. (eds) Proceedings of the 4th International Conference on Electrical and Information Technologies for Rail Transportation (EITRT) 2019. EITRT 2019. Lecture Notes in Electrical Engineering, vol 640. Springer, Singapore. https://doi.org/10.1007/978-981-15-2914-6_14

Download citation

  • DOI: https://doi.org/10.1007/978-981-15-2914-6_14

  • Published:

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-15-2913-9

  • Online ISBN: 978-981-15-2914-6

  • eBook Packages: EngineeringEngineering (R0)