Schneier on Security

Clive Robinson • August 28, 2023 11:52 AM

@ ALL,

It’s not just Poland, in some way or another it applied across most of Europe.

But it realy only takes a wire, look up more recent protests and back in the 1960’s in Britain “Great Train Robbery” where one of those involved used a battery and a couple of wires to cause a false “track occupied” thus stop signal.

To reduce this issue it was hoped that radio would make it difficult and for over half a century it worked. However modern electronics from China are increadibly cheap noe and “Software Defind Radio”(SDR) systems that can transmit easy to get for not a lot of money.

However you can go do it for even less, by going out and buying a Boufang UV5R for as little as $25…

Along witha Arduino Nano for three to six dollars that will easily generate the tones (look up how a “Direct Digital Synthesizer”(DDS) works it only takes,

1, A Sinewave lookup table.
2, A hardware interuput counter.
3, Four output pins and resistors.

Personally I prefere to use two squarewaves at fixed frequencies mix then together in the software equivalent of a D-Type latch and low pass the resulting pulse train, it’s clraner and quicker.

Or just put a tone generator app on your mobile phone and play the toend into the UV 5R microphone.

The point is there are a myriad of inexpensive ways to do this, which is why there os a European initiative to upgrade railway signalling across the whole of Europe but… It’s going slowely, whilst the mobile phone standards in comparison are going fast…

For some background and further information Have a look at,

https://m.youtube.com/watch?v=uAEg5IHeURQ

Clive Robinson • August 28, 2023 8:40 PM

@ vas pup, ALL,

Re : AI as the perp.

You give me a thought,

If some one tells an AI to find secirity vulnetabilities what happens when it finds one?

We know from long experience, that if an ordinary individual finds a vulnarabilitu, and reports it they are told it is not realy there or is not abusable etc.

This ignore/attack the messanger is so common that in nearly every case these daus a “Proof Of Concept”(POC) is developed and executed as a “demonstration”.

Technically developing/demonstrating a POC can be a crime and some managers at some software devrlopers like Oracal have threatened or actually taken leagal action against the researcher.

So the thought occures what happens if you use an AI and tell it,

1, Find vulnerabilities in XXX
2, Produce POC code
3, Test POC code

Are you being any less a criminal if you say,

1, Find and demonstrate vulnerability in XXX.

I guess it’s one of those qurstions that courts will no doubt have to deal with eventually. That is AI ans an agent of another entity.

But then what if the entity is another AI?

Those turtles would need to breed real fast to keep up…

Anyway The August Bank Holiday is over in England etc, so technically it will be nose back to the grind stone, unless of course Public Transport has “overrunning works” in which case it will be welcome to “The road to hell”,

https://m.youtube.com/watch?v=OcW-BSEB3ng

(Shown is “Westway” A40(M40) in West London, with bits from London Heathrow into Edgware and down to Earls Court. Those tower blocks where you look into a flat and down onto the underground railway are on the “west cross route” A3220(M41) that strangely went north-south and was just East of what was White City where BBC Television Centre was,

https://en.m.wikipedia.org/wiki/Television_Centre,_London

And where many many years ago long before the dump called Westfield was constructed we used to put out more than one Pirate radio station, that was back when work was fun 😉

Clive Robinson • August 29, 2023 2:24 AM

@ Mr.Obvious, ALL,

“150.1 MHz limits you to radio-line-of-sight. You might reach 10 to 30 miles away, but not the other side of the country let alone the world. It’s strictly a local attack.”

Whilst I would agree with “let alone the world” not so much “the other side of the country” and certainly not a “local attack”.

I’ve previously pointed out the dangers of hand held radios like the Baofeng UV5R on the ground with a very what appears a very poor range of a couple of kilometers or so. But that with tiny SDR receivers and computers with WiFi dongles on drones that can fly to 300m or more getting 60km range for SigInt activities. We really have to think a little differently these days.

150MHz is 2m wave length only a fraction above the amateur radio VHF satellite band around 145.7-146.0 as can be seen,

https://amsat.org/amateur-satellite-index/

And amateurs communicate with them at distances that easily exceed the width of the Atlantic ocean.

Now as most know there is a war going on at the East of Europe currently and there have been attacks on satellite and other commercial communications and transportation systems by Russian personnel.

I’m not sure how big Poland is exactly but a quick measure in my European road atlas indicates, about 650km north to south and 690km east to west.

We know a light aircraft can fly ordinarily at a “mile up” or call it 1600m with a quite powerful VHF signal of upto one kilowatt output being easily possible.

The radio horizon calculation which gives the coverage radius, can be found from,

Dist = 4.12 x sqr(h)

So sqr(1600) = 40
Times 4.12 = 164.8km

So the coverage diameter would be double that at 329.6 km, giving about a quarter of Poland.

In 1945 Herald T. Friis, working at Bell Labs derived The free space formula for power at the receiver input from the transmitter output for any given wavelength and Tx and Rx antenna gains. It’s known as the “Friis Calculation” and it’s used as a quick way to find out how much power you need to cover a radio path or area when designing a communications path or broabcast area.

The Polish railway system opperates at 150MHz so has a 2m wavelength and at a 60dBm (1kW) Tx output power at 164800m range, assuming a TX antena gain of 2.5dBi and an RX antenna gain of -10dBi you get approximately -67.8dBm. As a narrow band FM receiver needs around -120dBm to be quietened you’ve got a margin of ~53db or 200,000 times the power in hand…

A quick lookup says a Cessna 172 has a given maximum normal operational altitude of 14,000ft or 4260m giving an increase in coverage diameter out to 540km ordinary passanger jets like for instance, the Boeing 747-200, that debuted in 1968, has a “service ceiling” of 45,100ft. So say 30,000 to 45,000ft or 9120-13680m giving a coverage diameter of 588-964km.

So a passanger aircraft flying at normal operational hight carrying a 1kW transmitter could stop every train in Poland at the same time.

Now if this should be a concern to the Polish authorites or not at a time when a Super Power effectively “next door” has dropped a less than subtle hint they will attack them…

From a couple of days back,

https://www.telegraph.co.uk/world-news/2023/08/28/ukraine-russia-war-latest-news-robotyne-counteroffensive/

If Russia does decide to invade Poland from Belarus, then almost the first thing they would want to do is shut down any and all transportation of military materials in Poland…

Clive Robinson • August 29, 2023 5:56 PM

@ Tatütata, ALL,

Re : 2G and usage.

“GSM-R was/is 2G GSM based,”

It still is in the UK, where 2G refuses to die for various reasons (not least the chipsets are less than 2USD whilst 4G is upwards of 25USD last time I looked shortly before 5G became normal).

I’m not entirely certain but it looks like National Rail runs it’s own 2G network based on the trackside antennas.

From an operations based perspective 2G offers what TETRA, P25 and DMR based networks can not. Not least is clarity of voice which is realy absent in the narrow band FM Digital networks, and is vitaly of importance in emergancy situations (it’s also argued that voice clarity is the same reason Airband systems are still AM based).

Mad as it might appear I can see 2G outliving not just 3G but plain 4G as well. There is so much of it in “infrastructure control systems” that the cost of pulling it out even over a decade would just be to expensive and the UK radio regulator OfCom is not going to want to get into that battle as much to their horror they found out a few years back that not just the network operators but user interest groups are more than happy to get highly litigious and can pay legal tallent that OfCom can only dream about.

And with some OfCom staff like Clive Corrie caught out being less than honest on multiple occasions and their in house legal staff committing forgery then presenting it in court as prosecution evidence…

As OfCom know I’ve got the evidence tucked away in several places just in case…

Clive Robinson • August 29, 2023 11:33 PM

@ Lynn H,

“Could someone, for example, hack a “smart” wireless doorbell to transmit on that frequency? Maybe not, ’cause there’s nothing but public FM radio, amateur radio, and aviation and marine radio near that frequency.”

It’s getting way easier day by day.

The world is moving very rapidly into “One chip/module fits all” type supply/inventory as it very significantly reduces BOM and SBOM costs.

All those Chinese hand helds and quite a few Japanese and South Korean manufactured radios all use the same family of chips/modules which are RDA1846 and use standard I2C interfacing[1]. Hence are very easy to reprogram and the 136-174MHz and 400-520MHz coverage commonality with the UV5R and which got augmented when the UV5X3 added 220–225Mhz (which is apparently now opening up to 50-600Mhz or more with the newer chips used in the Quansheng UV5 that appear to have an SDR within).

The difference between the Chinese commodity HTs etc below 30USD and Japanese and South Korean “Type approved” and carrying GCC and CE approvals with a 80USD and up price tag is how much in the way of filtering is added on the modual output prior to or following the aditional PA or the antenna circulator/diplexer both for TX and to remove de-sense issues on RX.

Even though the Japanese and South Korean “Ham HT’s” and PMR etc tend to have way better filtering, it’s still quite broad. This is because it’s the 1st harmonic (@2xF) they want to get -50dBc or more down. Such filters are sometimes low passes going for -60dBc at the 4th harmonic (@5xF), with a Q or T-notch on the 1st harmonic. Which whilst it works very well when the device is used “in band” as intended… the Q-notch being narrow band is of very limited use. So for a 144-148 2m amature band HT “serious TX filtering” does not start till around 275-280MHz so the 136-174 gets through quite easily and it falls to the antenna that acts as a ~5% to -3db bandwidth filter by having a non ideal match.

Yes more specific filtering can be added but this increases both cost and PCB realestate thus device casing size all of which adds considerable unwarranted cost. So does not get done in FMCE type manufacturing.

So you now have all the information you need to go play and hack the RDA chip, thus you just need to find a device you can “jail break”

If you search for the “Quansheng UV5” you will find a web site that alows you to “patch the code” and make a download.

Have a look at how to first make it do 18-1300MHz,

https://m.youtube.com/watch?v=kqr8t0_4EXU&pp=ygUOcXVhbnNoZW5nIHV2NWs%3D

Then if you goto his channel you will find other vids.

None of this hacking is exactly difficult to do and should be well within the abilities of a college student or fitst year doing a hard science or engineering degree[2].

[1] Hacking the chip is not exactly difficult, in fact you can download all you need to get up and playing around with it in a day or less. There are even fairly explicit HOWTO’s such as,

http://www.liorelazary.com/index.php?option=com_content&view=article&id=49%3Ahacking-the-baofeng-uv5r&catid=14%3Abaofeng-uv5r&Itemid=17

Even though the chip is supposed to be “Under NDA Only” you can very easily find

1.1, Hardware data sheet
1.2, Programing guide
1.3, Code libraries

[2] For some reason, I point out things that are not just accurate but verifiable as such with an easy Intetnet search or three, yet I don’t get believed… Why I realy don’t know, I can only assume they think I’m making it up as a knee-jerk reaction and don’t or can’t be bothered to do the simple searches required to verify I’m not doing an “AI Hallucination”.

Clive Robinson • August 30, 2023 7:10 AM

@ Mr.Obvious,

“Is your plane flying at 45,000 feet over Poland? Or are you doing it from outside Poland?”

In the case of some actors it could be way more than 45,000ft military aircraft can do 55,000 and up. Even a clandestinely released ballon can go that high with a small payload and go very long distances[1]. And the maths shows there is enough “signal margin” to come down quite a ways you’ve got aprox 50db margin so 1kW can be reduced by 10^5 or 10,000 times down to 0.1watt or less if clear line of sight can be assured (and the higher you are the more likely that is, but I don’t want to get into defraction and terain following effects as the maths starts getting beyond mental calculation.

“Somewhere your plane won’t get shot down?”

You can do it with multiple aircraft outside of national air space, and who is going to shoot down a passanger aircraft other than Russia?

But think a little further and life gets very interesting at a “four man brick” Gladio level which as I’ve mentioned before I was involved with in the 1980’s.

“Radio direction finding is comparatively simple & straightforward.”

It’s not as simple as many people think, as you find out when you get a few “intermitant RDF fox-hunts” under your belt… Anyway it’s currently not in place and would take a while to put in place. You can buy such a small bug/fox device of 10-100mW output for less than $50 for the 2m band and they are increadibly easy to change their frequency if you want to. Also some made with “surface mount” components can be put inside a “Sharpie Pen” or “highlighter pen” or larger “felt pen” case and use a strand of nearly invisable 40AWG wire as an OCFD or EFHW antenna (I’ve done both, remember I am an RF Engineer by training and sometimes vocation, as I’ve mentioned befor one of my jobs working with a friend used to be making high end surveillance devices and later designing some of the best broadcast transmitters money could buy via his company “Broadcast Warehouse”).

Oh and remember both legally and technically it’s a “civil nuisance” bordering on criminality not an “act of war” whilst shooting a civilian aircraft down is something we know causes considerable political and state level disquiet and action, as more than one reader/poster here is acutely aware of.

The thing to remember about such emergancy stop signals is they only need be transmitted for at most 15secs to cause several hours or even days of disruption. And as they are base level safety systems you can not just “yank them out” way to many other systems have been built up on them with the assumption “they will just work” to do that…

As to your other points I can address them all if you want me to, but first do some fairly easy “Internet Searching” you will be quite shocked at what you will find. I suspect others such as @Tatütata, @Winter, @RobertT, are well aware of all of this as well as several other long term readers/posters.

As I’ve pointed out before, just be very thankfull engineers don’t tend to become terrorists… But as the Russian’s are finding out, they do make very good freedom fighters in asymetric warfare (see YouTube “PERUN” channel for some very interesting oversight on what is going on).

I’ve been in this skullduggery game one way or the other since the mid 1970’s and still “advise” at all sorts of “Pay Grades”. I suffer from what our host @Bruce has in the past called “thinking hinky”, I can not look at systems without seeing ways to exploit them and I’ve been doing that since atleast being in “Primary School” when I first started picking locks and similar and fixing valve/tube radios. By the time I hit “Secondary school” as a pre-teen I was an absolute menace as was someone who became a life long friend. We were seen as a “pair” and nobody knew which one was holding the other back what we got upto was so outside the box it was “alien” to the way nearly every adult thought. They were in the main just grateful that we were not malicious or of criminal intent just as one senior person once said “doing it for the craic”… And ranged from silly pranks with boobytraped ballons full of water through to taking over the BBC FM broadcast in the Isle of Wight because the BBC had daftly simply rebroadcast what they received from the mainland…

[1] Also to answer @Tatütata’s “why?” question “yes it has all been done before” it’s just that nobody talks about it “in case it gives others ideas”… If you look back on this blog you will find me relating the tale of a friend, a tiny tone generator a two transistor buging device on a VHF frequency running on a small battery supply and some large ballons and a cylinder of “party gas” to fill them back in the 1980’s[2]. Released from the outskirts of SW London from a back garden in the evening after dark. The frequency selected was one that my friend knew would be quiet, ie the British Gas repeater input frequency, but one that could easily be “followed” simply by listening to the frequency, the repeater(s) output frequency, or both. Which quite a few people in the “Pirate Radio/scanner scene” who got phoned up did, all the way into Europe untill the battery died or it came down (it’s one reason the UK Gov via OfCom are very very anti amateur radio ballon to this day nearly half a century later).

[2] This was at a time of the “Repeater wars” you tend not to hear very much about these days (though the YouTube “Ringway Manchester” channel has covered some of it). But one repeater subject to such attacks at the time was GB3SL on the BBC mast at Crystal Palace in South East London. It finally escalated to the point things got booby-trapped with explosives and people got rather more than surprised. Prior to that however some of the “intermitant jammers” got hidden in black cabs and minicabs unbeknown to the cabs owner/drivers thanks to “Bob” of East London.

Clive Robinson • September 1, 2023 6:08 AM

@ Tatütata,

Re : Back in the 90s

“The implementation of TETRA (and other digital trunking sytems) has been sadly a running fiasco.”

And always will be…

Because at the very base level the digital systems require three very important things analog systems do not,

1, An increased bandwidth.
2, Synchronisation.
3, A distortion free channel.

The actual issue was a frequency spectrum one, on how you shared it.

To keep with the existing chanalised analog system which is what the “Trunked” systems are ment to do, ment squeezing a digital voice system with a lot of overhead, into an existing NBFM analog system bandwidth. Simple logic indicates there are no magic buckets, and once a bucket is full you can not carry more.

But worse such Trunked digital systems are very expensive with handsets being more than eight times the price of an analog system and do not ask about the base syations the multiple went into imaganary mathmatics. Thus to sell them a lot of features were added that had little cost “as it was software” but at sales talks made it sound like you were going to get a lot of bang for your buck. But the reality was that could only happen by utilising spare channel time. In emergancies you just do not get spare channel time, so these Trunked digital systems will undoubtedly be the cause of deaths.

But also those digital systems had a much lesser range due to needing twenty times or more the radiated power in open field near perfect channel conditions. So the Trunked digital system handsets could not meet the coverage or battery life needs in urban let alone city areas. Which ment the solution was having vastly reduced range and having a lot more base stations (and a lot more “no coverage” areas).

Motorola especially knowingly made a lot of false promises over digital systems and in the process incorect decisions were made at the political level (in the UK it was at the Home Office).

GSM went the other way it went for very wide bandwidth and synchronization and lots of small coverage areas, but easily shared amoungst thousands of users. But still suffers the “full bucket effect” which always becomes an issue in emergancies.

The trick with GSM is the base station can stop individual chosen handsets from being used, thus in emergancies certain users can be prioritised over others in the blink of an eye.

The problem is that in the UK certainly, you now find Police especially as well as other first responders carrying multiple GSM Phones to make up for the fact that Trunked Digital Systems just do not work even in quiet times…

So come a major emergancy as happend in 2005 with the 7/7 London bombings not only did the Trunked Systems fail the GSM systems did as well, and it was not a pretty sight.

Yes the radio communications systems failing was reported, but as always with “stupid” the politicians “doubled down” on Trunked Digital…

And the current “on the ground” response by those doing their daily job is more GSM handset traffic on Personal Phones.

Something not lost on the Mobile Phone network providers who now sell priority service to the Utility Companies who have switched over to these “Push to talk” GSM systems such as POC, Real-PTT and Global-PTT and Zello systems, using so called “Network Radios”. That basically use GSM “Networks” rather than Two Way Radio. To see how confusing it is watch,

https://m.youtube.com/watch?v=88-dg3BBf20

(just remember that UV5’s are only Two Way NBFM HT’s)

Zello is interesting as it uses Android and thus can not only be customized it can use WiFi as well.

There are now some units that can do all three ie Two Way on amateur bands, WiFi and GSM. They can be complicated to set up but they do offer considerable reserve capability. Whacking an emergancy WiFi hotspot in place is simply a case of throw a flight case on a high point and flipping a switch if you add filtering by MAC you can keep a lot of idiots away. Likewise these days a cross-band repeater with VHF in and UHF out is easy to deploy and as such you can put several in the same place without interfering with each other add multiple CTS/DTS tones and you can keep others out. Use cross band DMR and life can get interesting.

So we are starting to move towards systems that can cope with emergancies by tailoring bandwidth and time utilisation as needed, and which will even work underground and transition to above and remote as needed with Ambulance staff. But no one system is going to work, and untill the Politico’s get to understand this, the likes of Motorola are going to make a lot of snake-oil profit…

Clive Robinson • September 1, 2023 8:39 AM

@ trainspotter, lurker, P Coffman, Winter, ALL,

“The classical solution is to make the wheels slightly conical,”

But it still only works with limited or gentle curves.

As old fashioned brewery and similar who rolled barrels down wooden rails can attest. Or more modernly those who design factory systems to transport items as they are made.

Another trick was “track banking” where you would cant the track up to minimise the difference in track lengths. Kind of like wrapping a strip of paper around a broom handle etc. The downside of this is of course it moves the center of gravity of the trains engines and cars which can be counter acted by velocity (and why motor bikes can “ride the wall of death”). But that puts a minimum speed on the banked section of track and center of gravity requirments on the loads carried, as well as having a significant effect on the track upkeep as @lurker has noted is “not a thing” in North America.

But the other scary problem and it’s a real issue in North America is the shere length of trains and curves.

In a traditional single engine pulls train, it can be worked out simply that the train has to be less than ~2/3rds of the curve radius in length as the engine pulls the train increasingly sideways in a curve, again moving the center of gravity. Whilst inertia lessens the effect the train still has to move with sufficient velocity, thus the minimum speed and track up keep issues are even more prevelant.

To get around this in the past, as with “climbs” a “banker engine” would be used to push from the back of the train. However this introduces other issues such as vertical buckling where light cars can lift off the track and move outward thus directly causing a derailment. The solution to this is two fold, firstly more engines distributed in the train but they have to be synchronized which is expensive, but secondly the cars have to be placed in the train by a complex calculation of weight and length…

The modern trend in North American railway companies is to entirely ignore the car placment requirments to increase profits, so derailment can come “built in” before the train even starts moving “out the yard”.

As can be seen none of these problems can be solved by computers as there are way to many unknowns. And managment are not their to run derailment free trains, but make profit for share holders. This can most easily be seen by the “hot box” detection issue, if ever there was a wrong way to do it…

Clive Robinson • September 1, 2023 12:31 PM

@ Winter,

But what would be the radius be for a gentle curve for a train nearly two miles (3kM) long?

If you use the traditional figures it would be 4500m…

A circle bigger than CERN’s LHC little toy…

Clive Robinson • September 1, 2023 3:40 PM

@ Tatütata,

“At the bottom is a detail of the strengthening of the outer rail.”

These are not uncommon in London, where some of the rail network is the oldest in the world –and scarily still in use–

There was one station on the underground on the central line in West London where the wheels on the train scream in pain on a curve just outside “white city”. Again it’s one of the places I used to frequent but nolonger do.

Oh fun fact the central line else where runs very close under a nuclear reactor that was used for making isotopes for medical imaging and the like. I once traveled that section with a giger counter and it sang a high tempo song, fit to put it in a punk band 😉