Since war first broke out between Ukraine and Russia in 2014, Russian hackers have at times used some of the most sophisticated hacking techniques ever seen in the wild to destroy Ukrainian networks, disrupt the country’s satellite communications, and even trigger blackouts for hundreds of thousands of Ukrainian citizens. But the mysterious saboteurs who have, over the last two days, disrupted Poland’s railway system—a major piece of transit infrastructure for NATO’s support of Ukraine—appear to have used a far less impressive form of technical mischief: Spoof a simple radio command to the trains that triggers their emergency stop function.
On Friday and Saturday, more than 20 of Poland’s trains carrying both freight and passengers were brought to a halt across the country through what Polish media and the BBC have described as a “cyberattack.” Polish intelligence services are investigating the sabotage incidents, which appear to have been carried out in support of Russia. The saboteurs reportedly interspersed the commands they used to stop the trains with the Russian national anthem and parts of a speech by Russian president Vladimir Putin.
Poland’s railway system, after all, has served as a key source of Western weapons and other aid flowing into Ukraine as NATO attempts to bolster the country’s defense against Russia’s invasion. “We know that for some months there have been attempts to destabilize the Polish state,” Stanislaw Zaryn, a senior security official, told the Polish Press Agency. “For the moment, we are ruling nothing out.”
But as disruptive as the railway sabotage has been, on closer inspection, the “cyberattack” doesn’t seem to have involved any “cyber” at all, according to Lukasz Olejnik, a Polish-speaking independent cybersecurity researcher and consultant and author of the forthcoming book Philosophy of Cybersecurity. In fact, the saboteurs appear to have sent simple so-called “radio-stop” commands via radio frequency to the trains they targeted. Because the trains use a radio system that lacks encryption or authentication for those commands, Olejnik says, anyone with as little as $30 of off-the-shelf radio equipment can broadcast the command to a Polish train—sending a series of three acoustic tones at a 150.100 megahertz frequency—and trigger their emergency stop function.
“It is three tonal messages sent consecutively. Once the radio equipment receives it, the locomotive goes to a halt,” Olejnik says, pointing to a document outlining trains’ different technical standards in the European Union that describes the “radio-stop” command used in the Polish system. In fact, Olejnik says that the ability to send the command has been described in Polish radio and train forums and on YouTube for years. “Everybody could do this. Even teenagers trolling. The frequencies are known. The tones are known. The equipment is cheap.”
Poland’s national transportation agency has stated its intention to upgrade Poland’s railway systems by 2025 to use almost exclusively GSM cellular radios, which do have encryption and authentication. But until then, it will continue to use the relatively unprotected VHF 150 MHz system that allows the “radio-stop” commands to be spoofed.
