Speaker
Description
Positive Train Control (PTC) is a collection of standards and technologies that attempts to prevent train collisions and derailments by automating certain safety functions aboard locomotives. The communications layer of one widely fielded PTC implementation uses proprietary wireless protocols operating at 220 MHz. Each locomotive has a PTC radio, and there are also stationary radios at certain points along the tracks and in central office locations.
As an independent vulnerability R&D project at Shift5, we purchased and studied several decommissioned 220 MHz PTC radios available on the open market. Our research is ongoing, but we will present the reverse engineering work that was required to fully decode the physical (PHY) layer of the radio traffic. This included open source research, signal analysis, and software/hardware reverse engineering.
The protocol uses a robust phase-shift keying (PSK) signal with non-standard interleavers, multiple forward error correction (FEC) modes, and custom CRCs. We ultimately wrote a complete C++ library and several custom GNU Radio signal processing blocks to implement the physical layer of the wireless protocol. We are able to demodulate and decode packets from the PTC radios, and to transmit our own packets that the radio receives correctly. We will demonstrate both receive and transmit capabilities during the talk and release a fully functional out-of-tree (OOT) module and flowgraph for the receive chain.
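The custom CRCs mentioned above are recovered the same way the rest of a proprietary PHY is: by fitting a parameter model to captured frames. The C++ block below is an added example written for this page, not Shift5's library or any of the talk's released code; the 16-bit polynomial, the init value and the three sample frames are invented for the demonstration and say nothing about the real PTC radio's CRC. It implements the generic Rocksoft/Williams CRC model (width, polynomial, init, input/output reflection, final XOR) and then brute-forces that model against frames whose trailing CRC field is known, the step a reverse engineer performs once frames have been deinterleaved and FEC-decoded.

```cpp
// crc_recover.cpp -- generic CRC engine plus brute-force parameter recovery
// from packets whose trailing CRC field is already known. Build with:
//   g++ -std=c++17 -O2 crc_recover.cpp -o crc_recover
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <vector>

// Rocksoft/Williams CRC parameter model.
struct CrcParams {
    int width;        // register width in bits: 8, 16 or 32
    uint32_t poly;    // generator polynomial in normal (non-reflected) form
    uint32_t init;    // initial register value
    bool refin;       // reflect each input byte before feeding it in
    bool refout;      // reflect the register before the final XOR
    uint32_t xorout;  // value XORed into the final register
};

inline bool operator==(const CrcParams& a, const CrcParams& b) {
    return a.width == b.width && a.poly == b.poly && a.init == b.init &&
           a.refin == b.refin && a.refout == b.refout && a.xorout == b.xorout;
}

// Reverse the low `bits` bits of v (bit 0 becomes bit bits-1).
static uint32_t reflect(uint32_t v, int bits) {
    uint32_t r = 0;
    for (int i = 0; i < bits; ++i)
        if (v & (1u << i)) r |= 1u << (bits - 1 - i);
    return r;
}

// Bit-serial CRC over `data` under parameters p. Slow but exact, which is
// what a parameter search needs.
uint32_t crc_generic(const std::vector<uint8_t>& data, const CrcParams& p) {
    const uint32_t mask = (p.width == 32) ? 0xFFFFFFFFu : ((1u << p.width) - 1);
    const uint32_t topbit = 1u << (p.width - 1);
    uint32_t crc = p.init & mask;
    for (uint8_t byte : data) {
        uint32_t b = p.refin ? reflect(byte, 8) : byte;
        crc ^= b << (p.width - 8);
        for (int k = 0; k < 8; ++k)
            crc = (crc & topbit) ? ((crc << 1) ^ p.poly) & mask : (crc << 1) & mask;
    }
    if (p.refout) crc = reflect(crc, p.width);
    return (crc ^ p.xorout) & mask;
}

std::vector<uint8_t> bytes_of(const char* s) {
    std::vector<uint8_t> v;
    for (; *s; ++s) v.push_back(static_cast<uint8_t>(*s));
    return v;
}

// One captured frame: the bytes the CRC covers and the CRC field that followed.
struct Sample {
    std::vector<uint8_t> payload;
    uint32_t crc;
};

// Try every odd polynomial of the given width (a CRC generator has an x^0 term)
// with init and xorout in {0, all-ones} and both reflection flags, keeping the
// parameter sets that reproduce every sample. Frames of different lengths are
// essential: a single length cannot separate init from xorout.
std::vector<CrcParams> recover_crc_params(const std::vector<Sample>& samples, int width) {
    std::vector<CrcParams> hits;
    if (width != 8 && width != 16) return hits;  // 2^32 polynomials is not a brute-force job
    const uint32_t mask = (1u << width) - 1;
    for (uint32_t poly = 1; poly <= mask; poly += 2) {
        for (int flags = 0; flags < 16; ++flags) {
            CrcParams p{width, poly,
                        (flags & 1) ? mask : 0u,
                        (flags & 2) != 0,
                        (flags & 4) != 0,
                        (flags & 8) ? mask : 0u};
            bool ok = true;
            for (const Sample& s : samples)
                if (crc_generic(s.payload, p) != s.crc) { ok = false; break; }
            if (ok) hits.push_back(p);
        }
    }
    return hits;
}

// Constructed demo: a hypothetical "custom" 16-bit CRC whose parameters are
// invented for this example (they are not the PTC radio's), plus three frames
// of different lengths with the CRC field a receiver would have seen.
const CrcParams kHiddenCrc{16, 0xA2EBu, 0xFFFFu, false, false, 0x0000u};

std::vector<Sample> make_demo_samples() {
    std::vector<std::vector<uint8_t>> payloads = {
        {0x01, 0x02, 0x03, 0x04, 0x05},
        {0xAA, 0x55, 0xAA, 0x55, 0xAA, 0x55, 0xAA, 0x55, 0x00},
        bytes_of("PTC radio pkt!"),
    };
    std::vector<Sample> out;
    for (const auto& p : payloads) out.push_back({p, crc_generic(p, kHiddenCrc)});
    return out;
}

// Run the search as a real recovery would: from the frames alone.
std::vector<CrcParams> recover_demo() {
    return recover_crc_params(make_demo_samples(), 16);
}

int main() {
    for (const CrcParams& p : recover_demo())
        std::printf("width=%d poly=0x%04X init=0x%04X refin=%d refout=%d xorout=0x%04X\n",
                    p.width, p.poly, p.init, p.refin, p.refout, p.xorout);
    return 0;
}
```

The search deliberately limits init and xorout to zero and all-ones, which covers the common cases. If no candidate survives on real captures, the first things to widen are those two values and the assumed span of bytes the CRC covers (a header field the capture dropped will defeat every polynomial), before concluding the check is not a CRC at all.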
| Talk Length | 30 Minutes |
|---|---|
| Acknowledge | Acknowledge In-Person |