Railfan Technology > Reverse engineering PTC -- talk cancelled

I've been virtually attending GRCon22, the annual GNU Radio Conference.  GNU Radio is open source software supporting digital signal processing in general, with an emphasis on software defined radio.  

The next talk was to have been "Reverse Engineering the Positive Train Control (PTC) 220 MHz Wireless Protocol" which I thought could be quite informative.  My interest is as much in the analysis techniques as the protocol itself.

However, at the scheduled time, the presenter announced that his company, Shift5 Labs, "in an abundance of caution" had decided earlier today not to present the material "in the interests of the security of our railroad system [approximate quote]."  He also announced that the planned release at the end of his talk of code to decode the signals would not be happening.  

That's a good idea for safety and security, as we've already had domestic terrorists messing with signal systems, albeit in a crude way.  Plus, the protocols might be proprietary and legally protected.  The manufacturer's lawyers could take action against the information being publicized.

Somebody in India will figure it out and put information on Internet.

Bob

I've seen reports online from a couple guys who have done it, but they're not going to release the code nor go any further with it. At the time the data was not encrypted, but there was an encryption mechanism built into the system and it was basically a matter of the railroad flipping a switch and it would be inaccessible.

Posted from Android

Darren Boes
Lethbridge, AB
Southern Alberta Railfan

The difference between PTC and ATCS is that none of the information carried on ATCS is safety-sensitive. The worst thing a bad-actor could do is slow down the railroad, all of the safety-critical functions are carried out in the local boxes. ATCS is truly just a request, no difference to me asking a random person to "please punch yourself in the face." The person will [hopefully] say no. I have no means to force that. PTC is different, bad PTC commands are theoretically no diffent than how railroads have operated for over a hundred years, the crew operates in accordance with the signals that they see, but PTC is still supposed to enforce that if the crew doesn't respond properly. There shouldn't be a way to to transmit a command that turns a signal green when there's an opposing train, or throw a switch under a train, that SHOULD still be handled electronically by the line-side logic, but the stakes are higher with PTC.

Good point on safety concerns with PTC decoding, can understand the reticence to release software to do that.
I'm disappointed that local ATCS on the UPRR has gone to fiber, no radio signals are now available north of Red Bluff, CA up to maybe K Falls.
We had a good run with the 900 mHz radio operation though - from 1996 to about 2021, not bad.

So perhaps forget the signal but decode the GPS thats being transmitted.  More usefull anyway and doesnt get into the safety of the signal system.  Just a thought!

As silly as the concerns are, the railroads would have a cow if each train's GPS location could be determined and broadcast. They barely tolerated ATCS and it didn't precisely locate a specific train. I recall a rather substantial kerfluffle a few years ago when unauthorized AEI readers were popping up along various rail lines. Most of them were illegally placed. In fact there seems to be an extensive TrainOrders post on it from 2015: https://www.trainorders.com/discussion/read.php?2,3888413