Transport & Mobility - Quarkslab

Transport & Mobility

Air, rail, logistics

An attack on signaling. Irreversible physical consequences.

Trenitalia 2022: total shutdown of Italian trains by ransomware. Collins MUSE 2025: a single software provider, five airports paralyzed simultaneously. CVE-2025-1727: railcar brakes remotely controllable via radio with no authentication.
  • Critical operators (OIV): SNCF, RATP, ADP, Air France under direct ANSSI supervision
  • Collins 2025: 1 SaaS provider, with Heathrow, Brussels, Berlin, Dublin, Cork halted
  • CVE-2025-1727: train brakes remotely controllable, radio protocol with no auth
  • NIS2: transport operators classified as OES, supply chain included

A SYSTEMICALLY CONNECTED AND UNDERAUDITED CRITICAL INFRASTRUCTURE

ETCS/ERTMS: safety firmware with no cyber audit

ETCS systems carry 20-year-old firmware. CVE-2025-1727: an EOT/HOT radio protocol with no authentication, allowing the brakes to be commanded from a handheld radio. Injection of erroneous commands means a cascading emergency stop or a potentially fatal false-go.

Collins MUSE: one SaaS, five airports paralyzed

A single software provider serves dozens of airports. Its 2025 compromise paralyzed Heathrow, Brussels, Berlin, Dublin and Cork simultaneously. DSB Denmark 2022: ransomware on Supeo = national shutdown. A single weak link, maximum damage.

CBTC & network protocols in safety systems

Modern metros' CBTC communicates over WLAN. The interconnection of CBTC with the IT back office creates IT→OT lateral-movement paths. Trackside cabinets, physically accessible with simple locks, complete the picture.

Transport critical operators (OIV): ANSSI can prescribe OT audits

SNCF, RATP, ADP and Air France are OIVs under the French Military Programming Law (LPM). ANSSI supervises and can impose measures. NIS2 reinforces EU obligations. The TSA Security Directives impose OT requirements on US operators.

OUR SERVICES

QREDTEAM

ADVERSARY SIMULATION

  • Railway OT Red Team — attack simulation on signaling and control
  • Testing of IT→OT lateral-movement paths from the corporate network to the controllers
  • Supply-chain compromise simulation via a provider (DSB/Supeo type)
  • Red Team of ATM, ATC and airport infrastructure systems
  • Pentest of ticketing, passenger and operational-management systems

QLAB

DEEP SECURITY RESEARCH

  • Reverse engineering of ETCS/ERTMS and CBTC system firmware without sources
  • Analysis of railway protocols (MVB, CAN, Profibus, IEC 61375) and debug interfaces
  • 0-day research on transport OT equipment (Alstom, Siemens Mobility, Thales Rail)
  • Supply-chain audit of critical software providers — dependencies and backdoors
  • Firmware audit of train embedded systems and avionics (ACARS, ADS-B)

QSHIELD

SOFTWARE PROTECTION

  • Protection of railway embedded-system firmware against reverse engineering
  • Anti-cloning for suppliers exporting signaling systems outside the EU
  • IP protection of train-control and automation algorithms
  • Protection of infrastructure-management software against adversary analysis
  • Anti-cloning for ATM systems exported to geopolitically risky markets

THE QUARKSLAB DIFFERENTIATOR

NIS2 compliance audits verify security policies — not the protocols that move trains, manage runways or drive logistics flows. Quarkslab works in depth across all three sub-sectors: firmware of railway signaling equipment (ETCS, CBTC), avionics and ATM embedded systems exposed via their provider chains, and warehouse-management and logistics-traceability systems interconnected with OT networks. In every case, the same conviction: the real attack surface isn’t in your ISMS’s documented policies — it’s in the systems no one has ever tested offensively.

WHAT WOULD WE SAY TO EACH OTHER, FACE TO FACE

Is your shared software provider your main vulnerability?

Three sectors, one pattern: the attack never comes from where you expect it. DSB Denmark: compromising the subcontractor Supeo was enough to stop every train in the country. Collins MUSE: a single piece of airport check-in software paralyzed Heathrow, Brussels and Berlin simultaneously. XPO Logistics 2023: ransomware on the TMS halted distribution flows for dozens of clients. In all three cases, the vector is not the critical infrastructure itself: it is the shared software provider, the pooled management system, the unaudited third-party access. That is precisely where Quarkslab steps in.