
Hackers Can Remotely Trigger the Brakes on American Trains and the Problem Has Been Ignored for Years

Many trains in the U.S. are vulnerable to a hack that can remotely lock a train's brakes, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the researcher who discovered the vulnerability. From a report: The railroad industry has known about the vulnerability for more than a decade but only recently began to fix it. Independent researcher Neil Smith first discovered the vulnerability, which can be exploited over radio frequencies, in 2012.

"All of the knowledge to generate the exploit already exists on the internet. AI could even build it for you," Smith told 404 Media. "The physical aspect really only means that you could not exploit this over the internet from another country, you would need to be some physical distance from the train [so] that your signal is still received."

  • From the industry that brought about the East Palestine derailment due to issues being ignored.

    • by Anonymous Coward

      .... the vulnerability, which can be exploited over radio frequencies

      What the fucking fuck?? Why is it even possible for a train to receive radio signals that can do something with the brakes? That makes no sense.

      • Excellent question but the story is paywalled.

        https://archive.ph/6fp8m [archive.ph]

        Because of FSK encoded radio links designed in the 1980s.

        • by Anonymous Coward

          Excellent question but the story is paywalled.

          https://archive.ph/6fp8m [archive.ph]

          Because of FSK encoded radio links designed in the 1980s.

          Unfortunately, even if you read the paywalled article, it is very vague and doesn't actually explain anything. It only says this:

          A lack of good communication between the front of the train and the back of a train caused accidents. In the 1980s, following a Congressional mandate, the rail industry instituted what it called an “End-of-Train and Head-of-Train Remote Linking Protocol.” This system allowed the back of the train to send telemetry data to the front and for the front to send basic commands back over radio frequencies.

          • It sounds like 80s era wireless trail braking used on trucks hauling trailers. You want all the units braking in unison.
            • Trains use an air brake system with glad hand connections so that if a coupler fails (or more likely, wasn't correctly secured) the pressure is released and the brakes set on the entire train. The device we're talking about, which is known as FRED (on railroads the F is considered to be an F-Bomb) replaced the caboose in the 1980s. It monitors brake system pressure to ensure that it is in the operating range, and can also release the system pressure from the rear. This is needed so that the train brakes mor

        • Here's a non-paywalled article:

          Hackers can tamper with train brakes using just a radio [gizmodo.com]

          The obvious reason is to remotely stop a runaway train.

          The stupid part is that there is no authentication or encryption.

          Another option would be to use a deadman switch, which the engineer has to periodically reset to keep the brakes open. Most trains have some kinda deadman switch.

          • by b0s0z0ku ( 752509 ) on Tuesday July 15, 2025 @05:47PM (#65523408)

            It's not necessarily stupid that there's no authentication. This fails safe (train stops), not deadly ... you actually want emergency services to be able to stop any runaway train without begging for a code to do so.

            Trains already have a dead-man switch, generally in the form of a Big Red Button that has to be pressed within a certain time after a buzzer sounds (called an alerter).

            The way that train brakes are applied is interesting - they respond to a DROP of air pressure in the brake pipe that goes from wagon to wagon. This is a fail-safe to force the brakes to apply if the line develops a leak. But what if the line has a clog or closed valve somewhere in the train? The dead-man switch in the locomotive would only cause the brakes IN FRONT OF the clog to apply - the radio system works from the rear of the train, so will apply the brakes BEHIND the clog. In an extreme situation, both the dead-man switch and the radio system can be useful.

            • Unfortunately it *is* stupid that there's no authentication. Something as simple as even a 4-digit PIN check would have been sufficient. There is no need to allow random radio transmitters to apply the brakes, and anyone with the *authorized* equipment would be able to have an emergency override code possibly built right into their gear.

              The system, as designed, has *no* such codes at all.

              • If you implemented it entirely as dead-man switch logic, the signal could just be jammed, causing the dead-man timers to time out. Jamming does not require breaking the authentication scheme.
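An added illustration, not part of any comment above and not the EOT/HOT protocol itself: a receiver-side check that accepts a command frame only when it carries a valid keyed MAC and a fresh counter, which a fixed PIN sent in the clear cannot provide once it has been overheard. The frame layout, field sizes, key and command value are constructed for the example.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8    # truncated MAC length in bytes (assumption for this sketch)
BODY_LEN = 9   # unit_id (4) + counter (4) + command (1)

def make_frame(key: bytes, unit_id: int, counter: int, command: int) -> bytes:
    """Sender side: body followed by a truncated HMAC-SHA256 tag over the body."""
    body = struct.pack(">IIB", unit_id, counter, command)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class Receiver:
    """Hypothetical rear-unit receiver that tracks the last accepted counter."""

    def __init__(self, key: bytes, unit_id: int):
        self.key, self.unit_id, self.last_counter = key, unit_id, 0

    def accept(self, frame: bytes) -> str:
        if len(frame) != BODY_LEN + TAG_LEN:
            return "reject: length"
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison; verify the tag before trusting any field.
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"
        unit_id, counter, command = struct.unpack(">IIB", body)
        if unit_id != self.unit_id:
            return "reject: wrong unit"
        # A strictly increasing counter makes a recorded frame useless later.
        if counter <= self.last_counter:
            return "reject: replay"
        self.last_counter = counter
        return f"accept: command {command}"

def demo() -> list:
    key = b"constructed-demo-key-not-real"           # constructed sample key
    rx = Receiver(key, unit_id=12345)
    good = make_frame(key, 12345, 1, 0x01)
    forged = make_frame(b"guessed-key", 12345, 2, 0x01)   # sender lacks the key
    tampered = good[:8] + b"\x02" + good[9:]              # command byte altered
    return [rx.accept(good), rx.accept(good),
            rx.accept(forged), rx.accept(tampered)]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

A check like this covers forged and replayed commands only; the jamming case raised in the reply above is a separate problem that message authentication does not address.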

          • The protocol was designed in the 1980s. What encryption were you going to run on Z80 class processors?

      • How many humans do you think are aboard a freight train?

        For safety reasons, most standard US freight trains are legally required to have a minimum of two human crew members, including a locomotive engineer and a conductor. However, there are exceptions for certain one-person train crew operations that do not pose significant safety risks, according to the Federal Railroad Administration (FRA).

        And for the record: The train companies aren't happy about that. They'd rather have ONE person...

        Key Takea [aar.org]

      • The response to the radio signal is to fail safe (stop), not fail deadly. You definitely want emergency services to be able to stop a runaway train (esp one without a driver) without much bureaucracy. The risk is a stopped train. The risk of NOT having that ability is a disaster like the Lac-Mégantic incident ~10 years ago.
  • A foreign actor / interest could send the gear to the states to an employment firm... And simply ask them to interview people by sending them to a location with the device and activating the device at a specific time... Not good. User could be totally unaware of the actions being taken by the device. This could lead to easy entrapment across a number of scenarios.
    • Or you could hire someone to do it on Fiverr or TaskRabbit.

      They'll do the task they were paid to do so that they can get a five-star review.

      Ukraine did something similar for the 2025-06-01 drone raid on Russian airfields. The truck drivers who delivered the drones had no idea what cargo they were carrying or why. They were just told where to go and where to park when they got there.

  • by 93 Escort Wagon ( 326346 ) on Tuesday July 15, 2025 @03:26PM (#65523052)

    It's a subscriber-only 404 Media blog post.

    Too bad... I was curious to learn how "AI" could build something that would generate RF radio waves near railroad tracks. Is there nothing AI can't do?

    • It's a subscriber-only 404 Media blog post.

      So, so many of these lately, for the past year or two.

      One may be inclined to think these are only Slashvertisements.

      Is 404 also owned by Beez-Ex? (sic., to evade the lameness filter on that name)

  • CISA has told The Register the train issue may not be as bad as it sounds, and confirmed work is underway to get a replacement system deployed.

    "[This] vulnerability has been understood and monitored by rail sector stakeholders for over a decade," CISA acting executive assistant director for cybersecurity Chris Butera told us in an email. "To exploit this issue, a threat actor would require physical access to rail lines, deep protocol knowledge, and specialized equipment, which limits the feasibility of widespre

    • It is as bad as it sounds. If you triggered it at the right time you could cause a derailment as the brakes applied full across the entire train. This is only likely if the train is moving at relatively high speed on bad track, though.

  • by Casandro ( 751346 ) on Tuesday July 15, 2025 @04:05PM (#65523170)

    In railways, safety is usually very important, and a stopped train usually is in its safest state. So everything typically fails towards stopping a train.

    You can stop many stations by placing a copper wire on the tracks at a strategic position, making all of the systems believe that there is a train. You can puncture a brake line and the train will stop. You can cut wires used for signaling and the signals will fall back to stop... on AFAIK any signaling system.

    • You can puncture a brake line

      Presumably not on these trains since if they were using air brakes there would be no need for a radio interface.

      • They use air brakes operated by releasing the air from the lok end (front). The devices in question dump air from the back end of the train in an emergency (e.g. if there's a clog in the line and the rear wagons don't release pressure).
  • by PPH ( 736903 ) on Tuesday July 15, 2025 @04:10PM (#65523176)

    People have been able to do that since Snidely Whiplash tied Nell Fenwick to the railroad tracks.

  • I watched the DEF CON 26 talk [youtube.com] on this. Basically, some dipshit designed a wireless system that is completely insecure and can be fooled into braking the train and possibly individual cars. It's like a LOT of industrial equipment that does this.

    I remember during a hurricane years ago there was a run on gas. I was able to connect to gas stations all over the place (found by shodan.io) that had some kind of monitors on their underground tanks that showed what kind of fuel it was, how much, water contamination,

    • by malkavian ( 9512 )

      These days, it's a few hundred to get the equipment to interact with this system. When it was invented, computer security was barely even thought about, and the equipment to exploit it would have been extremely expensive (if you could even get it outside industry).

  • Fortunately, the US has no enemies and nobody would ever think to use this for anything bad. Right?

  • "The physical aspect really only means that you could not exploit this over the internet from another country, you would need to be some physical distance from the train [so] that your signal is still received."

    If it is a passive signal, it seems like the only thing preventing that is a lack of transmit power, at least to within the limits of the curvature of the earth (or, depending on frequency, maybe not even beyond that limit). And it's hard to overestimate the potential for financial loss if someone remotely cracked into a SpaceX satellite and manipulated its SDR to send such a signal from space.

    Even if the attack requires two-way communication, the attacker still wouldn't need to be close to the train; the

    • Nothing prevents someone from maliciously dangling a battery-powered or solar-powered, cellular-capable pod off the edge of a highway bridge that crosses a railroad track and being half a continent away when actually triggering it.

      Except that as the train passes under the bridge, it will momentarily interrupt the brake signal, yes, but as the train slows down it will go away from the transmitter and likely get far enough away to restore the signal and the train brake signal will be restored, so the train keeps going...

      (Train brakes aren't like throwing an anchor from a ship, they take time to stop the train.)

      Yes, you could attach the transmitter to the train, but, really, what's the point?

  • by b0s0z0ku ( 752509 ) on Tuesday July 15, 2025 @05:39PM (#65523396)
    This was an issue in Poland a couple of years ago with a similar system called "RadioStop." I think it was even exploited by Russian hackers.
  • ....and have been able to for a while. :|

  • Contrive a transmitter such that it jams the radio signal that tells the train engineer the brakes are working properly, so the train reacts by hitting the brakes. Of course, you have to be traveling close enough to the train so your transmitter can overwhelm the safety equipment...

    Seems simple enough.

    If you want to stop a train, wouldn't it be easier to steal a car and park it on the RR track so the train hits it? If you don't want to hurt anyone, put it at the end of a long straightaway, with the lights on so

  • US Positive Train Control (PTC) systems put the life-safety-critical functions into a computer on-board the locomotive, parallel to the train engineer/operator. PTC needs, just like the meat-bag engineer, to know what's going on in front of the train (what the signals are set to, whether the track ahead is occupied by another train, etc.). While a lot of the more static information is canned into the PTC computer and updated occasionally, real-time stuff are information messages transmitted by radio every 6
