
Hackers Can Remotely Trigger the Brakes on American Trains and the Problem Has Been Ignored for Years

Many trains in the U.S. are vulnerable to a hack that can remotely lock a train's brakes, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the researcher who discovered the vulnerability. From a report: The railroad industry has known about the vulnerability for more than a decade but only recently began to fix it. Independent researcher Neil Smith first discovered the vulnerability, which can be exploited over radio frequencies, in 2012.

"All of the knowledge to generate the exploit already exists on the internet. AI could even build it for you," Smith told 404 Media. "The physical aspect really only means that you could not exploit this over the internet from another country, you would need to be some physical distance from the train [so] that your signal is still received."

  • From the industry that brought about the East Palestine derailment due to issues being ignored.

    • by Anonymous Coward

      .... the vulnerability, which can be exploited over radio frequencies

      What the fucking fuck?? Why is it even possible for a train to receive radio signals that can do something with the brakes? That makes no sense.

      • Excellent question but the story is paywalled.

        https://archive.ph/6fp8m [archive.ph]

        Because of FSK encoded radio links designed in the 1980s.

        • by Anonymous Coward

          Excellent question but the story is paywalled.

          https://archive.ph/6fp8m [archive.ph]

          Because of FSK encoded radio links designed in the 1980s.

          Unfortunately, even if you read the paywalled article, it is very vague and doesn't actually explain anything. It only says this:

          A lack of good communication between the front of the train and the back of a train caused accidents. In the 1980s, following a Congressional mandate, the rail industry instituted what it called an “End-of-Train and Head-of-Train Remote Linking Protocol.” This system allowed the back of the train to send telemetry data to the front and for the front to send basic commands back over radio frequencies.

          • It sounds like 80s era wireless trail braking used on trucks hauling trailers. You want all the units braking in unison.
            • Trains use an air brake system with glad hand connections so that if a coupler fails (or more likely, wasn't correctly secured) the pressure is released and the brakes set on the entire train. The device we're talking about, which is known as FRED (on railroads the F is considered to be an F-Bomb) replaced the caboose in the 1980s. It monitors brake system pressure to ensure that it is in the operating range, and can also release the system pressure from the rear. This is needed so that the train brakes mor

        • Here's a non-paywalled article:

          Hackers can tamper with train brakes using just a radio [gizmodo.com]

          The obvious reason is to remotely stop a runaway train.

          The stupid part is that there is no authentication or encryption.

          Another option would be to use a deadman switch, which the engineer has to periodically reset to keep the brakes open. Most trains have some kinda deadman switch.

          • by b0s0z0ku ( 752509 ) on Tuesday July 15, 2025 @05:47PM (#65523408)

            It's not necessarily stupid that there's no authentication. This fails safe (train stops), not deadly ... you actually want emergency services to be able to stop any runaway train without begging for a code to do so.

            Trains already have a dead-man switch, generally in the form of a Big Red Button that has to be pressed within a certain time after a buzzer sounds (called an alerter).

            The way that train brakes are applied is interesting - they respond to a DROP of air pressure in the brake pipe that goes from wagon to wagon. This is a fail-safe to force the brakes to apply if the line develops a leak. But what if the line has a clog or closed valve somewhere in the train? The dead-man switch in the locomotive would only cause the brakes IN FRONT OF the clog to apply - the radio system works from the rear of the train, so will apply the brakes BEHIND the clog. In an extreme situation, both the dead-man switch and the radio system can be useful.

            • Unfortunately it *is* stupid that there's no authentication. Something as simple as even a 4-digit PIN check would have been sufficient. There is no need to allow random radio transmitters to apply the brakes, and anyone with the *authorized* equipment would be able to have an emergency override code possibly built right into their gear.

              The system, as designed, has *no* such codes at all.

              • If you implemented it entirely as dead-man switch logic, the signal could just be jammed, causing the dead-man timers to time out. Jamming does not require breaking the authentication scheme.

                • If you implemented it entirely as dead-man switch logic, the signal could just be jammed, causing the dead-man timers to time out

                  That requires placing a device on the train, because the train is in motion, or placing a whole lot of devices. The current situation only requires one low-power device someplace vaguely near the rail line.

              • and when someone doesn't know the pin there is disaster. You don't put a pin on brakes, dumbass.

            • It is stupid that there is no authentication. Here in Europe we have those signals integrated in the train traffic system. And of course they are encrypted according to the protocol.

              Go too fast through a (yellow) signal, let alone pass a red one and the train protection slams in and forces the train to stop.
              Fully automated without human interaction. OK afterwards the driver has to explain why he passed a signal that he should not have passed like that :P

              The driver can start rolling again after the forced s
          • The protocol was designed in the 1980s. What encryption were you going to run on Z80 class processors?

            • "What encryption were you going to run on Z80 class processors?"

              Wasn’t rhetorical? Cool — here's a serious answer.

              XTEA is one of the strongest ciphers that can reasonably run on a Z80. It’s a 64-bit block cipher with a 128-bit key and a very compact footprint — perfect for 8-bit systems. The operations are just shifts, XORs, and adds, so it’s lightweight and doesn’t require much RAM or code space.

              Is it brute-forceable?
              In theory, yes — any 128-bit key cipher is, but
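
Added example (not part of the comment above, and not any railroad's protocol): C code showing how XTEA, built only from the shifts, XORs and adds that comment describes, could authenticate a fixed-length command frame with a CBC-MAC and reject replays with a counter. The frame layout, field names, shared-key handling and return codes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* XTEA block encryption, 32 cycles: only shifts, XORs and 32-bit adds. */
static void xtea_encipher(uint32_t v[2], const uint32_t key[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    const uint32_t delta = 0x9E3779B9u;
    for (int i = 0; i < 32; i++) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
        sum += delta;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
    }
    v[0] = v0; v[1] = v1;
}

/* Hypothetical fixed-length frame (an assumption, not the real link format). */
typedef struct {
    uint32_t unit_id;   /* which rear device the command is for */
    uint32_t command;   /* constructed command code */
    uint32_t counter;   /* strictly increasing per sender */
    uint32_t reserved;  /* pads the message to two 64-bit blocks */
    uint32_t tag[2];    /* 64-bit CBC-MAC over the four fields above */
} frame_t;

typedef struct { uint32_t key[4]; uint32_t unit_id; uint32_t last_counter; } receiver_t;

enum { FRAME_OK = 0, FRAME_BAD_TAG = 1, FRAME_REPLAY = 2, FRAME_WRONG_UNIT = 3 };

/* CBC-MAC with a zero IV; safe here only because every frame has the same length. */
static void frame_mac(const frame_t *f, const uint32_t key[4], uint32_t tag[2]) {
    uint32_t s[2] = {0, 0};
    s[0] ^= f->unit_id; s[1] ^= f->command;  xtea_encipher(s, key);
    s[0] ^= f->counter; s[1] ^= f->reserved; xtea_encipher(s, key);
    tag[0] = s[0]; tag[1] = s[1];
}

void frame_seal(frame_t *f, const uint32_t key[4]) { frame_mac(f, key, f->tag); }

int frame_verify(receiver_t *rx, const frame_t *f) {
    uint32_t t[2];
    frame_mac(f, rx->key, t);
    /* Compare both tag words without an early exit on the first mismatch. */
    uint32_t diff = (t[0] ^ f->tag[0]) | (t[1] ^ f->tag[1]);
    if (diff != 0) return FRAME_BAD_TAG;
    if (f->unit_id != rx->unit_id) return FRAME_WRONG_UNIT;
    /* Reject anything not newer than the last accepted frame (no wrap handling). */
    if (f->counter <= rx->last_counter) return FRAME_REPLAY;
    rx->last_counter = f->counter;
    return FRAME_OK;
}

int main(void) {
    /* Constructed key and frame values, for demonstration only. */
    receiver_t rx = {{0x01234567u, 0x89abcdefu, 0xfedcba98u, 0x76543210u}, 42u, 0u};
    frame_t f = {42u, 1u, 1u, 0u, {0, 0}};
    frame_seal(&f, rx.key);
    printf("fresh frame:    %d\n", frame_verify(&rx, &f));
    printf("same frame:     %d\n", frame_verify(&rx, &f));
    f.counter = 2u;  /* altered after sealing, tag no longer matches */
    printf("tampered frame: %d\n", frame_verify(&rx, &f));
    return 0;
}
```

A check like this stops forged and replayed frames but does nothing about jamming, which other comments in this thread raise as a separate problem.
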

      • How many humans do you think are aboard a freight train?

        For safety reasons, most standard US freight trains are legally required to have a minimum of two human crew members, including a locomotive engineer and a conductor. However, there are exceptions for certain one-person train crew operations that do not pose significant safety risks, according to the Federal Railroad Administration (FRA).

        And for the record: The train companies aren't happy about that. They'd rather have ONE person...

        Key Takea [aar.org]

      • The response to the radio signal is to fail safe (stop), not fail deadly. You definitely want emergency services to be able to stop a runaway train (esp. one without a driver) without much bureaucracy. The risk is a stopped train. The risk of NOT having that ability is a disaster like the Lac-Mégantic incident ~10 years ago.
        • by mysidia ( 191772 )

          Perhaps.. But is this technical Information, and the necessary radio even available to the emergency services in the first place? I think it is unlikely that any police and firefighters currently possess within their cars a box that can trigger even the old unauthenticated system.

          It might not be that useful to responders in cases of a runaway train, Because the engineers are already trying to manage it, and most likely the observation of a runaway train says an extremely bad mechanical failure has happene

  • A foreign actor / interest could send the gear to the states to an employment firm... And simply ask them to interview people by sending them to a location with the device and activating the device at a specific time... Not good. User could be totally unaware of the actions being taken by the device. This could lead to easy entrapment across a number of scenarios.
    • Or you could hire someone to do it on Fiverr or TaskRabbit.

      They'll do the task they were paid to do so that they can get a five-star review.

      Ukraine did something similar for the 2025-06-01 drone raid on Russian airfields. The truck drivers who delivered the drones had no idea what cargo they were carrying or why. They were just told where to go and where to park when they got there.

  • by 93 Escort Wagon ( 326346 ) on Tuesday July 15, 2025 @03:26PM (#65523052)

    It's a subscriber-only 404 Media blog post.

    Too bad... I was curious to learn how "AI" could build something that would generate RF radio waves near railroad tracks. Is there nothing AI can't do?

  • CISA has told The Register the train issue may not be as bad as it sounds, and confirmed work is underway to get a replacement system deployed.

    "[This] vulnerability has been understood and monitored by rail sector stakeholders for over a decade," CISA acting executive assistant director for cybersecurity Chris Butera told us in an email. "To exploit this issue, a threat actor would require physical access to rail lines, deep protocol knowledge, and specialized equipment, which limits the feasibility of widespre

    • It is as bad as it sounds. If you triggered it at the right time you could cause a derailment as the brakes applied full across the entire train. This is only likely if the train is moving at relatively high speed on bad track, though.

      • by jimll ( 1642281 )
        If a train derails as the result of what is effectively an emergency brake application, the US railways have bigger problems on their hands!
  • by Casandro ( 751346 ) on Tuesday July 15, 2025 @04:05PM (#65523170)

    In railways, safety is usually very important, and a stopped train usually is in its safest state. So everything typically fails towards stopping a train.

    You can stop many stations by placing a copper wire on the tracks at a strategic position, making all of the systems believe that there is a train. You can puncture a brake line and the train will stop. You can cut wires used for signaling and the signals will fall back to stop... on AFAIK any signaling system.

    • You can puncture a brake line

      Presumably not on these trains since if they were using air brakes there would be no need for a radio interface.

      • They use air brakes operated by releasing the air from the lok end (front). The devices in question dump air from the back end of the train in an emergency (e.g. if there's a clog in the line and the rear wagons don't release pressure).
      • Puncture the hose and the train stops.

      • What do you think they use for brake control?

        Trains use air brakes, there are air hoses that connect the cars together.

        https://youtu.be/ujF5ht6Blfg [youtu.be]

        • What do you think they use for brake control?

          Well I thought they used air brakes but if they used air brakes then the hose is what transmits the braking information and you would not need a radio.

          • Well I thought they used air brakes but if they used air brakes then the hose is what transmits the braking information and you would not need a radio.

            And what if the hose doesn't work? The thing you're fundamentally missing here is the point of redundancy. A system which has the potential to kill hundreds of people in one go doesn't rely on a single path. It's all due to risk.
            - 4 people potentially die in a car : Brakes are not fail safe.
            - 10 people potentially die when a large truck ploughs into traffic : Brakes are fail safe.
            - 400 people potentially die when a train derails : Brakes are fail safe and have redundant and independent means of being trigger

          • I thought they used air brakes but if they used air brakes then the hose is what transmits the braking information and you would not need a radio.

            Think harder. You know effectively nothing about trains, so do some searches so you can know something before posting again. Start by looking up "caboose" and what functions were performed there before they were replaced by FRED.

  • by PPH ( 736903 ) on Tuesday July 15, 2025 @04:10PM (#65523176)

    People have been able to do that since Snidely Whiplash tied Nell Fenwick to the railroad tracks.

  • by Random361 ( 6742804 ) on Tuesday July 15, 2025 @04:11PM (#65523178)

    I watched the DEF CON 26 talk [youtube.com] on this. Basically, some dipshit designed a wireless system that is completely insecure and can be fooled into braking the train and possibly individual cars. It's like a LOT of industrial equipment that does this.

    I remember during a hurricane years ago there was a run on gas. I was able to connect to gas stations all over the place (found by shodan.io) that had some kind of monitors on their underground tanks that showed what kind of fuel it was, how much, water contamination, and other things. Whoever it was who designed this stuff decided that it would be a good idea to just go slam it on the Internet. If you telnetted to it, it would dump the data. I was able to guide some friends and family around to the stations that still had gas.

    • by malkavian ( 9512 )

      These days, it's a few hundred to get the equipment to interact with this system. When it was invented, computer security was barely even thought about, and the equipment to exploit it would have been extremely expensive (if you could even get it outside industry).

    • I watched the DEF CON 26 talk on this. Basically, some dipshit designed a wireless system that is completely insecure and can be fooled into braking the train and possibly individual cars. It's like a LOT of industrial equipment that does this.

      You're right, they should run a wire the length of the train to trigger the brakes when the wire disconnects! But then you'd have to keep connecting and disconnecting the wire as you add or remove RR cars.

      The system is designed to 'fail safe' - if 'attacked' the train stops moving, that's good.

      Short of putting a person at the end of the train (caboose), but that got expensive, so what is the superior alternative?

      Anything wired is too much hassle.
      Anything wireless can be disrupted.
      Anything manual is too expe

  • Fortunately, the US has no enemies and nobody would ever think to use this for anything bad. Right?

      • To what end? Slowing train travel? If an enemy wants to 'hurt' Americans, randomly stopping freight trains is a non-issue (I guess stopping a passenger train would upset the folks on the train, but whoop-de-doo, who cares?)

      There are so many better ways to cause problems - water system, electricity providers, etc.

      • by gweihir ( 88907 )

        I am so glad you cannot think of the possibilities of using this as part of a more complex attack! The non-existent enemies of the US will miss that possibility too!

  • "The physical aspect really only means that you could not exploit this over the internet from another country, you would need to be some physical distance from the train [so] that your signal is still received."

    If it is a passive signal, it seems like the only thing preventing that is a lack of transmit power, at least to within the limits of the curvature of the earth (or, depending on frequency, maybe not even beyond that limit). And it's hard to overestimate the potential for financial loss if someone remotely cracked into a SpaceX satellite and manipulated its SDR to send such a signal from space.

    Even if the attack requires two-way communication, the attacker still wouldn't need to be close to the train; the

    • Nothing prevents someone from maliciously dangling a battery-powered or solar-powered, cellular-capable pod off the edge of a highway bridge that crosses a railroad track and being half a continent away when actually triggering it.

      Except that as the train passes under bridge, it will momentarily interrupt the brake signal, yes, but as the train slows down it will go away from the transmitter and likely get far enough away to restore the signal and the train brake signal will be restored, so the train keeps going...

      (Train brakes aren't like throwing an anchor from a ship, they take time to stop the train.)

      Yes, you could attach the transmitter to the train, but, really, what's the point?

      • by dgatwood ( 11270 )

        Nothing prevents someone from maliciously dangling a battery-powered or solar-powered, cellular-capable pod off the edge of a highway bridge that crosses a railroad track and being half a continent away when actually triggering it.

        Except that as the train passes under bridge, it will momentarily interrupt the brake signal, yes, but as the train slows down it will go away from the transmitter and likely get far enough away to restore the signal and the train brake signal will be restored, so the train keeps going...

        (Train brakes aren't like throwing an anchor from a ship, they take time to stop the train.)

        Yes, you could attach the transmitter to the train, but, really, what's the point?

        You're assuming you can't transmit the signal for at least half the stopping distance of a train. If you can, then you start transmitting at half the stopping distance, and it will stop before it leaves the signal range.

        In practice, one mile of range would likely be enough for even the heaviest trains.

    • If it is a passive signal, it seems like the only thing preventing that is a lack of transmit power, at least to within the limits of the curvature of the earth (or, depending on frequency, maybe not even beyond that limit).

      It's 220 MHz. Not super fancy. 5-15 mile (7-25 km) range.

      And it's hard to overestimate the potential for financial loss if someone remotely cracked into a SpaceX satellite and manipulated its SDR to send such a signal from space.

      No, that ain't gonna happen. You'd need a huge amount of signal (kilowatts for many minutes?) delivered from low-earth orbit to overcome a fairly high-power signal generated only a few miles/km away.

      Even if the attack requires two-way communication, the attacker still wouldn't need to be close to the train; the signal generator would. Nothing prevents someone from maliciously dangling a battery-powered or solar-powered, cellular-capable pod off the edge of a highway bridge that crosses a railroad track and being half a continent away when actually triggering it.

      Give me a break. An evil-doer would have to dangle a lot of battery-operated jammers everywhere along the line, and then all it'd do is slow the darned train down, safely.

      On the flip side, the fact that this hasn't been exploited yet is a pretty strong indication that nobody is trying to attack us, making it likely a pretty low risk. :-)

      This I agree with.

      All it hurts are the beancounters and the unionized on-board crew who have to deal with it.

      • by dgatwood ( 11270 )

        If it is a passive signal, it seems like the only thing preventing that is a lack of transmit power, at least to within the limits of the curvature of the earth (or, depending on frequency, maybe not even beyond that limit).

        It's 220 MHz. Not super fancy. 5-15 mile (7-25 km) range.

        Unless it's straight down from overhead (satellites, drones, etc.), in which case the curvature of the earth goes away as a factor, and you're just left with attenuation.

        And it's hard to overestimate the potential for financial loss if someone remotely cracked into a SpaceX satellite and manipulated its SDR to send such a signal from space.

        No, that ain't gonna happen. You'd need a huge amount of signal (kilowatts for many minutes?) delivered from low-earth orbit to overcome a fairly high-power signal generated only a few miles/km away.

        Wait, overpower another signal? That's a new detail.

        First, I would assume that such a signaling mechanism would use some sort of spread spectrum or frequency hopping approach to allow multiple senders, or else you'd kind of have a signal-shaped mess on your hands, unless the wattage is *really* small, because presumably a train would "see"

  • by b0s0z0ku ( 752509 ) on Tuesday July 15, 2025 @05:39PM (#65523396)
    This was an issue in Poland a couple of years ago with a similar system called "RadioStop." I think it was even exploited by Russian hackers.
  • ....and have been able to for a while. :|

  • Contrive a transmitter such that it jams the radio signal that tells the train engineer the brakes are working properly, so the train reacts by hitting the brakes. Of course, you have to be traveling close enough to the train so your transmitter can overwhelm the safety equipment...

    Seems simple enough.

    If you want to stop a train, wouldn't it be easier to steal a car and park it on the RR track so the train hits it. If you don't want to hurt anyone, put it at the end of a long straightaway, with the lights on so

  • US Positive Train Control (PTC) systems put the life-safety-critical functions into a computer on-board the locomotive, parallel to the train engineer/operator. PTC needs, just like the meat-bag engineer, to know what's going on in front of the train (what the signals are set to, whether the track ahead is occupied by another train, etc.). While a lot of the more static information is canned into the PTC computer and updated occasionally, real-time stuff are information messages transmitted by radio every 6
