- This topic has 0 replies, 1 voice, and was last updated 1 month, 2 weeks ago by
.
-
Security vulnerability on U.S. trains that let anyone activate the brake signal on the rear car was known for 13 years – operators refused to fix the issue
Read AloudA serious security flaw in American trains was first discovered back in 2012, but it was ignored for years. Only recently did the Cybersecurity and Infrastructure Security Agency (CISA) issue a public warning, forcing action.
🔍 What’s the Problem?
Trains in the U.S. use a system called End-of-Train (EoT) devices. These are small modules attached to the last car of a train. They send important data — like speed and brake pressure — wirelessly to the front of the train, where the driver is.This system was designed in the 1980s, when it was illegal for anyone else to use the radio frequencies it operated on. Because of that, the system didn’t have strong security — it only used a basic error-checking method called a BCH checksum (a way to make sure data isn’t corrupted, but not to keep it secure).
But by 2012, software-defined radios (SDRs) — cheap, programmable radios — became widely available. These devices can mimic the signals sent between the front and back of the train. That means someone with an SDR (which costs less than $500) and some technical knowledge could send fake commands to the train, including a brake command — without the train driver knowing.
🛑 Why Is This Dangerous?
If someone sends a fake brake signal, they could stop a train unexpectedly, which could cause delays, accidents, or worse. This isn’t just a theoretical risk — it’s a real vulnerability that could be exploited.🧑🔬 What Did the Experts Say?
A security researcher named Neils discovered this issue in 2012 and tried to warn the American Association of Railroads (AAR) — the group that oversees train safety standards. But the AAR dismissed the warning, saying it was only a “theoretical” problem unless it actually happened in real life.Neils couldn’t test the issue on real trains because:
The Federal Railway Authority (FRA) doesn’t have a test track.
The AAR wouldn’t allow testing on their property, citing security concerns.
Neils eventually published their findings in the Boston Review, but the AAR publicly denied the problem in Fortune magazine.⏳ What’s Happened Since?
By 2024, the problem still hadn’t been fixed. The AAR claimed it wasn’t a big deal because the vulnerable devices were “nearing the end of their life.” But they still hadn’t replaced them.Finally, CISA stepped in and issued a public advisory, warning about the risk. This forced the AAR to take action. They announced a fix in April 2024, but the rollout is slow — the earliest full deployment is expected in 2027.
Quoted:
https://alienskills.com/contents/Securityvulnerabilit_1752527148815.html
- You must be logged in to reply to this topic.