Hackers Can Remotely Trigger the Brakes on American Trains and the Problem Has Been Ignored for Years
- Reference: 0178386342
- News link: https://it.slashdot.org/story/25/07/15/1814234/hackers-can-remotely-trigger-the-brakes-on-american-trains-and-the-problem-has-been-ignored-for-years
> The railroad industry has known about the vulnerability for more than a decade but only recently began to fix it. Independent researcher Neil Smith first discovered the vulnerability, which can be exploited over radio frequencies, in 2012.
>
> "All of the knowledge to generate the exploit already exists on the internet. AI could even build it for you," Smith told 404 Media. "The physical aspect really only means that you could not exploit this over the internet from another country, you would need to be some physical distance from the train [so] that your signal is still received."
[1] https://www.404media.co/hackers-can-remotely-trigger-the-brakes-on-american-trains-and-the-problem-has-been-ignored-for-years/
So essentially... (Score:2)
A foreign actor / interest could send the gear to the states to an employment firm... And simply ask them to interview people by sending them to a location with the device and activating the device at a specific time... Not good. User could be totally unaware of the actions being taken by the device. This could lead to easy entrapment across a number of scenarios.
Re: (Score:2)
Or you could hire someone to do it on Fiverr or TaskRabbit.
They'll do the task they were paid to do so that they can get a five-star review.
Ukraine did something similar for the 2025-06-01 drone raid on Russian airfields. The truck drivers who delivered the drones had no idea what cargo they were carrying or why. They were just told where to go and where to park when they got there.
Don't bother clicking on the link (Score:3)
It's a subscriber-only 404 Media blog post.
Too bad... I was curious to learn how "AI" could build something that would generate RF radio waves near railroad tracks. Is there nothing AI can't do?
Re: (Score:2)
> It's a subscriber-only 404 Media blog post.
So, so many of these lately, for the past year or two.
One may be inclined to think these are only Slashvertisements.
Is 404 also owned by Beez-Ex? (sic., to evade the lameness filter on that name)
CISA gave an updated statement (Score:2)
CISA has told The Register the train issue may not be as bad as it sounds, and confirmed work is underway to get a replacement system deployed.
"[This] vulnerability has been understood and monitored by rail sector stakeholders for over a decade," CISA acting executive assistant director for cybersecurity Chris Butera told us in an email. "To exploit this issue, a threat actor would require physical access to rail lines, deep protocol knowledge, and specialized equipment, which limits the feasibility of widespre
Re: CISA gave an updated statement (Score:2)
It is as bad as it sounds. If you triggered it at the right time you could cause a derailment as the brakes applied full across the entire train. This is only likely if the train is moving at relatively high speed on bad track, though.
Well there are lots of ways to stop trains (Score:5, Insightful)
In railways, safety is usually very important, and a stopped train usually is in its safest state. So everything typically fails towards stopping a train.
You can stop many stations by placing a copper wire on the tracks at a strategic position, making all of the systems believe that there is a train. You can puncture a brake line and the train will stop. You can cut wires used for signaling and the signals will fall back to stop... on AFAIK any signaling system.
Re: (Score:2)
> You can puncture a brake line
Presumably not on these trains since if they were using air brakes there would be no need for a radio interface.
Re: (Score:2)
They use air brakes operated by releasing the air from the lok end (front). The devices in question dump air from the back end of the train in an emergency (e.g. if there's a clog in the line and the rear wagons don't release pressure).
Re: Well there are lots of ways to stop trains (Score:2)
Puncture the hose and the train stops.
Re: Well there are lots of ways to stop trains (Score:2)
What do you think they use for brake control?
Trains use air brakes, there are air hoses that connect the cars together.
https://youtu.be/ujF5ht6Blfg
Meh. (Score:3)
People have been able to do that since Snidely Whiplash tied Nell Fenwick to the railroad tracks.
Everything old is new again. . . sigh (Score:2)
I watched the DEF CON 26 talk [1] on this. Basically, some dipshit designed a wireless system that is completely insecure and can be fooled into braking the train and possibly individual cars. It's like a LOT of industrial equipment that does this.
I remember during a hurricane years ago there was a run on gas. I was able to connect to gas stations all over the place (found by shodan.io) that had some kind of monitors on their underground tanks that showed what kind of fuel it was, how much, water contamination,
[1] https://www.youtube.com/watch?v=vloWB0LHT_4
Re: (Score:2)
These days, it's a few hundred to get the equipment to interact with this system. When it was invented, computer security was barely even thought about, and the equipment to exploit it would have been extremely expensive (if you could even get it outside industry).
Re: Everything old is new again. . . sigh (Score:2)
Once you stop the train, then what? What's the point of this possible exploit?
Re: Everything old is new again. . . sigh (Score:2)
> I watched the DEF CON 26 talk on this. Basically, some dipshit designed a wireless system that is completely insecure and can be fooled into braking the train and possibly individual cars. It's like a LOT of industrial equipment that does this.
You're right, they should run a wire the length of the train to trigger the brakes when the wire disconnects! But then you'd have to keep connecting and disconnecting the wire as you add or remove RR cars.
The system is designed to 'fail safe' - if 'attacked' the train stops moving, that's good.
Short of putting a person at the end of the train (caboose), but that got expensive, so what is the superior alternative?
Anything wired is too much hassle.
Anything wireless can be disrupted.
Anything manual is too expe
Talk about a "show-stopper"... (Score:2)
Fortunately, the US has no enemies and nobody would ever think to use this for anything bad. Right?
Remote exploit? (Score:2)
> "The physical aspect really only means that you could not exploit this over the internet from another country, you would need to be some physical distance from the train [so] that your signal is still received."
If it is a passive signal, it seems like the only thing preventing that is a lack of transmit power, at least to within the limits of the curvature of the earth (or, depending on frequency, maybe not even beyond that limit). And it's hard to overestimate the potential for financial loss if someone remotely cracked into a SpaceX satellite and manipulated its SDR to send such a signal from space.
Even if the attack requires two-way communication, the attacker still wouldn't need to be close to the train; the
Re: Remote exploit? (Score:2)
> Nothing prevents someone from maliciously dangling a battery-powered or solar-powered, cellular-capable pod off the edge of a highway bridge that crosses a railroad track and being half a continent away when actually triggering it.
Except that as the train passes under the bridge, it will momentarily interrupt the brake signal, yes, but as the train slows down it will go away from the transmitter and likely get far enough away to restore the signal and the train brake signal will be restored, so the train keeps going...
(Train brakes aren't like throwing an anchor from a ship, they take time to stop the train.)
Yes, you could attach the transmitter to the train, but, really, what's the point?
Re: (Score:2)
>> If it is a passive signal, it seems like the only thing preventing that is a lack of transmit power, at least to within the limits of the curvature of the earth (or, depending on frequency, maybe not even beyond that limit).
> It's 220 MHz. Not super fancy. 5-15 mile (7-25 km) range.
>> And it's hard to overestimate the potential for financial loss if someone remotely cracked into a SpaceX satellite and manipulated its SDR to send such a signal from space.
> No, that ain't gonna happen. You'd need a huge amount of signal (kilowatts for many minutes?) delivered from low-earth orbit to overcome a fairly high-power signal generated only a few miles/km away.
>> Even if the attack requires two-way communication, the attacker still wouldn't need to be close to the train; the signal generator would. Nothing prevents someone from maliciously dangling a battery-powered or solar-powered, cellular-capable pod off the edge of a highway bridge that crosses a railroad track and being half a continent away when actually triggering it.
> Give me a break. An evil-doer would have to dangle a lot of battery-operated jammers everywhere along the line, and then all it'd do is slow the darned train down, safely.
>> On the flip side, the fact that this hasn't been exploited yet is a pretty strong indication that nobody is trying to attack us, making it likely a pretty low risk. :-)
> This I agree with.
> All it hurts are the beancounters and the unionized on-board crew who have to deal with it.
Not just the US (Score:3)
This was an issue in Poland a couple of years ago with a similar system called "RadioStop." I think it was even exploited by Russian hackers.
They can do it on cars, too (Score:1)
....and have been able to for a while. :|
So all you need to do.. (Score:2)
Contrive a transmitter such that it jams the radio signal that tells the train engineer the brakes are working properly, so the train reacts by hitting the brakes. Of course, you have to be traveling close enough to the train so your transmitter can overwhelm the safety equipment...
Seems simple enough.
If you want to stop a train, wouldn't it be easier to steal a car and park it on the RR track so the train hits it? If you don't want to hurt anyone, put it at the end of a long straightaway, with the lights on so
Nothing To See Here (Score:2)
US Positive Train Control (PTC) systems put the life-safety-critical functions into a computer on-board the locomotive, parallel to the train engineer/operator. PTC needs, just like the meat-bag engineer, to know what's going on in front of the train (what the signals are set to, whether the track ahead is occupied by another train, etc.). While a lot of the more static information is canned into the PTC computer and updated occasionally, real-time stuff are information messages transmitted by radio every 6
Anyone is surprised about this? (Score:1)
From the industry that brought about the East Palestine derailment due to issues being ignored.
Re: (Score:2)
> Liberated from the rails at last! Free East Palestine!
From Pittsburg to the Lake!
Re: (Score:2)
"Pittsburg"? You must be from California. %^)
Re: (Score:1)
> .... the vulnerability, which can be exploited over radio frequencies
What the fucking fuck?? Why is it even possible for a train to receive radio signals that can do something with the brakes? That makes no sense.
Re: (Score:3)
Excellent question but the story is paywalled.
https://archive.ph/6fp8m
Because of FSK encoded radio links designed in the 1980s.
Re: (Score:1)
> Excellent question but the story is paywalled.
> https://archive.ph/6fp8m
> Because of FSK encoded radio links designed in the 1980s.
Unfortunately, even if you read the paywalled article, it is very vague and doesn't actually explain anything. It only says this:
> A lack of good communication between the front of the train and the back of a train caused accidents. In the 1980s, following a Congressional mandate, the rail industry instituted what it called an “End-of-Train and Head-of-Train Remote Linking Protocol.” This system allowed the back of the train to send telemetry data to the front and for the front to send basic commands back over radio frequencies.
Re: (Score:2)
It sounds like 80s era wireless trail braking used on trucks hauling trailers. You want all the units braking in unison.
Re: Anyone is surprised about this? (Score:3)
Trains use an air brake system with glad hand connections so that if a coupler fails (or more likely, wasn't correctly secured) the pressure is released and the brakes set on the entire train. The device we're talking about, which is known as FRED (on railroads the F is considered to be an F-Bomb) replaced the caboose in the 1980s. It monitors brake system pressure to ensure that it is in the operating range, and can also release the system pressure from the rear. This is needed so that the train brakes mor
Re: (Score:3)
Here's a non-paywalled article:
Hackers can tamper with train brakes using just a radio [1]
The obvious reason is to remotely stop a runaway train.
The stupid part is that there is no authentication or encryption.
Another option would be to use a deadman switch, which the engineer has to periodically reset to keep the brakes open. Most trains have some kinda deadman switch.
[1] https://gizmodo.com/hackers-can-tamper-with-train-breaks-using-just-a-radio-feds-warn-2000629522
Re:Anyone is surprised about this? (Score:4, Interesting)
It's not necessarily stupid that there's no authentication. This fails safe (train stops), not deadly ... you actually want emergency services to be able to stop any runaway train without begging for a code to do so.
Trains already have a dead-man switch, generally in the form of a Big Red Button that has to be pressed within a certain time after a buzzer sounds (called an alerter).
The way that train brakes are applied is interesting - they respond to a DROP of air pressure in the brake pipe that goes from wagon to wagon. This is a fail-safe to force the brakes to apply if the line develops a leak. But what if the line has a clog or closed valve somewhere in the train? The dead-man switch in the locomotive would only cause the brakes IN FRONT OF the clog to apply - the radio system works from the rear of the train, so will apply the brakes BEHIND the clog. In an extreme situation, both the dead-man switch and the radio system can be useful.
Re: (Score:2)
Unfortunately it *is* stupid that there's no authentication. Something as simple as even a 4-digit PIN check would have been sufficient. There is no need to allow random radio transmitters to apply the brakes, and anyone with the *authorized* equipment would be able to have an emergency override code possibly built right into their gear.
The system, as designed, has *no* such codes at all.
Re: (Score:2)
If you implemented it entirely as dead-man switch logic, the signal could just be jammed, causing the dead-man timers to time out. Jamming does not require breaking the authentication scheme.
Re: (Score:2)
The protocol was designed in the 1980s. What encryption were you going to run on Z80 class processors?
Re: (Score:2)
"What encryption were you going to run on Z80 class processors?"
Wasn’t rhetorical? Cool — here's a serious answer.
XTEA is one of the strongest ciphers that can reasonably run on a Z80. It’s a 64-bit block cipher with a 128-bit key and a very compact footprint — perfect for 8-bit systems. The operations are just shifts, XORs, and adds, so it’s lightweight and doesn’t require much RAM or code space.
Is it brute-forceable?
In theory, yes — any 128-bit key cipher is, but
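To make the XTEA suggestion in the comment above concrete, here is an added example (not from the thread, and not the real End-of-Train/Head-of-Train protocol) that uses XTEA for authentication, as a fixed-length CBC-MAC with a replay counter, rather than for encryption. The frame layout, field names, command code and key are all hypothetical.

```c
#include <stdint.h>

/* XTEA: 64-bit block v[2], 128-bit key k[4], 32 cycles of shift/XOR/add. */
static void xtea_encrypt(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < 32; i++) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
        sum += 0x9E3779B9u;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum >> 11) & 3]);
    }
    v[0] = v0; v[1] = v1;
}

/* Hypothetical fixed-length frame; layout and command codes are invented here. */
typedef struct {
    uint32_t unit_id, command;   /* first MAC block */
    uint32_t counter, reserved;  /* second MAC block; counter only ever increases */
    uint32_t tag[2];             /* 64-bit CBC-MAC over the four words above */
} frame_t;

/* CBC-MAC over exactly two blocks; CBC-MAC is only sound for fixed-length input. */
static void frame_mac(const frame_t *f, const uint32_t k[4], uint32_t out[2]) {
    out[0] = f->unit_id; out[1] = f->command;
    xtea_encrypt(out, k);
    out[0] ^= f->counter; out[1] ^= f->reserved;
    xtea_encrypt(out, k);
}
void frame_seal(frame_t *f, const uint32_t k[4]) { frame_mac(f, k, f->tag); }

/* Returns 1 (and advances *last) only for an authentic, correctly addressed, fresh frame. */
int frame_accept(const frame_t *f, const uint32_t k[4], uint32_t my_id, uint32_t *last) {
    uint32_t t[2]; frame_mac(f, k, t);
    if (((t[0] ^ f->tag[0]) | (t[1] ^ f->tag[1])) != 0) return 0; /* bad tag */
    if (f->unit_id != my_id || f->counter <= *last) return 0;     /* misaddressed or replayed */
    *last = f->counter; return 1;
}

/* Constructed scenario. Bit 0: genuine frame accepted; bit 1: replay rejected;
   bit 2: replay with the counter edited (no key) rejected. Returns 7. */
int demo(void) {
    const uint32_t key[4] = {0x01234567u, 0x89ABCDEFu, 0xFEDCBA98u, 0x76543210u}; /* sample key */
    frame_t f = {42, 1, 7, 0, {0, 0}};
    uint32_t last = 0; int r = 0;
    frame_seal(&f, key);
    r |= frame_accept(&f, key, 42, &last);
    r |= (!frame_accept(&f, key, 42, &last)) << 1;
    f.counter = 8;  /* sender without the key bumps the counter but cannot recompute the tag */
    r |= (!frame_accept(&f, key, 42, &last)) << 2;
    return r;
}
```

A MAC like this addresses spoofed and replayed commands only; as another comment in the thread notes, jamming does not require breaking the authentication scheme.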
Re: (Score:1)
How many humans do you think are aboard a freight train?
For safety reasons, most standard US freight trains are legally required to have a minimum of two human crew members, including a locomotive engineer and a conductor. However, there are exceptions for certain one-person train crew operations that do not pose significant safety risks, according to the Federal Railroad Administration (FRA).
And for the record: The train companies aren't happy about that. They'd rather have ONE person...
[1]Key Takea [aar.org]
[1] https://www.aar.org/issue/crew-size/
Re: (Score:3)
The response to the radio signal is to fail safe (stop), not fail deadly. You definitely want emergency services to be able to stop a runaway train (esp. one without a driver) without much bureaucracy. The risk is a stopped train. The risk of NOT having that ability is a disaster like the Lac-Mégantic incident ~10 years ago.