WWW.404MEDIA.CO
Hackers Can Remotely Trigger the Brakes on American Trains and the Problem Has Been Ignored for Years
Many trains in the U.S. are vulnerable to a hack that can remotely lock a train's brakes, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the researcher who discovered the vulnerability. The railroad industry has known about the vulnerability for more than a decade but only recently began to fix it.

Independent researcher Neil Smith first discovered the vulnerability, which can be exploited over radio frequencies, in 2012.

"All of the knowledge to generate the exploit already exists on the internet. AI could even build it for you," Smith told 404 Media. "The physical aspect really only means that you could not exploit this over the internet from another country, you would need to be some physical distance from the train [so] that your signal is still received."

Smith said that a hacker who knew what they were doing could trigger the brakes from a distance. "A low powered device like a FlipperZero could do it within a few hundred feet, and if you had a plane with several watts of power at 30,000 feet, then you could get about 150 miles of range," he said.

The origins of the vulnerability, ironically, come from something that was designed to make trains safer. A lack of good communication between the front of a train and the back of a train caused accidents, and in the 1980s, following a Congressional mandate, the rail industry instituted what it called the End-of-Train and Head-of-Train Remote Linking Protocol, or EOT/HOT. This system allowed the back of the train to send telemetry data to the front, and the front to send basic commands back, over radio frequencies.

"The radio link is a commonly found [frequency-shift keying] data modem that was easy to identify," Smith told 404 Media. "The real challenge was reverse engineering what the various bits in the packet actually meant."
A frequency-shift keying modem encodes the transmitted data by shifting the frequency of the radio carrier.

According to Smith, the rail industry ghosted him in 2012 when he alerted it to the problem. "The Association of American Railroads (AAR), which is the maintainer of the protocol used across North America for EOT/HOT radio links, would not acknowledge the vulnerability as real unless someone could demonstrate it to them in real life," Smith said. "They also would not authorize the testing to be done to prove it was a real issue."

A 2016 Boston Review article detailed the vulnerability and quoted Smith. Days later, Fortune published an interview with Tom Farmer, who was then the VP for security at AAR, that downplayed the threat. At the time, Farmer said the Boston Review article was based on "a lot of inaccuracies and mischaracterizations."

Chris Butera, CISA's Acting Executive Assistant Director of Cybersecurity, told 404 Media that the exploit had been "understood and monitored by rail sector stakeholders for over a decade."

"To exploit this issue, a threat actor would require physical access to rail lines, deep protocol knowledge, and specialized equipment, which limits the feasibility of widespread exploitation, particularly without a large, distributed presence in the U.S.," Butera said. "While the vulnerability remains technically significant, CISA has been working with industry partners to drive mitigation strategies. Fixing this issue requires changes to a standards-enforced protocol, and that work is currently underway."

Smith told me that Butera's statement was overly complicated, and that exploiting it would not actually be that hard. Even CISA's writeup deems the exploit to be of "low attack complexity." The vulnerability has not yet been fixed. CISA said the industry is working on it, but did not give me a timeline. AAR did not respond to a request for comment.
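Butera's point that the fix "requires changes to a standards-enforced protocol" is the heart of the matter: a command link that acts on any well-formed frame it hears cannot be patched at the receiver alone, because nothing in the frame proves who sent it. The following Python sketch, added here as an illustration and not code from 404 Media, Smith, AAR or CISA, contrasts a hypothetical unauthenticated frame layout with one that carries a keyed message authentication code and a monotonic counter. The frame formats, unit ids, command codes and key are all constructed for the example; they are not the real EOT/HOT packet format.

```python
"""Why an unauthenticated radio command channel is fragile, and what a
protocol-level fix (keyed MAC plus anti-replay counter) changes.
All framing here is hypothetical; it is not the AAR EOT/HOT format."""
import hashlib
import hmac
import struct

# Constructed command codes for the illustration
CMD_STATUS_REQUEST = 0x01
CMD_EMERGENCY_BRAKE = 0x02


# --- Legacy-style link: any well-formed frame addressed to the unit is acted on
def legacy_encode(unit_id: int, command: int) -> bytes:
    """Hypothetical legacy frame: unit id + command, nothing proving the sender."""
    return struct.pack(">IB", unit_id, command)


def legacy_decode(frame: bytes, expected_unit: int):
    """Return the command if the frame is addressed to this unit, else None.
    There is no way to distinguish the real head-of-train from any other radio."""
    if len(frame) != struct.calcsize(">IB"):
        return None
    unit_id, command = struct.unpack(">IB", frame)
    return command if unit_id == expected_unit else None


# --- Authenticated link: shared key, HMAC tag, strictly increasing counter
TAG_LEN = 16                      # truncated HMAC-SHA256 tag
HEADER_FMT = ">IIB"               # unit id, monotonic counter, command
HEADER_LEN = struct.calcsize(HEADER_FMT)


class AuthenticatedEndpoint:
    """One end of a paired link (head or tail). Both ends hold the same key."""

    def __init__(self, key: bytes, unit_id: int):
        self.key = key
        self.unit_id = unit_id
        self.tx_counter = 0           # last counter value we transmitted
        self.highest_rx_counter = 0   # highest counter value we accepted

    def encode(self, command: int) -> bytes:
        self.tx_counter += 1
        header = struct.pack(HEADER_FMT, self.unit_id, self.tx_counter, command)
        tag = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        return header + tag

    def decode(self, frame: bytes):
        """Return (command, "ok") or (None, reason). Tag is checked before the
        counter so a forger learns nothing about the counter window."""
        if len(frame) != HEADER_LEN + TAG_LEN:
            return None, "malformed"
        header, tag = frame[:HEADER_LEN], frame[HEADER_LEN:]
        unit_id, counter, command = struct.unpack(HEADER_FMT, header)
        if unit_id != self.unit_id:
            return None, "wrong-unit"
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None, "bad-tag"
        if counter <= self.highest_rx_counter:
            return None, "replay"
        self.highest_rx_counter = counter
        return command, "ok"


def demo():
    """Exercise both links with constructed values and return the outcomes."""
    unit = 0x00C0FFEE               # constructed unit id
    key = b"\x11" * 32              # constructed shared key
    head = AuthenticatedEndpoint(key, unit)
    tail = AuthenticatedEndpoint(key, unit)

    # Legacy: a frame with the right unit id is accepted regardless of origin
    legacy = legacy_decode(legacy_encode(unit, CMD_EMERGENCY_BRAKE), unit)

    # Authenticated: genuine frame accepted once; the same bytes heard again
    # are rejected as a replay; a frame built without the key fails the tag
    frame = head.encode(CMD_EMERGENCY_BRAKE)
    first = tail.decode(frame)
    replay = tail.decode(frame)
    stranger = AuthenticatedEndpoint(b"\x22" * 32, unit)
    forged = tail.decode(stranger.encode(CMD_EMERGENCY_BRAKE))
    return {"legacy": legacy, "first": first, "replay": replay, "forged": forged}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>7}: {result}")
```

The design choice worth noting is that the counter check sits after the tag check: a receiver that reported "replay" before verifying the tag would let an unauthenticated sender probe its counter state. What the sketch does not solve is key provisioning and rotation across a fleet of devices that are swapped between trains, which is the operational reason a fix of this shape has to go through the standards body rather than a firmware update on one unit.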
According to Smith, the update may take years. He also called out the AAR for the way it has handled the situation for more than a decade. "In my personal opinion, the American railway industry treats cybersecurity issues with the same playbook as the insurance industry's 'delay, deny, defend' mantra," he said.

This is the second major train-related security story in recent years. Last year, we published multiple articles about a team of Polish hackers who hacked a train in order to repair it.