Critical Flaw Exposed for 13 Years: US Trains Vulnerable to Public Shutdown

A security flaw in the U.S. rail system, identified in 2012, allows remote activation of emergency brakes using readily available technology. The vulnerability lies in the End-of-Train (EoT) modules, which lack robust security. The Association of American Railroads (AAR) reportedly dismissed the initial warnings. Only after a recent advisory from CISA did the AAR announce an upgrade plan, expected to be fully deployed by 2027, fifteen years after the flaw was first discovered.

CNBC AI News – A glaring security flaw in the U.S. rail system, initially flagged in 2012, has been largely ignored by the Association of American Railroads (AAR) for over a decade. The AAR only sprang into action after a recent security advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA) brought the issue to the forefront.

According to hardware security researcher Neils, the vulnerability was first identified in 2012, coinciding with the increasing accessibility of software-defined radios (SDRs).

Fatal flaw discovered 13 years ago! U.S. trains can be braked by anyone, yet it has never been fixed

The weak point lies within the End-of-Train (EoT) modules present on all U.S. trains. These modules wirelessly transmit telemetry data to the front of the train and are also capable of receiving commands.

Originally implemented in the late 1980s, the system relied on a specific frequency assuming exclusive use, and therefore only employed a basic BCH checksum for data packet creation. This approach, while adequate at the time, has proven woefully inadequate in the face of modern technology.

The proliferation of SDRs means that anyone can now easily spoof these data packets, effectively sending false signals to both the EoT module and its corresponding Head-of-Train (HoT) module.

While a bogus signal alone might not cause immediate alarm, the real danger lies in the HoT’s ability to issue braking commands to the EoT through this very system. This means, critically, that an individual armed with readily available hardware costing less than $500 and the requisite knowledge could potentially trigger emergency braking remotely, without the engineer’s awareness.
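Why a checksum alone cannot tell a legitimate sender from any other, shown as an added example that is not from the article, the researcher or the AAR. The textbook BCH(15,7) generator, the 7-bit payload, the counter width and the key are assumptions for illustration and do not reflect the real EoT/HoT packet format.

```python
import hashlib
import hmac

# Textbook BCH(15,7) generator x^8+x^7+x^6+x^4+1; an assumption, not the EoT code.
GEN = 0b111010001

def bch_parity(data7: int) -> int:
    """Parity bits: remainder of data(x) * x^8 divided by GEN over GF(2)."""
    reg = (data7 & 0x7F) << 8
    for bit in range(14, 7, -1):
        if reg & (1 << bit):
            reg ^= GEN << (bit - 8)
    return reg & 0xFF

def encode(data7: int) -> int:
    """Public encoding step: needs no secret, so any sender can perform it."""
    return ((data7 & 0x7F) << 8) | bch_parity(data7)

def legacy_accepts(word15: int) -> bool:
    """Checksum-only receiver: validates the sender's arithmetic, not identity."""
    return bch_parity(word15 >> 8) == (word15 & 0xFF)

def make_tag(key: bytes, counter: int, word15: int) -> bytes:
    """Truncated HMAC-SHA256 over a monotonic counter and the codeword."""
    msg = counter.to_bytes(4, "big") + word15.to_bytes(2, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class AuthReceiver:
    """Hardened receiver: checksum for noise, MAC for origin, counter for replay."""
    def __init__(self, key: bytes):
        self.key, self.last = key, -1

    def accepts(self, counter: int, word15: int, tag: bytes) -> bool:
        if not legacy_accepts(word15) or counter <= self.last:
            return False
        if not hmac.compare_digest(tag, make_tag(self.key, counter, word15)):
            return False
        self.last = counter
        return True

if __name__ == "__main__":
    word = encode(0x55)  # constructed 7-bit sample value
    rx = AuthReceiver(b"constructed-demo-key")
    print(legacy_accepts(word), legacy_accepts(word ^ 1))
    print(rx.accepts(1, word, make_tag(b"constructed-demo-key", 1, word)))
    print(rx.accepts(2, word, make_tag(b"some-other-key", 2, word)))
```

The checksum still catches radio noise (the flipped bit is rejected), but only the keyed tag and counter bind a frame to a holder of the shared key and to a single use.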

Neils claims the AAR dismissed the findings in 2012, treating them as a theoretical problem that it would only believe if it actually happened.

This inaction was compounded by the Federal Railroad Administration’s (FRA) lack of dedicated testing track facilities. Further complicating matters, the AAR reportedly declined to allow any testing on its own properties, citing safety concerns.

As recently as 2024, the issue remained unresolved. The AAR’s Information Security Director reportedly downplayed the severity of the vulnerability, suggesting it wasn’t a significant concern and that the at-risk equipment was nearing the end of its service life. It is a cost-benefit approach to rail safety that is sure to raise eyebrows.

CISA’s intervention underscores the gravity of the situation. Its public advisory likely forced the AAR’s hand. The group has since announced an upgrade plan, in April 2024. However, the rollout is expected to be slow, with full deployment not anticipated until 2027, fifteen years after the initial warning.


Original article, Author: Tobias. If you wish to reprint this article, please indicate the source: https://aicnbc.com/4637.html
