Tuesday, July 15, 2025

Security: not advancing at the speed of a freight train

Well, the security of the freight train, that is:

When independent security researcher Neil Smith reported a vulnerability in a comms standard used by trains to the US government in 2012, he most likely didn't expect it would take until 2025 to sort the matter out, but here we are.

The US Cybersecurity and Infrastructure Security Agency (CISA) issued CVE-2025-1727 (CVSS v3.1 8.1) last week, specifying the issue as one of weak authentication in the end-of-train to head-of-train linking protocol - allowing an attacker to input their own braking commands and stop the train in its tracks.

Now that's pretty bad, just by itself. This could also cause derailment. But this part is maddening:

With a simple exploit sitting out there in the open since 2012 (if Smith discovered it, someone else might too), it seems practically negligent that someone didn't take action, but as a 2016 story from the Boston Review explains, it's not a surprise.

The article tells the story of Smith's by then four-year tussle with the AAR upon first reporting the matter to the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) after successfully recording telemetry data from a passing train using an SDR in 2012.

ICS-CERT went to AAR with Smith's concerns, hoping they would be open to further security testing, but that initial contact was as far as it went - and as far as the BR story was able to glimpse into the struggle.

As Smith explained on X, the Boston Review article led to some burnout on the matter until security researcher Eric Reuter gave a talk at DEFCON in 2018, presenting an independent discovery of the same issue. By 2024, ICS-CERT had restructured several times, and Smith decided to reach back out to see if they could reopen the issue.

According to Smith, AAR's infosec director saw it as a minor issue since the FRED protocol was end-of-life and slated for replacement, despite still being in use.

Translation: yeah, we sat on this for 12 years but it's all good, bro.

All those people going on about "OMG Trump is going to gut Internet Security teams" should ask themselves just what the heck those teams have been up to for the last dozen years.

1 comment:

GuardDuck said...

"Updated to add

CISA has told The Register the train issue may not be as bad as it sounds, and confirmed work is underway to get a replacement system deployed.

"[This] vulnerability has been understood and monitored by rail sector stakeholders for over a decade," CISA acting executive assistant director for cybersecurity Chris Butera told us in an email. "To exploit this issue, a threat actor would require physical access to rail lines, deep protocol knowledge, and specialized equipment, which limits the feasibility of widespread exploitation.""

Physical access to rail lines? The lines are physically running throughout the country. It's not like one has to stand on the track itself to make this happen.

Deep protocol knowledge? The vulnerability is an outdated security checksum transmitted over radio. I'm not sure how deep one's knowledge has to be to foil it - the security researcher who discovered it is a computer guy - not a railroad guy, and he found the vulnerability.

Specialized equipment? A software defined radio transmitter and a computer. That's not extremely specialized.