Turns out you can just hack any train in the USA

https://twitter.com/midwestneil/status/1943708133421101446

19•lyu07282•6mo ago

Comments

DanAtC•6mo ago

https://threadreaderapp.com/thread/1943708133421101446.html

linusg789•6mo ago

https://nitter.net/stneil/status/1943708133421101446

railfan•6mo ago

This is FUD spread by the auto industry to make people afraid of public transportation options like high-speed rail. If the rail industry is ignoring this CVE, then it must be because it's either not practically exploitable or not as severe as the author claims. Publishing an "exploit" on a major piece of industrial equipment is great for the resume, but testing it would be a federal offense, so we can assume that the author has no real idea whether it works or not. People who work for the railroad are smart, and have a lot more experience with trains than your average Lambda School grad, so I'll defer to their judgemental rather than enthusiastic headlines like this. Do better.

mikeodds•6mo ago

eh I worked around this and other operational technology and industrial control system security testing previously - lots of it isn’t built with security in mind

test wise you’d be amazed at what old controllers end up at surplus places or on eBay.

IAmBroom•6mo ago

You clearly don't work in the train industry.

NO old surplus controllers are being reused in the industry.

The overriding mandate in EVERY train design system is "fail to safe". Trains are unique in that they have a reliably safe fail mode - brake, as fast as you can, so fast that the wheels heat up and weld to the tracks. Another train could come along and hit them, but that's another incident, unrelated to the current danger.

Cars doing that can get rear-ended as a result. Planes would de-elevate rather dramatically. Bicycles would throw their riders off.

The industry (and specifically, the light-rail aka people mover train industry) is so safety-conscious that railroads write additional safety regulations to be added to the FRA rulebook.

harvey9•6mo ago

Is Ethan Supplee in Unstoppable (2010) also auto industry propaganda, portraying some railroad workers as less than smart?

railfan•6mo ago

Is a fictional character in an action movie a realistic or relevant point in relation to real life?

dns_snek•6mo ago

> If the rail industry is ignoring this CVE, then it must be because it's either not practically exploitable or not as severe as the author claims.

> People who work for the railroad are smart, and have a lot more experience with trains than your average Lambda School grad, so I'll defer to their judgemental

That's a very idealistic view of the world, I don't think reality would agree. Ego, indifference, and plain incompetence are extremely common in every industry, then add onto that the fact that hardware companies are already notoriously bad at software, and then you can double the risk for entrenched companies that have little pressure to be proactive about these things.

This is exactly the kind of lax response I would intuitively expect from a company of this nature. I say that as I glance over at Boeing.

longfingers•6mo ago

It would be very short sighted of the auto industry to criticize an insecure car to car protocol when that is a thing they want to implement with exactly the same security budget.

It needs local proximity RF which was probably considered an out of scope risk in the initial design but is more and more likely to be available by accident as newer RF devices have more defined by software.

MartijnBraam•6mo ago

Maybe the CVE is being ignored because it's not such a big issue at all? It's already possible to cause a train to brake and make a disruption by pulling any of the emergency breaks inside it.

persolb•6mo ago

I work on trains. This is FUD.

Except for 1 train in the US, no passenger trains use this function. It is only for long freight trains.

If you block it, the train still brakes…. Just the propagation is at the speed of sound instead of speed of light. Functionally, it doesn’t matter.

You can theoretically cause the brakes to apply, but then this system just gets cut out anyway. It’s not really required.

US moves to deport 5-year-old detained in Minnesota

If you lose your passport in Austria, head for McDonald's Golden Arches

Show HN: Mermaid Formatter – CLI and library to auto-format Mermaid diagrams

RFCs vs. READMEs: The Evolution of Protocols

Kanchipuram Saris and Thinking Machines

Chinese chemical supplier causes global baby formula recall

I've used AI to write 100% of my code for a year as an engineer

Looking for 4 Autistic Co-Founders for AI Startup (Equity-Based)

AI-native capabilities, a new API Catalog, and updated plans and pricing

What changed in tech from 2010 to 2020?

From Human Ergonomics to Agent Ergonomics

Advanced Inertial Reference Sphere

Toyota Developing a Console-Grade, Open-Source Game Engine with Flutter and Dart

Typing for Love or Money: The Hidden Labor Behind Modern Literary Masterpieces

Show HN: A longitudinal health record built from fragmented medical data

CoreWeave's $30B Bet on GPU Market Infrastructure

Creating and Hosting a Static Website on Cloudflare for Free

"The Stanford scam proves America is becoming a nation of grifters"

Elon Musk on Space GPUs, AI, Optimus, and His Manufacturing Method

X (Twitter) is back with a new X API Pay-Per-Use model

Zlob.h 100% POSIX and glibc compatible globbing lib that is faste and better

Show HN: Deterministic signal triangulation using a fixed .72% variance constant

Scientists Discover Levitating Time Crystals You Can Hold, Defy Newton’s 3rd Law

When Michelangelo Met Titian

Solving NYT Pips with DLX

Baldur's Gate to be turned into TV series – without the game's developers

Interview with 'Just use a VPS' bro (OpenClaw version) [video]

EchoJEPA: Latent Predictive Foundation Model for Echocardiography

Disablling Go Telemetry

Effective Nihilism