A vulnerability that can be exploited to tamper with a train’s brakes

https://www.securityweek.com/train-hack-gets-proper-attention-after-20-years-researcher/

20•01-_-•6mo ago

Comments

bestouff•6mo ago

USA trying to make is public transport system even less popular.

persolb•6mo ago

I believe this is only used on one passenger line in the entire country. This is really a freight based system intended to transmit brake apply signals as speed of light instead of speed of sound.

Since passenger trains are usually short and often have a wired bus) they don’t really need this system.

senectus1•6mo ago

>“The End-of-Train (EOT) and Head-of-Train (HOT) vulnerability has been understood and monitored by rail sector stakeholders for over a decade. To exploit this issue, a threat actor would require physical access to rail lines, deep protocol knowledge, and specialized equipment, which limits the feasibility of widespread exploitation—particularly without a large, distributed presence in the U.S.

Sure, thats reaaaally unlikely hey... /S

kotaKat•6mo ago

While this is bad… keep in mind you can also stop trains with a jumper cable across the tracks, too.

https://hackaday.com/2016/12/14/protesters-use-jumper-cables...

persolb•6mo ago

Yeah. Exactly. The consequence of this club is either:

1) The brakes take an extra couple seconds to apply (note: this is only used on long trains… so stopping is over a minute anyway)

2) The emergency brakes apply. This is considered a safe condition, and for Positive Train Control is considered the ‘safe state’.

If someone tries to utilize this vulnerability, the EOT device will be shutoff. On the few tracks where it’s actually required, there are mitigations to still operate safely.

This would be really easy to annoy a single train crew. This would be really hard to do to geographically diverse trains.

BikDk•6mo ago

This looks like an exploit for all future train control systems (TCS)

IAmBroom•6mo ago

Does including a three-letter acronym (TLA) make your answer look informed (ALI)?

Because it's an article about outdated systems. Radio-controlled systems built in the last ten years, and in the future, are all mandated to be encrypted.

Furthermore, very few passenger train systems are radio-controlled. Instead, just like cars and buses, control is decentralized to the individual vehicle, and automated based on feedback from the track. No feedback, and the train stops.

BikDk•6mo ago

This ist a standard and ancient sender/receiver problem of communication. However, I'm glad you like big machines and seem interested enough to dive deeper into this topic. The official acronym TCS is still no match to your creativeness, please take it easy, as if you plan to do some research on this you will encounter a lot of those.

xtiansimon•6mo ago

Don’t know about today, but you used to be able to drop the gates with a nail.

marklubi•6mo ago

Shocking, not shocking. Worked for a company more than two decades ago that ran a lot of shortlines.

Called out several different vulnerabilities that I found while researching how to make things more efficient (the company owning the tracks get charged for the car lease while it's on their tracks).

Nothing came of it though. They were more worried about replacing infrastructure after several cars toppled because the ties had rotted.

Octrafic – open-source AI-assisted API testing from the CLI

US Accuses China of Secret Nuclear Testing

Peacock. A New Programming Language

A postcard arrived: 'If you're reading this I'm dead, and I really liked you'

What to know about the software selloff

Show HN: Syntux – generative UI for websites, not agents

Microsoft appointed a quality czar. He has no direct reports and no budget

AI overlay that reads anything on your screen (invisible to screen capture)

Show HN: Seafloor, be up and running with OpenClaw in 20 seconds

Tesla turbine-inspired structure generates electricity using compressed air

State Department deleting 17 years of tweets (2009-2025); preservation needed

Learning to code, or building side projects with AI help, this one's for you

Effulgence RPG Engine [video]

Five disciplines discovered the same math independently – none of them knew

We Scanned an AI Assistant for Security Issues: 12,465 Vulnerabilities

Amazon no longer defend cloud customers against video patent infringement claims

Show HN: Medinilla – an OCPP compliant .NET back end (partially done)

How Does AI Distribute the Pie? Large Language Models and the Ultimatum Game

Resistance Infrastructure

Fire-juggling unicyclist caught performing on crossing

Restoring a lost 1981 Unix roguelike (protoHack) and preserving Hack 1.0.3

GPS and Time Dilation – Special and General Relativity

Show HN: Witnessd – Prove human authorship via hardware-bound jitter seals

Show HN: I built a clawdbot that texts like your crush

Scientists reverse Alzheimer's in mice and restore memory (2025)

Compiling Prolog to Forth [pdf]

Show HN: Cymatica – an experimental, meditative audiovisual app

GitBlack: Tracing America's Foundation

Horizon-LM: A RAM-Centric Architecture for LLM Training

We just ordered shawarma and fries from Cursor [video]