Serious security hole in Spanish rail network

Two Spanish researchers and cybersecurity specialists, Gabriela García and David Meléndez, have discovered that the national railway system has a serious security hole that could be exploited to commit terrorist attacks (the disaster of the new AVE and Avlo trains, in figures).

In a presentation at DEF CON 2024, a cybersecurity event taking place in Las Vegas, they raised the alarm about the shortcomings of the so-called ASFA (Automatic Signal Announcement and Braking), a system introduced in the 1970s that consists of a series of beacons placed along the tracks that send instructions to train drivers.

According to El Confidencial, their report shows that it is relatively easy to manipulate the communications between beacons and trains, which poses a serious security risk.

That is why Garcia and Melendez stress the importance of urgently updating rail management systems to prevent possible cyber attacks, as the European Commission is seeking to do with its own ERTMS (European Rail Traffic Management System).

The researchers show that cyber attacks of this kind on such systems have already occurred, for example during the war between Russia and Ukraine. “If someone duplicates the beacon and sends the wrong signals, madness can break out, causing the train to not stop, start, derail, or slow down when it shouldn’t,” they warn.