Investigators find major security flaw that puts all trains at risk
Two Spanish researchers, Gabriela García and David Meléndez, presented a report during DEF CON 2024, one of the most important cybersecurity events in the world, held in Las Vegas (USA), in which they discovered a very important and serious security flaw in one of the Spanish railway management systems used for decades.
Garcia and Melendez presented their research on electronics at DEF CON 2024.A system called ASFA (Automatic Signal and Facing). which consist of a set of beacons distributed along the tracks that interact with receivers installed in the trains, giving instructions to drivers to change the direction of the train, stop it, start it, or limit its speed.
They found that it was possible. intercept and manipulate these messages between the lighthouses and the trains, leaving the way clear for someone with bad intentions to give the drivers the wrong directions and cause chaos in Spain’s railway system.
In their presentation they revealed there is an urgent need to update and protect these systems, which have been in operation for 7 years0 and are used on all tracks used by all Adif trains: RENFE, RAM and FGV.
While it is true that these beacons work quite well, it’s not that hard to duplicate them and send the wrong signals trains to stop, start or speed in areas where they should not.
The researchers note that this weakness is easy to exploit because there is a lot of publicly available information about these lighthouses and their operation, as well as the fact that, since the roads are old and easily accessible, It is not difficult to create a fake beacon and place it.
What is the solution?
Following their discoveries, the researchers worked to develop a solution and came up with several proposals for security measures that could solve the problem and fit any budget.
For example, this There are traffic inspectors who detect whether some strange device appears or whether it should not be there.as they point out, “Italy has driverless trains that inspect the tracks.” Although they would choose use drones for this purpose and thereby reduce the cost.
Despite this, they note that more protective and safety measures will need to be implemented and recommend use the ERTMS systemwhich is already in use in other European countries, and in fact the European Commission intends for all member states to use it as part of efforts to create a single rail network across the Union.
LinkedIntoo loud