Critical Railway Braking Systems Open to Tampering TechTarget and Informa Tech’s Digital Business Combine.TechTarget and InformaTechTarget and Informa Tech’s Digital Business Combine.Together, we power an unparalleled network of 220+ online properties covering 10,000+ granular topics, serving an audience of 50+ million professionals with original, objective content from trusted sources. We help you gain critical insights and make more informed decisions across your business priorities.Dark Reading Resource LibraryBlack Hat NewsOmdia CybersecurityAdvertiseNewsletter Sign-UpNewsletter Sign-UpCybersecurity TopicsRelated TopicsApplication SecurityCybersecurity CareersCloud SecurityCyber RiskCyberattacks & Data BreachesCybersecurity AnalyticsCybersecurity OperationsData PrivacyEndpoint SecurityICS/OT SecurityIdentity & Access Mgmt SecurityInsider ThreatsIoTMobile SecurityPerimeterPhysical SecurityRemote WorkforceThreat IntelligenceVulnerabilities & ThreatsRecent in Cybersecurity TopicsCybersecurity OperationsCan a Global, Decentralized System Save CVE Data?Can a Global, Decentralized System Save CVE Data?byRobert Lemos, Contributing WriterNov 18, 20254 Min ReadApplication SecurityMalicious Npm Packages Abuse Adspect Cloaking in Crypto ScamMalicious Npm Packages Abuse Adspect Cloaking in Crypto ScambyElizabeth Montalbano, Contributing WriterNov 18, 20255 Min ReadWorld Related TopicsDR GlobalMiddle East & AfricaAsia PacificRecent in World See AllCyberattacks & Data BreachesCoyote, Maverick Banking Trojans Run Rampant in BrazilCoyote, Maverick Banking Trojans Run Rampant in BrazilbyAlexander CulafiNov 13, 20254 Min ReadThreat IntelligenceSilver Fox APT Blurs the Line Between Espionage & CybercrimeSilver Fox APT Blurs the Line Between Espionage & CybercrimebyNate Nelson, Contributing WriterAug 8, 20253 Min ReadThe EdgeDR TechnologyEventsRelated TopicsUpcoming EventsPodcastsWebinarsSEE ALLResourcesRelated TopicsResource LibraryNewslettersPodcastsReportsVideosWebinarsWhite Papers Partner PerspectivesDark Reading Resource LibraryICS/OT SecurityVulnerabilities & ThreatsCybersecurity OperationsPhysical SecurityNewsCritical Railway Braking Systems Open to TamperingIt only takes recycled cans, copper, and cheap gadgets off the Web to trick a train conductor into doing something dangerous.Nate Nelson, Contributing WriterNovember 19, 20255 Min ReadSource: PRILL Mediendesign via Alamy Stock PhotoResearchers have figured out how to spoof the signals that tell train conductors to brake, opening the door to any number of dangerous attack scenarios.When a large, moving train is rolling down the tracks toward an oncoming obstacle, one can't rely solely on a conductor to handle what's ahead. To account for human error, in emergency circumstances, you need a system built into the train itself that can automatically bring the stock to a halt.In most countries around the world, though, these safety systems are quite old and outdated. In Spain, for instance, the primary train protection system — Anuncio de Señales y Frenado Automático, or ASFA for short — dates back to the 1960s. "In the '60s, of course, there were no hackers trying to infiltrate your signaling systems, because people were, like, doing other things," says TechFrontiers cofounder Gabriela Garcia. Recently, she and Techfrontiers cofounder David Melendez tested what would happen if a hacker tried it today.In an upcoming presentation at Black Hat Europe 2025 in London, they'll discuss the results of this experiment. The bottom line: With minimal knowledge of system particulars and no expensive tooling, they could easily manipulate safety signals and cause life-threatening consequences.Related:Operational Technology Security Poses Inherent Risks for ManufacturersAll but the most modern safety systems today, she says, "are not very secure, because [security] wasn't a point of thinking by the time they were created. We are not trying to blame any public institutions for not changing it, we are just trying to give a wake-up call: that the time is now to change all these systems."How Analog Train Signalling WorksIf you pause to notice the details in a set of train tracks, you'll realize that there's more to them than just rails held together by planks.There's the ballast, for example — a locally jagged but overarchingly even layer of small rocks that run the entire length of the track, used to facilitate water drainage, distribute weight, and stabilize moving trains. And every so often along the tracks there are these boxy, little things — about the size of a notebook, and possibly painted in a color that distinguishes it from the planks it rests on. Confusingly, these are called balises.Balises are passive signalling beacons. They're charged to resonate at particular frequencies, corresponding with particular train signals. As a train moves over a balise, the two perform an inductive coupling, ultimately warning the train conductor to keep going, slow down, stop, or adhere to some other command.Related:Critical Claroty Authentication Bypass Flaw Opened OT to AttackIt goes without saying, then, that the reliability of the balise signaling system is critical to the safety of all those on or near a train. That made it a point of interest for Spain-based Garcia and Melendez, "because in Spain we have had some incidents related to public terror on trains. It's something that is very sensitive in Spain, such as planes in the US."Sabotaging Train SignalsTo figure out how to manipulate their home ASFA system, Garcia and Melendez designed a crude recreation of the inductive handshake between train and balise. Melendez recalls how "we had to replicate the whole system based on [what we could infer from] public documentation, because nobody gave us any equipment or any kind of help." They ended up doing it with little more than loose trash — copper wire wound around a recycled food can, capacitors from an old power supply formed into a circuit, a cheap signal generator off Aliexpress, etc.ASFA is too primitive and analog to involve any kind of security protections. So all they needed to do was tune their copycat balises to the right frequencies, and the same principle would allow them to communicate with a real passing train. Their handheld, cardboard device could have been used to halt a moving train in its tracks, issue false speed commands, or worse.Related:Bombarding Cars With Lasers: Novel Auto Cyberattacks EmergeThey also could have affected a similar outcome by tampering with legitimate balises installed on train tracks. In Spain, the wiring to balises tends to be protected only by simple plastic tubes. Any attacker with motive to do so could access those wires, and affect the frequency of the balise signal using something like a portable power bank.These same findings apply to other rail systems in other parts of the globe — any that use balises for inductive coupling. Garcia recalls, "We studied a lot of different legacy railway systems, such as the German one, the UK one, the Amtrak American one, and the Spanish one was the most robust."Are Modern Train Systems More Secure?In the 1990s, as Europe began to plan for an international rail system connecting countries across the continent, the European Union (EU) introduced a European Rail Traffic Management System (ERTMS), the signalling component being the European Train Control System (ETCS). Like ASFA, ETCS uses balises to transmit information about track conditions and speed limits to the moving stock. It also supplements this system with two more levels of continuous communication and control.Though analog systems like ASFA predominate, ERTMS/ETCS can be found in modern, mostly high-speed lines on the continent. So when they finished investigating ASFA, Garcia and Melendez wondered if similar principles could be used to manipulate ERTMS/ETCS.Due to the sensitive, continent-spanning implications of this line of research, they declined to share specifics with Dark Reading, saving them for the moment of their presentation. They did, however, allude to risks in that system, too. It begins with the fact that, as Melendez explains, "the European system expands that [signalling] concept to include any kind of aspect of the tracks. The system can communicate the shape of the tracks, if the train goes uphill or downhill, not only [if the train should] stop and go. So the data taken from the beacon is much more sophisticated, and that's because it's a digital system instead of an analog system."Hand in hand with that added functionality comes added risks: digital jamming and spoofing, relay attacks, tampering, even data theft. A train conductor might also have reason to disable ERTMS, and revert back to the vulnerable ASFA system.Garcia acknowledges that actually securing these systems is a tall task, and would likely engender political pushback. "It's such a huge amount of money you have to spend to change a signaling system," she says. "It's also a huge amount of work and time you have to spend. And when you are in a position of power, you have to choose your battles very well. So we understand the situation, but we are trying to point out that now, in this moment, railway security is very important."Read more about:Black Hat NewsAbout the AuthorNate Nelson, Contributing WriterNate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."See more from Nate Nelson, Contributing WriterMore InsightsIndustry Reports2025 State of Threat Intelligence: What it means for your cybersecurity strategyGartner Innovation Insight: AI SOC AgentsState of AI and Automation in Threat IntelligenceGuide to Network Analysis Visibility SolutionsOrganizations Require a New Approach to Handle Investigation and Response in the CloudAccess More ResearchWebinarsIdentity Security in the Agentic AI EraHow AI & Autonomous Patching Eliminate Exposure RisksSecuring the Hybrid Workforce: Challenges and SolutionsCybersecurity Outlook 2026Threat Hunting Tools & Techniques for Staying Ahead of Cyber AdversariesMore WebinarsYou May Also LikeEditor's ChoiceVulnerabilities & Threats'CitrixBleed 2' Wreaks Havoc as Zero-Day Bug'CitrixBleed 2' Wreaks Havoc as Zero-Day BugbyJai Vijayan, Contributing WriterNov 12, 20255 Min ReadKeep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.SubscribeWebinarsIdentity Security in the Agentic AI EraTues, Dec 9, 2025 at 1pm ESTHow AI & Autonomous Patching Eliminate Exposure RisksOn-DemandSecuring the Hybrid Workforce: Challenges and SolutionsTues, Nov 4, 2025 at 1pm ESTCybersecurity Outlook 2026Virtual Event | December 3rd, 2025 | 11:00am - 5:20pm ET | Doors Open at 10:30am ETThreat Hunting Tools & Techniques for Staying Ahead of Cyber AdversariesTuesday, Oct 21, 2025 at 1pm ESTMore WebinarsWhite PapersMissing 88% of Exploits: Rethinking KEV in the AI EraThe Straightforward Buyer's Guide to EDRThe True Cost of a Cyberattack - 2025 EditionHow to be a Better Threat HunterFrom the C-Suite to the SOC: Consolidating the Network Security SolutionsExplore More White PapersDiscover MoreBlack HatOmdiaWorking With UsAbout UsAdvertiseReprintsJoin UsNewsletter Sign-UpFollow UsCopyright © 2025 TechTarget, Inc. d/b/a Informa TechTarget. This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world’s technology buyers and sellers. All copyright resides with them. Informa PLC’s registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.’s registered office is 275 Grove St. Newton, MA 02466.Home|Cookie Policy|Privacy|Terms of Use

The potential for tampering with critical railway braking systems represents a significant and alarming vulnerability. As detailed by Nate Nelson, researchers demonstrated the feasibility of manipulating signals used by systems like Anuncio de Señales y Frenado Automático (ASFA) – a system dating back to the 1960s – utilizing readily available components and minimal technical expertise. The core finding is that, due to the age and analog nature of these systems, they are inherently insecure and susceptible to manipulation. The researchers, operating out of TechFrontiers, successfully replicated the inductive signaling process, enabling them to effectively halt or influence the operation of a moving train using a simple, makeshift device.

The vulnerability extends beyond ASFA. The research highlights the broader risk associated with legacy railway systems that rely on balises for signal transmission. These systems, including European Rail Traffic Management System (ERTMS)/European Train Control System (ETCS), while more sophisticated, still share the same underlying vulnerability: their reliance on analog signals prone to interference or manipulation. The expanded functionality of ETCS, including the transmission of data about track conditions, only exacerbates the risk, introducing new attack vectors such as digital jamming and relay attacks.

The cost and complexity of upgrading these systems represent a significant political and logistical barrier. As Garcia highlights, the investment required to modernize railway signaling is substantial, and the decision to undertake such changes is often influenced by political considerations. This creates a situation where critical infrastructure remains exposed to potentially catastrophic risks.

The research underscores the need for a renewed focus on railway security. While ETCS offers improved features, its underlying vulnerabilities necessitate robust security measures. Furthermore, the reliance on legacy systems, like ASFA, presents a continuous threat, particularly in regions with outdated infrastructure. Moving forward, the findings emphasize the urgent need to prioritize security upgrades across all railway signaling systems, acknowledging the inherent risks associated with aging technology and the potential for exploitation.