Vulnerability that Stops a Running Train ◆ Cervello
Cervello shares some perspective on Neil Smith’s EoT/HoT vuln. These folks have been deep into railway security for a long time.
This week, a vulnerability more than a decade in the making — discovered by Neil Smith and Eric Reuter, and formally disclosed by Cybersecurity & Infrastructure Security Agency (CISA) — has finally been made public, affecting virtually every train in the U.S. and Canada that uses the industry-standard End-of-Train / Head-of-Train (EoT/HoT) wireless braking system.
Neil must have been under a lot of pressure not to release all these years. CISA’s role as a government authority that stands behind the researcher is huge. Imagine how different this would have been perceived had he announced a critical unpatched ICS vuln over xitter without CISA’s support. There’s still some chutzpah left in CISA, it seems.
There’s no patch. This isn’t a software bug — it’s a flaw baked into the protocol’s DNA. The long-term fix is a full migration to a secure replacement, likely based on IEEE 802.16t, a modern wireless protocol with built-in authentication. The current industry plan targets 2027, but anyone familiar with critical infrastructure knows: it’ll take longer in practice.
Fix by protocol upgrade means ever-dangling unpatched systems.
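To make the "flaw baked into the protocol" point concrete, here is an added toy example (mine, not Cervello's code, and not the real EoT/HoT or IEEE 802.16t frame format, neither of which the post describes). It models a brake command frame as a unit id, a sequence counter and a command byte, and contrasts a receiver that accepts any well-formed frame with one that requires a keyed HMAC and a fresh counter. All field layouts, the key and the command values are constructed for the demo.

```python
import hmac
import hashlib
import struct

# Hypothetical frame: unit id (4 bytes), sequence counter (4 bytes), command (1 byte).
FRAME_FMT = ">IIB"
FRAME_LEN = struct.calcsize(FRAME_FMT)   # 9
TAG_LEN = 16                              # truncated HMAC-SHA256 tag

CMD_STATUS = 0x00
CMD_EMERGENCY_BRAKE = 0x01               # constructed command code, not the real one


def encode_unauthenticated(unit_id: int, seq: int, cmd: int) -> bytes:
    """Legacy-style frame: nothing proves who sent it."""
    return struct.pack(FRAME_FMT, unit_id, seq, cmd)


def encode_authenticated(key: bytes, unit_id: int, seq: int, cmd: int) -> bytes:
    """Hardened frame: same body plus a keyed tag over the body."""
    body = struct.pack(FRAME_FMT, unit_id, seq, cmd)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class LegacyReceiver:
    """Accepts any syntactically valid frame addressed to this unit."""

    def __init__(self, unit_id: int):
        self.unit_id = unit_id

    def accept(self, frame: bytes) -> bool:
        if len(frame) != FRAME_LEN:
            return False
        unit_id, _seq, _cmd = struct.unpack(FRAME_FMT, frame)
        return unit_id == self.unit_id


class AuthenticatedReceiver:
    """Accepts only frames with a valid tag and a strictly increasing counter."""

    def __init__(self, unit_id: int, key: bytes):
        self.unit_id = unit_id
        self.key = key
        self.last_seq = -1

    def accept(self, frame: bytes) -> bool:
        if len(frame) != FRAME_LEN + TAG_LEN:
            return False
        body, tag = frame[:FRAME_LEN], frame[FRAME_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison: reject anything not produced with the shared key.
        if not hmac.compare_digest(tag, expected):
            return False
        unit_id, seq, _cmd = struct.unpack(FRAME_FMT, body)
        if unit_id != self.unit_id:
            return False
        if seq <= self.last_seq:          # replayed or stale frame
            return False
        self.last_seq = seq
        return True


def demo() -> dict:
    """Run the two receivers against genuine, replayed, forged and tampered frames."""
    key = b"constructed-demo-key-not-a-real-secret"
    legacy = LegacyReceiver(unit_id=42)
    hardened = AuthenticatedReceiver(unit_id=42, key=key)
    results = {}

    # Legacy: a frame that merely names the unit is accepted, whoever built it.
    results["legacy_accepts_unverified"] = legacy.accept(
        encode_unauthenticated(42, 1, CMD_EMERGENCY_BRAKE))

    # Hardened: genuine frame accepted once, the identical frame rejected on replay.
    genuine = encode_authenticated(key, 42, 1, CMD_EMERGENCY_BRAKE)
    results["hardened_accepts_genuine"] = hardened.accept(genuine)
    results["hardened_rejects_replay"] = hardened.accept(genuine)

    # Hardened: frame built with the wrong key fails the tag check.
    forged = encode_authenticated(b"wrong-key", 42, 2, CMD_EMERGENCY_BRAKE)
    results["hardened_rejects_forged"] = hardened.accept(forged)

    # Hardened: a genuine status frame whose command byte was altered in transit.
    tampered = bytearray(encode_authenticated(key, 42, 3, CMD_STATUS))
    tampered[FRAME_LEN - 1] = CMD_EMERGENCY_BRAKE
    results["hardened_rejects_tampered"] = hardened.accept(bytes(tampered))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the contrast is the one Cervello makes: the legacy receiver has no check it could tighten, so there is nothing to patch; the fix is a frame format that carries an authenticator, which is a protocol change, not a software update.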
In August 2023, Poland was hit by a coordinated radio-based attack in which saboteurs used basic transmitters to send emergency-stop signals over an unauthenticated rail frequency. Over twenty trains were disrupted, including freight and passenger traffic. No malware. No intrusion. Just an insecure protocol and an open airwave. (BBC)
This BBC article has very little info. Is it for the same reason that it took 12 years to get this vuln published?