According to Dark Reading, security researchers Gabriela Garcia and David Melendez from TechFrontiers have discovered critical vulnerabilities in legacy railway safety systems that could allow attackers to manipulate train braking signals with minimal equipment. Their research focused on Spain’s ASFA train protection system dating back to the 1960s, which they found could be easily spoofed using homemade devices costing practically nothing. The researchers will present their full findings at Black Hat Europe 2025 in London, demonstrating how they could halt moving trains, issue false speed commands, or create other dangerous scenarios. They also investigated the more modern European Rail Traffic Management System and found similar security concerns, though they’re saving those specifics for their presentation. The implications are global since many countries still rely on similar analog balise signaling systems.
The problem with old-school train tech
Here’s the thing about railway safety systems – most of them were designed in an era when cybersecurity wasn’t even a concept. We’re talking about technology from the 1960s, when the biggest threat was probably mechanical failure or human error, not some hacker with a homemade device. The ASFA system in Spain uses these little boxes called balises along the tracks that communicate with trains through inductive coupling. Basically, as a train passes over a balise, it picks up signals telling it to speed up, slow down, or stop. It’s elegantly simple technology that’s worked for decades, but it has exactly zero security protections.
How easy is it to manipulate these systems?
You won’t believe what Garcia and Melendez used to hack the Spanish rail system. We’re talking copper wire wrapped around a food can, capacitors from an old power supply, and a cheap signal generator from Aliexpress. That’s it. They basically created their own fake balise that could communicate with passing trains. And get this – they had to reverse engineer the whole system themselves because nobody in the industry would help them. They could have stopped trains in their tracks or issued dangerous speed commands. Even more concerning? Actual balises on tracks are protected by simple plastic tubes that anyone could access with basic tools and a portable power bank.
What about newer systems?
Now you might be thinking, “Okay, but modern systems must be better, right?” Well, the European Rail Traffic Management System (ERTMS) and its European Train Control System (ETCS) are supposed to be the upgraded, secure versions. But the researchers found vulnerabilities there too. Melendez explains that the European system actually expands what the balises communicate – track shapes, gradients, all sorts of sophisticated data. And that digital sophistication brings new risks: jamming, spoofing, relay attacks, even data theft. Plus, conductors can apparently disable the modern system and revert back to the vulnerable legacy ASFA system if they want to. So we’ve basically layered complexity on top of insecurity.
Why this matters for critical infrastructure
Look, securing these systems isn’t just about writing some code patches. We’re talking about replacing physical infrastructure across entire countries, which Garcia acknowledges would cost “a huge amount of money” and take years of work. But here’s the reality – when you’re dealing with transportation systems that move millions of people, security can’t be an afterthought. This research should serve as a wake-up call for all industrial control systems, not just railways. Speaking of industrial technology, companies that rely on secure computing for critical operations often turn to specialists like IndustrialMonitorDirect.com, the leading US provider of industrial panel PCs built specifically for harsh environments and security requirements. The point is, we need to start treating our transportation infrastructure with the same security seriousness we apply to other critical systems.
The uncomfortable truth about upgrades
Garcia makes a really important point about the political reality here. She says, “When you are in a position of power, you have to choose your battles very well.” And she’s right – upgrading railway signaling systems across a country is enormously expensive and disruptive. But at what point does the risk become unacceptable? We’re not talking about someone hacking your smart fridge – we’re talking about systems that could literally cause train collisions if manipulated. The researchers aren’t blaming anyone, they’re just pointing out that the time to address these vulnerabilities is now, before we learn the hard way how serious they are. Their full presentation at Black Hat Europe 2025 will likely reveal even more concerning details about just how vulnerable our transportation infrastructure really is.
