Sunday, 5 July 2026

Black Hat Europe 2025 | Taking Control Over Legacy And ERTMS/ETCS Railroad Signaling Systems

Railroad signaling systems have evolved from legacy trackside beacons to sophisticated digital protocols such as the European Train Control System (ETCS) under the European Rail Traffic Management System (ERTMS). Despite these advancements, security vulnerabilities remain due to the inherent trust placed in beacon-based signaling mechanisms. This talk explores how both legacy and high-speed railway signaling systems can be compromised using low-cost and even hand-crafted hardware and software-defined radio (SDR) techniques.

In legacy systems such as ASFA (Anuncio de Señales y Frenado Automático) and similar trackside beacon-based signaling architectures, we demonstrate how an attacker can deploy rogue balises using passive magnetic elements tuned to specific resonance frequencies. These fake beacons can be placed on any track segment to induce emergency braking in passing trains, leading to immediate halts and operational disruptions. We analyze the protocol weaknesses that enable these attacks and their feasibility in real-world scenarios.

For high-speed rail systems utilizing ERTMS/ETCS, we investigate vulnerabilities in the Eurobalise communication framework. By capturing and replaying legitimate balise transmissions, an attacker could inject malicious control messages, misleading onboard train control units into triggering emergency stops or causing route confusion. We discuss the technical prerequisites for constructing a replay-capable attack setup.

The presentation concludes with recommendations for mitigating these threats, including cryptographic authentication of balise messages, anomaly detection techniques, and real-time verification of beacon authenticity. As rail networks increasingly depend on digital signaling, addressing these vulnerabilities is critical to ensuring the safety and resilience of modern railway infrastructure.

By:
David Melendez | Co-Founder, TechFrontiers
Gabriela Garcia | Co-Founder, TechFrontiers
Alberto Rodriguez | RootedCON Staff, RootedCON
Jaime Esquivias | OSINT researcher expert, TechFrontiers
Joel Serna | IoT/ICS Pentest Engineer, TechFrontiers

https://ift.tt/HaytW4B

source https://www.youtube.com/watch?v=hd6221cFb3g
