
Researchers Expose Critical Vulnerabilities in European Railway Signaling Systems
Researchers Gabriela Garcia and David Melendez presented a two-year investigation into vulnerabilities in railway signaling systems, focusing on legacy and modern European rail infrastructure. They demonstrated how the Spanish ASFA system—a 1960s-era inductive coupling technology using passive balises (beacons) to transmit speed, stop, and warning signals—can be spoofed by replicating its 50–100 kHz frequency bands, particularly the 90–95 kHz 'red light' emergency stop signal. Using publicly available documentation, they built a functional balise from cardboard, copper wire, and a NanoVNA (Vector Network Analyzer) to prove the system’s susceptibility to electromagnetic resonance manipulation. The investigation expanded to the European Rail Traffic Management System (ERTMS), which employs digitally encoded balises transmitting plaintext data at 27.095 MHz (telepowering) and 4.2 MHz (FSK-modulated uplink), with no authentication or handshake due to high-speed train constraints. Researchers used a ham radio, custom magnetic antennas, and an SDR (Software-Defined Radio) with upconversion to intercept and replicate ERTMS balise signals, highlighting the lack of encryption and reliance on transparency policies for security. Key findings emphasized that both legacy and modern systems share fundamental flaws, including public frequency tables, unencrypted transmissions, and the absence of tamper-proofing mechanisms. The work was previously presented at DEF CON and underscored the risks of over-reliance on outdated or overly transparent infrastructure standards.