[Ground-station] Documentation Friday + 219 MHz PTC and CVE-2025-1727

Michelle Thompson mountain.michelle at gmail.com
Fri Jul 25 09:26:07 PDT 2025


Greetings all!

It's Documentation Friday. Please get in touch with your project lead or
your favorite member of the board of directors and send a few sentences about your work.

There's been a lot of work completed on the Opulent Voice human-radio
interface, and work has started on the satellite segment repeater
functions. This is a conference-based system that can and will be extended
to terrestrial use. We'll be presenting the work at AMSAT-DL's space
symposium and ESA workshop, and possibly at other events later in the
autumn of 2026.

We're familiar with 219 MHz PTC train signals, as the railroad industry has
taken over the AMTS licenses originally established. How does PTC relate to
the recently disclosed security vulnerability CVE-2025-1727?

It's described here:
https://www.tomshardware.com/tech-industry/cyber-security/security-vulnerability-on-u-s-trains-that-let-anyone-activate-the-brakes-on-the-rear-car-was-known-for-13-years-operators-refused-to-fix-the-issue-until-now

The 219 MHz frequency use of PTC is not directly related to the
CVE-2025-1727 vulnerability. They are different systems at different
frequencies.

End-of-Train (EoT) Vulnerability (CVE-2025-1727) is about operation on
452.9375/457.9375 MHz frequency pairs. This is an End of Train Device
(EOTD) and examples can be found on the Signal Identification Wiki.

The vulnerability affects the communication between the locomotive
(Head-of-Train) and the rear device (End-of-Train/FRED). The root cause is
that there is an insecure protocol with only BCH checksums for packet
validation. This allows attackers to send false brake commands. In other
words, someone with an SDR could activate the brakes on the rear car. This
problem was known about (reported repeatedly) for 13 years. Train operators
refused to fix the issue until now, insisting that it was theoretical.
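As an added illustration that is not part of Michelle's post (and that uses a constructed toy packet format, not the real EoT air interface), the following Python shows why a receiver that checks only a BCH code cannot tell a legitimate brake command from one built by any other transmitter, and what a keyed message authentication code with a counter changes:

```python
# Added example for this thread, not code from the post or from any railroad
# vendor. The packet layout, the BCH(15,7) parameters and the key are all
# constructed for illustration; the real EoT air interface is not reproduced.
import hashlib
import hmac

# Generator polynomial of the binary (15,7) BCH code: x^8 + x^7 + x^6 + x^4 + 1
BCH_15_7_GEN = 0b111010001
DATA_BITS = 7          # toy command field, e.g. a brake request code
PARITY_BITS = 8        # BCH parity appended by the sender
BRAKE_CMD = 0b1010101  # constructed command value, no real meaning

def bch_parity(data: int) -> int:
    """Systematic BCH encoding: parity = (data * x^8) mod g(x) over GF(2)."""
    rem = data << PARITY_BITS
    for i in range(DATA_BITS + PARITY_BITS - 1, PARITY_BITS - 1, -1):
        if rem & (1 << i):
            rem ^= BCH_15_7_GEN << (i - PARITY_BITS)
    return rem

def encode_packet(data: int) -> int:
    """15-bit codeword: 7 data bits followed by 8 parity bits."""
    return (data << PARITY_BITS) | bch_parity(data)

def checksum_verify(packet: int) -> bool:
    """Receiver check that uses only the code. It catches noise (up to 4 flipped
    bits, since the code's minimum distance is 5), but the parity is a public
    function of the data, so passing says nothing about who sent the packet."""
    data = packet >> PARITY_BITS
    return bch_parity(data) == (packet & ((1 << PARITY_BITS) - 1))

def mac_tag(data: int, counter: int, key: bytes) -> bytes:
    """Keyed tag over the command and a monotonic counter (the counter blocks replay)."""
    msg = bytes([data]) + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()

def mac_verify(data: int, counter: int, tag: bytes, key: bytes) -> bool:
    """Receiver check that ties acceptance to possession of the shared key."""
    return hmac.compare_digest(mac_tag(data, counter, key), tag)

if __name__ == "__main__":
    pkt = encode_packet(BRAKE_CMD)
    print(checksum_verify(pkt), checksum_verify(pkt ^ 0b100))  # noise is caught
    key = b"constructed-demo-key"  # real deployments provision this per train
    print(mac_verify(BRAKE_CMD, 1, mac_tag(BRAKE_CMD, 1, key), key))
```

The checksum path accepts every well-formed codeword regardless of origin, which is the property the advisory describes; the keyed path only accepts packets from a party holding the key and the current counter.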

Positive Train Control (PTC) is at 219 MHz. This is a completely separate
train control and safety system. It is different from the EoT/HoT brake
communication system because it provides train control and collision
avoidance. It has its own security issues, but it's in a completely
different category than the vulnerability finally getting attention this
week. It's not good that something known about since 2012 was ignored by the
American Association of Railways until CISA finally published an advisory.

We advocate for regulatory renovation on 219 MHz. One of the things we have
to be aware of and sensitive about is that railroads are now using this
band for PTC. If there's a perception of insecurity, or that interference
might cause problems, then we have to be aware of those perceptions and
make all efforts to distinguish and clarify. The train brake problem is not
a PTC 219 MHz problem. It's been ignored for a long time. It took CISA
pressing the issue pretty hard to get a response. Things should improve
from here.

-Michelle Thompson