Cybersecurity Expert: American Trains Are Vulnerable to Remote Hacking
A critical security flaw in the U.S. rail system has left trains vulnerable to remote hacking for over a decade, raising concerns about the safety and security of the nation's rail infrastructure.
The vulnerability, which was first discovered by independent researcher Neil Smith in 2012, allows hackers to remotely lock a train's brakes by exploiting weaknesses in the "End-of-Train and Head-of-Train Remote Linking Protocol" (EOT/HOT). This protocol, implemented in the 1980s following a Congressional mandate, enables communication between the front and back of a train using radio frequencies.
The EOT/HOT system was designed to enhance safety by letting the back of the train send telemetry data to the front and the front send basic commands back. However, the radio link used in this system is a common frequency-shift keying data modem that can be easily identified and exploited.
According to Smith, a hacker with the right knowledge and equipment could trigger a train's brakes from a distance. "A low powered device like a FlipperZero could do it within a few hundred feet, and if you had a plane with several watts of power at 30,000 feet, then you could get about 150 miles of range," he told 404 Media.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has acknowledged the vulnerability, with Acting Executive Assistant Director of Cybersecurity Chris Butera stating that it has been "understood and monitored by rail sector stakeholders for over a decade." However, Butera also noted that exploiting the vulnerability would require "physical access to rail lines, deep protocol knowledge, and specialized equipment," which limits the feasibility of widespread exploitation.
Despite the potential severity of the vulnerability, the rail industry has been slow to address the issue. When Smith first alerted the Association of American Railroads (AAR) to the problem in 2012, he was met with skepticism and resistance. The AAR refused to acknowledge the vulnerability as real unless it could be demonstrated in real life, but it also would not authorize the testing required to prove its existence.
Smith has criticized the AAR for its handling of the situation, stating that "the American railway industry treats cybersecurity issues with the same playbook as the insurance industry's 'delay, deny, defend' mantra." The delay and lack of urgency in addressing this vulnerability have raised concerns about the safety and security of the nation's rail infrastructure.
Fixing the vulnerability requires changes to a standards-enforced protocol, a process that is currently underway but may take years to complete. CISA has been working with industry partners to develop mitigation strategies, but it remains to be seen how effective these efforts will be in addressing this critical security flaw.
The Consequences of Inaction
The consequences of inaction on this vulnerability could be severe. An attacker who remotely triggers a train's brakes could cause a catastrophic accident, with devastating effects for passengers and communities.
Furthermore, the lack of transparency and accountability from the rail industry has raised concerns about the safety and security of the nation's rail infrastructure. As one expert noted, "the American railway industry needs to take this vulnerability seriously and take action to address it immediately."
A Call to Action
The discovery of this critical security flaw in the U.S. rail system highlights the need for greater investment in cybersecurity and infrastructure resilience. The federal government, industry partners, and regulators must work together to develop effective mitigation strategies and implement them promptly.
Only by taking proactive steps can we ensure that our nation's rail infrastructure is protected from remote hacking threats and that passengers and communities are kept safe.