Trains in the U.S. Are Exposed to Remote Hacking

Vulnerabilities in US Railway System Allow Remote Hacking of Train Brakes

Long-standing security flaws in the US railway system make it possible for hackers to remotely activate train brakes, according to cybersecurity researchers and officials.

Critical weaknesses have existed in the railway system for over a decade, raising serious concerns about the safety of the infrastructure. The issue was first identified in 2012 by independent researcher Neil Smith, who revealed that hackers could remotely lock train brakes by exploiting a vulnerability in the “End-of-Train and Head-of-Train Remote Linking Protocol” (EOT/HOT).

Implemented in the 1980s under a congressional directive, the EOT/HOT system allows communication between the front and back of a train using the train’s frequency. It was designed to enhance safety, sending telemetry data from the back to the front, with the front relaying basic commands back. Unfortunately, the radio links utilized in this system are based on common frequency shift keying modems, which can easily be targeted.

According to Smith, hackers equipped with the right tools can manipulate train brakes from a distance. “A low-power device like the Flipper Zero can operate within hundreds of feet. With an airplane broadcasting several watts from 30,000 feet, you can reach about 150 miles,” he explained.

Chris Butera, executive assistant director of cybersecurity at the US Cybersecurity and Infrastructure Security Agency (CISA), mentioned that stakeholders in the railway sector have been aware of these vulnerabilities for over a decade. He noted, though, that exploiting them requires extensive knowledge of the railroad system, deep protocol understanding, and physical access to specialized gear, which limits the risk of widespread hacking.

However, the railway industry has been slow to respond to these vulnerabilities. When Smith alerted the Association of American Railroads (AAR) to the issue in 2012, he was met with skepticism and resistance. The AAR would not recognize the vulnerabilities as genuine unless they were shown in real-world scenarios, yet it also barred the testing that could have demonstrated their existence.

While reluctant to tackle the problem, CISA is collaborating with industry partners to devise strategies for mitigation. Addressing these vulnerabilities will require changes to the standard extension protocol—a process that can take years to finalize.

Smith criticized the AAR’s response, stating, “The American railroad industry handles cybersecurity issues like the insurance industry: with delays, denials, and standard mantras.”
