Facepalm: Despite increasing efforts to protect critical infrastructure, much of the US rail industry continues to rely on technology vulnerable to remote hacking, security researchers and federal officials say. The flaw, which could allow an attacker to lock a train’s brakes from afar, was first flagged more than a decade ago and only recently has the industry taken serious steps to address it.

The vulnerability was discovered in 2012 by independent researcher Neil Smith, who found that the communication protocol linking the front and rear of freight trains – technically known as the End-of-Train and Head-of-Train Remote Linking Protocol – can be compromised by intercepting unencrypted radio signals.

The system, designed to relay operational data and safety commands, dates back to a Congress-mandated upgrade in the 1980s to prevent deadly accidents caused by poor communication.

“All of the knowledge to generate the exploit already exists on the internet. AI could even build it for you,” Smith told 404 Media. “The physical aspect really only means that you could not exploit this over the internet from another country, you would need to be some physical distance from the train [so] that your signal is still received.” He explained that even a small consumer device could launch such an attack within a few hundred feet, adding, “if you had a plane with several watts of power at 30,000 feet, then you could get about 150 miles of range.”

Smith’s investigation involved decoding the radio protocol, using a frequency shift keying modem. “The radio link is a commonly found frequency shift keying data modem that was easy to identify,” he said. “The real challenge was reverse engineering what the various bits in the packet actually meant.”

When Smith alerted the Association of American Railroads (AAR), which manages the protocol for North America, he received little engagement. “The Association of American Railroads, which is the maintainer of the protocol used across North America for EOT/HOT radio links, would not acknowledge the vulnerability as real unless someone could demonstrate it to them in real life,” Smith recalled. “They also would not authorize the testing to be done to prove it was a real issue.”

Public attention around the flaw spiked in 2016, when a Boston Review article outlined the risks and included Smith’s findings. Days later, AAR’s then-VP for security, Tom Farmer, played down concerns, calling the reporting “based on a lot of inaccuracies and mischaracterizations.”

Federal officials, meanwhile, acknowledge the challenge. Chris Butera, CISA’s Acting Executive Assistant Director of Cybersecurity, noted that the exploit has been “understood and monitored by rail sector stakeholders for over a decade.” He said, though, that it is not easily exploited: Exploiting the vulnerability would require someone with physical access to railroad tracks, a strong understanding of the protocol, and specific technical gear – making large-scale attacks unlikely without a broad on-the-ground presence in the US, he said. He added that CISA has been collaborating with industry partners to address the issue, which involves updating a standardized protocol that’s already in the process of being revised.

Smith, however, disputes how difficult an attack would be and says CISA’s own assessment refers to the exploit as “low attack complexity.” He is also skeptical about the pace of industry reform, saying upgrades may take years and accusing railroad leaders of following the insurance industry’s “delay, deny, defend” approach to security problems.

“In my personal opinion, the American railway industry treats cybersecurity issues with the same playbook as the insurance industry’s ‘delay, deny, defend’ mantra,” he said.

So far, the AAR has not provided a timeline for rolling out a fix and did not respond to requests for comment.