Source: www.securityweek.com – Author: Eduard Kovacs
The US cybersecurity agency CISA has disclosed a vulnerability that can be exploited to manipulate or tamper with a train’s brakes.
CISA last week published an advisory describing CVE-2025-1727, an issue affecting the remote linking protocol used by systems known as End-of-Train and Head-of-Train.
An End-of-Train (EoT) device, also known as a Flashing Rear End Device (FRED), is placed at the end of a train and is designed to transmit data to a device in the locomotive named the Head-of-Train (HoT). The system, introduced to replace the caboose, is used to obtain status data from the end of the train (particularly useful for long freight trains), but it can also receive commands to apply the brakes at the rear of the train.
The problem, according to CISA’s advisory, is that the protocol remotely linking the EoT and HoT over radio signals is not secure (it uses neither authentication nor encryption), enabling an attacker to use specially crafted packets transmitted with a software-defined radio to send commands to the EoT device.
“Successful exploitation of this vulnerability could allow an attacker to send their own brake control commands to the end-of-train device, causing a sudden stoppage of the train which may lead to a disruption of operations, or induce brake failure,” CISA said.
The agency has credited researchers Neil Smith and Eric Reuter for finding the vulnerability. Smith shared additional details and context for CVE-2025-1727 on Friday in a post on X.
Smith said he discovered the issue in 2012 during a time when he was doing industrial control system (ICS) security research with ICS-CERT, a predecessor of CISA. The researcher and ICS-CERT attempted over the next several years to work with the Association of American Railroads (AAR) to get the vulnerability fixed, but they failed to reach a consensus.
Smith said the AAR had wanted the impact of the vulnerability to be proven in the real world rather than only in lab environments, which was difficult to do due to the potential consequences.
“You could remotely take control over a train’s brake controller from a very long distance away, using hardware that costs sub $500. You could induce brake failure leading to derailments or you could shut down the entire national railway system,” Smith said, adding that the vulnerable devices are also present on passenger trains.
The disagreement between the researcher and AAR culminated in 2016, when the Boston Review published an article based on Smith’s findings, accusing the rail industry of risking safety over profits. A few days later, the AAR disputed Smith’s claims, saying the article was based on inaccuracies and mischaracterizations.
Eric Reuter, the second researcher credited by CISA for finding the vulnerability, discovered the issue in 2018 and disclosed technical details at the DEF CON conference. Again, no action was taken by the AAR, according to Smith.
In addition, Smith said he recently learned that the same weakness was actually first discovered and reported to the AAR 20 years ago, in 2005.
The researcher said the advisory published by CISA last week is the result of him resubmitting his findings in 2024. The agency allegedly reached out to impacted vendors and the AAR and the issue was again downplayed, but the AAR ultimately announced that it would be taking action.
CISA’s advisory, which notes that there is no evidence of exploitation in the wild, points out that the standards committee in charge of the protocol is aware of the vulnerability and looking for mitigations, while the AAR is “pursuing new equipment and protocols which should replace traditional End-of-Train and Head-of-Train devices”.
A recent press release reveals that roughly 25,000 HoT and 45,000 EoT devices will need to be upgraded, with the process expected to begin in 2026.
The cybersecurity industry has long warned about trains being vulnerable to hacker attacks, and the threat is not just theoretical: both direct and indirect cyberattacks have caused disruptions to railway systems in recent years.
In a 2023 incident, 20 trains were disrupted in Poland as a result of a hack involving broadcasting radio commands that instructed trains to stop. That attack relied on a simple hack leveraging the fact that control signals could be transmitted to trains over a known, unencrypted radio frequency.
SecurityWeek has reached out to the AAR for comment and will update this article if the organization responds.
Related: Police Are Probing a Cyberattack on Wi-Fi Networks at UK Train Stations
Original Post URL: https://www.securityweek.com/train-hack-gets-proper-attention-after-20-years-researcher/
Category & Tags: ICS/OT, OT, railway, research, train