Critical Security Flaw Allows Hackers to Remotely Trigger Train Brakes
Vulnerability in U.S. Train Systems
Many trains in the U.S. are vulnerable to a hack that can remotely lock a train’s brakes, as reported by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The vulnerability, which can be exploited over radio frequencies, has been known for over a decade: independent researcher Neil Smith first identified the issue back in 2012.
“All of the knowledge to generate the exploit already exists on the internet. AI could even build it for you,” Smith stated in an interview with 404 Media. The physical aspect of the hack means that exploitation cannot occur from another country; the attacker needs to be within a certain distance to successfully communicate with the train.
Image courtesy of Cody Otto on Unsplash.
Exploitation Potential with Inexpensive Equipment
A critical flaw has been identified in the End-of-Train (EoT) and Head-of-Train (HoT) systems. It allows an attacker using a $500 radio setup to potentially trigger emergency braking, and it has finally gained proper attention. The vulnerability, tracked as CVE-2025-1727, involves a weak authentication process in the radio-based communication between EoT and HoT systems.
An EoT device, also known as a Flashing Rear End Device (FRED), is a wireless system attached to the last car of a freight train. These systems, which lack encryption and proper authentication, could be exploited by attackers sending crafted radio packets via software-defined radios to issue unauthorized brake commands.
“Successful exploitation of this vulnerability could allow an attacker to send their own brake control commands to the end-of-train device, causing a sudden stoppage of the train which may lead to a disruption of operations, or induce brake failure,” according to the CISA advisory.
History of the Vulnerability
The vulnerability was first reported to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in 2012. Smith explained that in the 1980s, the caboose was replaced by the EoT device, which wirelessly communicates telemetry and can receive brake commands. The protocol used is outdated and relies on a simple BCH checksum, with no real security measures in place.
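The distinction the article draws, a checksum that detects transmission errors versus authentication that proves who sent a message, is easy to show in code. The following is an added illustration written for this page, not code from the article, from CISA, or from any EoT/HoT vendor: the record layout is constructed, and CRC-32 stands in for the protocol's BCH code, because the point (an unkeyed check value can be recomputed by any party, while a keyed MAC requires the shared secret) does not depend on which error-detecting code is used. The `device_id`, `seq`, `key` and payload values are all made up.

```python
"""Added illustration: why an error-detecting checksum is not an authenticator.

Not code from the article or from any rail vendor. The record format is
constructed and CRC-32 stands in for the protocol's BCH checksum.
"""
import hashlib
import hmac
import struct
import zlib

TAG_LEN = 16  # truncated HMAC-SHA256 tag length, bytes


def encode_record(device_id: int, seq: int, payload: bytes) -> bytes:
    """Constructed toy telemetry record: 16-bit id, 16-bit sequence, payload."""
    return struct.pack(">HH", device_id, seq) + payload


def with_checksum(record: bytes) -> bytes:
    """Append an unkeyed CRC-32 (stand-in for the protocol's BCH code)."""
    return record + struct.pack(">I", zlib.crc32(record))


def verify_checksum(frame: bytes) -> bool:
    """Receiver that only checks the error-detecting code."""
    body, tag = frame[:-4], frame[-4:]
    return struct.pack(">I", zlib.crc32(body)) == tag


def with_mac(record: bytes, key: bytes) -> bytes:
    """Append a keyed MAC computed under a secret shared by both ends."""
    return record + hmac.new(key, record, hashlib.sha256).digest()[:TAG_LEN]


def verify_mac(frame: bytes, key: bytes) -> bool:
    """Receiver that requires a valid MAC; constant-time tag comparison."""
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Compare both receivers on a frame from the legitimate sender and on a
    frame from a party that knows the format but holds no key."""
    key = b"constructed-shared-secret"  # constructed for the example
    legit = encode_record(0x1234, 7, b"STATUS:OK")

    # A party without the key can still produce a frame that passes the
    # checksum check, because the check value is computed from the message alone.
    unkeyed = encode_record(0x1234, 8, b"STATUS:OK")

    # The same party cannot produce a valid MAC; here it just pads with zeros.
    unkeyed_mac_frame = unkeyed + b"\x00" * TAG_LEN

    # A legitimate MAC frame with one payload byte altered in transit.
    mac_frame = with_mac(legit, key)
    tampered = bytearray(mac_frame)
    tampered[4] ^= 0x01

    return {
        "checksum_accepts_legit": verify_checksum(with_checksum(legit)),
        "checksum_accepts_unkeyed": verify_checksum(with_checksum(unkeyed)),
        "mac_accepts_legit": verify_mac(mac_frame, key),
        "mac_accepts_unkeyed": verify_mac(unkeyed_mac_frame, key),
        "mac_accepts_tampered": verify_mac(bytes(tampered), key),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The checksum-only receiver accepts both frames because the check value protects against noise, not against a sender; the MAC receiver accepts only the frame produced under the shared key and rejects both the unkeyed frame and the tampered one. Any replacement protocol also needs replay protection (the sequence number above is not checked) and a key-management story, which is why the fix is a protocol change rather than a patch.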
"Turns out you can just hack any train in the USA and take control over the brakes. This is CVE-2025-1727 and it took me 12 years to get this published," Smith commented on X (formerly Twitter).
Current Response and Future Actions
CISA has warned that successful exploitation could allow attackers to take control of train brakes, which raises significant safety concerns. The vulnerability affects major manufacturers, including Hitachi Rail STS USA, Wabtec, and Siemens. Although no active exploitation has been reported, the potential for catastrophic consequences remains.
The Association of American Railroads (AAR) has announced plans to replace the vulnerable protocol with IEEE 802.16t by 2027. However, the slow pace of action and the estimated cost of $7-10 billion to remediate the issue raise questions about industry accountability.
CISA’s advisory emphasizes that affected systems should be isolated from internet access and secured behind firewalls. The urgency for remedial action is clear, given that an attacker could cause significant disruptions with relatively inexpensive technology.
Recommendations for Mitigation
Experts suggest that while the AAR aims to replace the old protocols, the process will be lengthy. The lack of immediate mitigations poses a risk to both freight and passenger rail services across the U.S.
Rail operators must prioritize addressing this vulnerability to protect public safety. As the industry works towards implementing new systems, ongoing monitoring and proactive cybersecurity measures are essential.
Explore our services or contact us at Gopher Security for more information on securing your systems against vulnerabilities like these.