Vulnerability in Railway Protocol Allows Train to Be Stopped Using SDR

Date: 18/07/2025

Back in 2012, independent cybersecurity researcher Neil Smith reported to the U.S. government about a vulnerability in a communication standard used in trains. However, the issue has not yet been resolved, and the researcher’s concerns were dismissed for many years.

Last week, the United States Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory for the vulnerability CVE-2025-1727 (scored 8.1 on the CVSS scale). The issue is weak authentication in the communication protocol between the train’s head and tail: an attacker can transmit their own commands and even trigger an emergency stop of the train.

The vulnerable system is known as the End-of-Train device or FRED (Flashing Rear-End Device). It is installed on the last car of freight trains. FRED collects telemetry and transmits it to a device at the front of the train over a dedicated radio protocol that relies on an outdated BCH checksum for integrity. With the advent of SDR (software-defined radio), it has become apparent that such packets can be easily spoofed.
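The core of the weakness above is that an error-detecting code such as a BCH checksum protects against channel noise, not against a sender who simply computes the same code. The following Python contrasts a receiver that checks only an unkeyed code with one that checks a keyed MAC and a monotonic counter. It is an added illustration, not code from the article or from any railway vendor; the frame layout, field values and the use of CRC-32 as a stand-in for BCH are constructed assumptions and do not represent the real EOT protocol.

```python
"""Checksum vs. keyed MAC: why an error-detecting code does not authenticate.

Constructed example. CRC-32 stands in for any unkeyed code (BCH included):
the security property is identical, since anyone who knows the algorithm
can produce a valid check value for any message.
"""
import hashlib
import hmac
import zlib

# Constructed frame layout (not the real EOT format):
# 4-byte device id, 1-byte command, 2-byte payload.
def frame_body(device_id: int, command: int, payload: int) -> bytes:
    return device_id.to_bytes(4, "big") + bytes([command]) + payload.to_bytes(2, "big")

def checksum_frame(body: bytes) -> bytes:
    """Unkeyed: detects transmission errors only."""
    return body + zlib.crc32(body).to_bytes(4, "big")

def checksum_verify(frame: bytes) -> bool:
    """Accepts every well-formed frame regardless of who produced it."""
    body, tag = frame[:-4], frame[-4:]
    return zlib.crc32(body).to_bytes(4, "big") == tag

def mac_frame(body: bytes, key: bytes, counter: int) -> bytes:
    """Keyed: only a key holder can produce a valid tag; counter blocks replay."""
    msg = counter.to_bytes(4, "big") + body
    tag = hmac.new(key, msg, hashlib.sha256).digest()[:8]
    return msg + tag

def mac_verify(frame: bytes, key: bytes, last_counter: int) -> bool:
    """Rejects frames from non-key-holders, tampered frames, and replays."""
    msg, tag = frame[:-8], frame[-8:]
    counter = int.from_bytes(msg[:4], "big")
    if counter <= last_counter:
        return False  # replayed or stale frame
    expected = hmac.new(key, msg, hashlib.sha256).digest()[:8]
    return hmac.compare_digest(expected, tag)

if __name__ == "__main__":
    body = frame_body(0x00001234, 0x01, 0)
    key = b"\x00" * 16  # constructed shared key for the demonstration
    # Any party can make a checksum-only receiver accept a frame it built.
    print("checksum receiver accepts:", checksum_verify(checksum_frame(body)))
    # A MAC receiver rejects a frame produced with the wrong key.
    print("mac receiver rejects wrong key:",
          mac_verify(mac_frame(body, b"not-the-key", 1), key, 0))
```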

The operation of FRED is particularly useful for long freight trains, which can be over a kilometer in length. In addition to collecting telemetry, the devices can receive commands, and one of the most important commands is the ability to brake the train.

As discovered by Smith back in 2012, if you intercept the traffic using SDR, you can spoof the packets and command FRED to activate the brakes in an emergency. This can lead to an accident or even cause the train to derail.

However, there is simply no fix available for this vulnerability. The Association of American Railroads (AAR), which represents freight carriers, informed CISA that they are currently only considering the implementation of a new, more secure technology for freight trains. As noted by Smith on social network X, the replacement of FRED and the old protocol with a newer one (802.16t) will not occur before 2027. At best.

According to CISA, operators are currently forced to continue using the vulnerable protocol, which, according to Smith, can be hacked using equipment costing less than USD 500.

The only protective measures available are network segmentation, isolation of critical components, and other basic cybersecurity practices. Unfortunately, none of this is likely to help much: if someone with an SDR is seriously determined to derail a train, little will stop them.

“How bad is it? You can remotely take control of a train’s brakes from a great distance. You could trigger a brake failure and cause a train to derail. Alternatively, you could simply stop the entire railway network of a country,” explains Smith in a lengthy thread on X.

A vulnerability that came to light back in 2012 could have been discovered not only by Smith but also by other individuals. However, as an article in the Boston Review from 2016 indicates, it’s not all that surprising that the issue remains unresolved to this day.

This article discusses how, back in 2012, Smith intercepted telemetry from a passing train using SDR and spent four years trying to draw attention to the issue. Eventually, he notified the ICS-CERT team, which is responsible for emergency response to incidents in industrial systems. ICS-CERT specialists passed this information to the AAR, hoping they would agree to additional checks and testing. However, AAR deemed the threat “theoretical,” and that was the end of it, with no further developments occurring.

Smith mentions that after publishing this article, he experienced burnout and temporarily stepped away from the topic. Meanwhile, in 2018, cybersecurity researcher Eric Reuter presented a talk at DEF CON that independently confirmed the existence of the vulnerability.

Although by 2024 ICS-CERT had undergone several reorganizations, Smith reached out to its specialists once again to attempt to revive the discussion (especially since Reuter had independently confirmed the issue). However, according to him, the AAR’s chief information security officer considered the problem insignificant, stating that FRED is regarded as outdated and due for replacement anyway, even though the protocol is still in use.

“In the end, CISA agreed with me that the only way to move the situation forward and compel AAR to address the issue is to disclose the information,” says Smith.

The publication of the CVE identifier and information about the vulnerability has partially worked: AAR promised to switch to 802.16t. However, it will not happen for at least a couple of years.

Until then, as Smith points out, the entire US railway network remains vulnerable. The issue is that transitioning to a new protocol will require the physical replacement of more than 75,000 devices.

“It all comes down to the speed of replacing these 75,000 devices. They plan to start in 2026, but complete replacement will take 5-7 years,” says Smith. “By my calculations, this will require 7-10 billion dollars.”
