Vulnerability in Railway Protocol Allows Train to Be Stopped Using SDR

Back in 2012, independent cybersecurity researcher Neil Smith reported to the U.S. government about a vulnerability in a communication standard used in trains. However, the issue has not yet been resolved, and the researcher’s concerns were dismissed for many years.

Last week, the United States Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about a vulnerability CVE-2025-1727 (scored 8.1 on the CVSS scale). The issue involves weak authentication in the communication protocol between the train’s head and tail, allowing an attacker to transmit their own commands and even perform an emergency stop of the train.

The vulnerable system is known as the End-of-Train device or FRED (Flashing Rear-End Device). This device is installed on the last car of freight trains. FRED collects telemetry and transmits data to a device at the front of the train using a special protocol whose packets are protected only by an outdated BCH checksum, an error-detecting code that does not authenticate the sender. With the advent of SDR (Software-defined radio), it has become apparent that such packets can be easily spoofed.
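To make the "checksum is not authentication" point concrete, here is an added illustration that is not from the article and does not use the real EoT/HoT frame format: a constructed toy frame with a CRC-16 (standing in for the protocol's BCH code) beside the same frame protected by an HMAC tag and a monotonic counter. The frame layout, the command values, the shared key and the 8-byte truncated tag are all assumptions made for the demo.

```python
import hmac
import hashlib
import struct

# Constructed toy frame layout (NOT the real End-of-Train frame format):
#   unit_id (uint16) | command (uint8) | [counter (uint32)] | checksum or tag
# A BCH code, like a CRC, carries no secret: anyone who knows the algorithm
# can compute a valid checksum for any payload, so it only detects noise,
# never a deliberately altered or replayed packet.

CMD_STATUS = 0x01   # hypothetical command values, not from the article
CMD_BRAKE = 0x02

def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF); stands in for BCH."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ 0x1021) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc

def frame_checksum_only(unit_id: int, command: int) -> bytes:
    """Legacy-style frame: payload followed by an unkeyed checksum."""
    payload = struct.pack(">HB", unit_id, command)
    return payload + struct.pack(">H", crc16_ccitt(payload))

def verify_checksum_only(frame: bytes) -> bool:
    payload, chk = frame[:-2], struct.unpack(">H", frame[-2:])[0]
    return crc16_ccitt(payload) == chk

def frame_with_mac(unit_id: int, command: int, counter: int, key: bytes) -> bytes:
    """Hardened frame: payload plus a keyed HMAC-SHA256 tag (truncated to 8 bytes)."""
    payload = struct.pack(">HBI", unit_id, command, counter)
    tag = hmac.new(key, payload, hashlib.sha256).digest()[:8]
    return payload + tag

def verify_with_mac(frame: bytes, key: bytes, last_counter: int) -> bool:
    """Accept only frames with a valid tag AND a counter newer than the last seen."""
    payload, tag = frame[:-8], frame[-8:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        return False
    counter = struct.unpack(">I", payload[3:7])[0]
    return counter > last_counter   # reject replays of an older genuine frame

def demo() -> dict:
    key = b"constructed-shared-key-for-demo"   # assumed, provisioned out of band

    genuine = frame_checksum_only(0x1234, CMD_STATUS)
    # A sender with no secret can still produce a frame that passes the checksum:
    unkeyed_payload = struct.pack(">HB", 0x1234, CMD_BRAKE)
    unkeyed = unkeyed_payload + struct.pack(">H", crc16_ccitt(unkeyed_payload))

    genuine_mac = frame_with_mac(0x1234, CMD_STATUS, 10, key)
    # Without the key the tag cannot be computed; a zero tag is the best guess.
    unkeyed_mac = struct.pack(">HBI", 0x1234, CMD_BRAKE, 11) + b"\x00" * 8

    return {
        "checksum_accepts_genuine": verify_checksum_only(genuine),
        "checksum_accepts_unkeyed": verify_checksum_only(unkeyed),
        "mac_accepts_genuine": verify_with_mac(genuine_mac, key, last_counter=9),
        "mac_accepts_unkeyed": verify_with_mac(unkeyed_mac, key, last_counter=9),
        "mac_accepts_replay": verify_with_mac(genuine_mac, key, last_counter=10),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The checksum-only receiver accepts both frames because the checksum is a function of the payload alone; the keyed receiver rejects the unkeyed frame and the replayed one. The counter is what turns message authentication into command freshness, which matters for a brake command far more than for a telemetry report.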

The operation of FRED is particularly useful for long freight trains, which can be over a kilometer in length. In addition to collecting telemetry, the devices can receive commands, and one of the most important commands is the ability to brake the train.

As discovered by Smith back in 2012, if you intercept the traffic using SDR, you can spoof the packets and command FRED to apply the emergency brakes. This can lead to an accident or even cause the train to derail.

However, there is simply no fix available for this vulnerability. The Association of American Railroads (AAR), which represents freight carriers, informed CISA that they are currently only considering the implementation of a new, more secure technology for freight trains. As noted by Smith on social network X, the replacement of FRED and the old protocol with a newer one (802.16t) will not occur before 2027. At best.

According to CISA, operators are currently forced to continue using the vulnerable protocol, which, according to Smith, can be hacked using equipment costing less than USD 500.

The only possible protective measures are network segmentation, isolation of critical components, and other basic cybersecurity practices. Unfortunately, all of this is unlikely to help: if someone with an SDR is seriously determined to derail a train, it’s unlikely that anything will stop them.

“How bad is it? You can remotely take control of a train’s brakes from a great distance. You could trigger a brake failure and cause a train to derail. Alternatively, you could simply stop the entire railway network of a country,” explains Smith in a lengthy thread on X.

A vulnerability that came to light back in 2012 could have been discovered not only by Smith but also by other individuals. However, as an article in the Boston Review from 2016 indicates, it’s not all that surprising that the issue remains unresolved to this day.

This article discusses how, back in 2012, Smith intercepted telemetry from a passing train using SDR and spent four years trying to draw attention to the issue. Eventually, he notified the ICS-CERT team, which is responsible for emergency response to incidents in industrial systems. ICS-CERT specialists passed this information to the AAR, hoping they would agree to additional checks and testing. However, AAR deemed the threat “theoretical,” and that was the end of it, with no further developments occurring.

Smith mentions that after publishing this article, he experienced burnout and temporarily stepped away from the topic. Meanwhile, in 2018, cybersecurity researcher Eric Reuter presented a talk at DEFCON, independently confirming the existence of the vulnerability.

Although by 2024 ICS-CERT had undergone several reorganizations, Smith reached out to specialists once again to attempt to revive the discussion (especially since Reuter had independently confirmed the issue). However, according to him, the AAR’s chief information security officer considered the problem insignificant, stating that FRED is regarded as outdated and due for replacement anyway, although the protocol is still in use.

“In the end, CISA agreed with me that the only way to move the situation forward and compel AAR to address the issue is to disclose the information,” says Smith.

The publication of the CVE identifier and information about the vulnerability has partially worked: AAR promised to switch to 802.16t. However, it will not happen for at least a couple of years.

Until then, as Smith points out, the entire US railway network remains vulnerable. The issue is that transitioning to a new protocol will require the physical replacement of more than 75,000 devices.

“It all comes down to the speed of replacing these 75,000 devices. They plan to start in 2026, but complete replacement will take 5-7 years,” says Smith. “By my calculations, this will require 7-10 billion dollars.”