Back in 2012, independent cybersecurity researcher Neil Smith reported to the U.S. government about a vulnerability in a communication standard used in trains. However, the issue has not yet been resolved, and the researcher’s concerns were dismissed for many years.
Last week, the United States Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about a vulnerability CVE-2025-1727 (scored 8.1 on the CVSS scale). The issue involves weak authentication in the communication protocol between the train’s head and tail, allowing an attacker to transmit their own commands and even perform an emergency stop of the train.
The vulnerable system is known as the End-of-Train device or FRED (Flashing Rear-End Device). This device is installed on the last car of freight trains. FRED collects telemetry and transmits data to a device at the front of the train using a special protocol based on an outdated BCH checksum. With the advent of SDR (Software-defined radio), it has become apparent that such packets can be easily spoofed.
The operation of FRED is particularly useful for long freight trains, which can be over a kilometer in length. In addition to collecting telemetry, the devices can receive commands, and one of the most important commands is the ability to brake the train.
As discovered by Smith back in 2012, if you intercept the traffic using SDR, you can spoof the packets and command FRED to activate the brakes in an emergency. This can lead to an accident or even cause the train to derail.
However, there is simply no fix available for this vulnerability. The Association of American Railroads (AAR), which represents freight carriers, informed CISA that they are currently only considering the implementation of a new, more secure technology for freight trains. As noted by Smith on social network X, the replacement of FRED and the old protocol with a newer one (802.16t) will not occur before 2027. At best.
According to CISA, operators are currently forced to continue using the vulnerable protocol, which, according to Smith, can be hacked using equipment costing less than USD 500.
The only possible protective measures are network segmentation, isolation of critical components, and other basic cybersecurity practices. Unfortunately, all of this is unlikely to help: if someone with an SDR is seriously determined to derail a train, it’s unlikely that anything will stop them.
“How bad is it? You can remotely take control of a train’s brakes from a great distance. You could trigger a brake failure and cause a train to derail. Alternatively, you could simply stop the entire railway network of a country,” explains Smith in a lengthy thread on X.
A vulnerability that came to light back in 2012 could have been discovered not only by Smith but also by other individuals. However, as an article in the Boston Review from 2016 indicates, it’s not all that surprising that the issue remains unresolved to this day.
This article discusses how, back in 2012, Smith intercepted telemetry from a passing train using SDR and spent four years trying to draw attention to the issue. Eventually, he notified the ICS-CERT team, which is responsible for emergency response to incidents in industrial systems. ICS-CERT specialists passed this information to the AAR, hoping they would agree to additional checks and testing. However, AAR deemed the threat “theoretical,” and that was the end of it, with no further developments occurring.
Smith mentions that after publishing this article, he experienced burnout and temporarily stepped away from the topic. Meanwhile, in 2018, cybersecurity researcher Eric Reuter presented a talk at DEFCON, independently confirming the existence of the vulnerability.
Although by 2024 ICS-CERT had undergone several reorganizations, Smith reached out to specialists once again to attempt to revive the discussion (especially since Reuters had independently confirmed the issue). However, according to him, the AAR’s chief information security officer considered the problem insignificant, stating that FRED is regarded as outdated and due for replacement anyway, although the protocol is still in use.
“In the end, CISA agreed with me that the only way to move the situation forward and compel AAR to address the issue is to disclose the information,” says Smith.
The publication of the CVE identifier and information about the vulnerability has partially worked: AAR promised to switch to 802.16t. However, it will not happen for at least a couple of years.
Until then, as Smith points out, the entire US railway network remains vulnerable. The issue is that transitioning to a new protocol will require the physical replacement of more than 75,000 devices.
“It all comes down to the speed of replacing these 75,000 devices. They plan to start in 2026, but complete replacement will take 5-7 years,” says Smith. “By my calculations, this will require 7-10 billion dollars.”
2025.04.30 — Coinbase fixes 2FA bug that made customers panic
Cryptocurrency exchange Coinbase has fixed a bug in its Account Activity logs that caused customers to think their credentials were compromised. Earlier this month, BleepingComputer…
Full article →
2025.02.01 — Critical RCE vulnerability fixed in Cacti
A critical vulnerability has been discovered in the open-source Cacti framework: it enables an authenticated attacker to remotely execute arbitrary code. Vulnerability's ID is CVE-2025-22604; its…
Full article →
2025.02.10 — Failed attempt to block phishing link results in massive Cloudflare outage
According to the incident report released by Cloudflare, an attempt to block a phishing URL on the R2 platform accidentally caused a massive outage; as a result, many Cloudflare…
Full article →
2025.04.29 — FBI Offers 10 million USD for information on Salt Typhoon members
The FBI offers up to 10 million USD for information about members of the Chinese hacker group Salt Typhoon and last year's attack that had…
Full article →
2025.02.23 — New JavaScript obfuscation technique uses invisible Unicode characters
According to Juniper Threat Labs , a new JavaScript obfuscation technique that uses invisible Unicode characters was used in a phishing attack targeting Political Action…
Full article →
2025.02.28 — Qualcomm extends support for Android devices to 8 years
Qualcomm Technologies announced its collaboration with Google with the purpose to provide extended support for OEM devices running on company's flagship chipsets. This partnership will…
Full article →
2025.02.25 — More than 100,000 users downloaded SpyLend malware from Google Play Store
According to Cyfirma, a malicious Android app called SpyLend was available on the official Google Play Store for some time and has been downloaded from there…
Full article →
2025.01.22 — Fake Homebrew Infects macOS and Linux Machines with infostealer
Attackers use Google ads to disguise themselves as the Homebrew website and distribute malware targeting Mac and Linux systems and stealing logon credentials, browser data, and cryptocurrency wallets.…
Full article →
2025.03.10 — Nearly a million Windows computers impacted by a malvertising campaign
According to Microsoft, nearly 1 million Windows devices fell victim to a sophisticated malvertising campaign in recent months. Cybercriminals were able to steal credentials, cryptocurrency, and sensitive…
Full article →
2025.02.07 — 768 vulnerabilities were exploited by hackers in 2024
According to VulnCheck, 768 CVEs were registered as exploited in real-life attacks in 2024. This is 20% greater compared to 2023 when hackers exploited 639 vulnerabilities. Interestingly,…
Full article →