Vulnerability in Railway Protocol Allows Train to Be Stopped Using SDR

Date: 18/07/2025

Back in 2012, independent cybersecurity researcher Neil Smith reported to the U.S. government about a vulnerability in a communication standard used in trains. However, the issue has not yet been resolved, and the researcher’s concerns were dismissed for many years.

Last week, the United States Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about a vulnerability CVE-2025-1727 (scored 8.1 on the CVSS scale). The issue involves weak authentication in the communication protocol between the train’s head and tail, allowing an attacker to transmit their own commands and even perform an emergency stop of the train.

The vulnerable system is known as the End-of-Train device, or FRED (Flashing Rear-End Device). It is installed on the last car of freight trains. FRED collects telemetry and transmits it to a device at the front of the train using a dedicated protocol that relies on an outdated BCH checksum. With the advent of software-defined radio (SDR), it has become clear that such packets are easy to spoof.

The operation of FRED is particularly useful for long freight trains, which can be over a kilometer in length. In addition to collecting telemetry, the devices can receive commands, and one of the most important commands is the ability to brake the train.

As Smith discovered back in 2012, anyone who intercepts the traffic with an SDR can spoof the packets and send FRED an emergency-brake command. This can lead to an accident or even derail the train.
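The security point behind the paragraphs above is that a checksum such as BCH is an error-detecting code, not an authenticator: it involves no secret, so any party that can build a well-formed frame can also produce a matching checksum. The following Python example is an added illustration and is not the EOT/HOT (FRED) protocol, nor code from the article, CISA or the AAR. It uses a made-up frame layout and a CRC-16 stand-in for the BCH code, a hypothetical checksum-only receiver, and a hardened receiver that additionally requires an HMAC under a shared key plus a strictly increasing counter so that unkeyed or replayed frames are rejected.

```python
"""Why an integrity checksum is not an authenticator (added example).

The frame layout, command codes, key and receivers below are all
constructed for illustration; none of them describe the real EOT protocol.
"""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Hypothetical command codes for the toy protocol (not the real standard).
CMD_TELEMETRY = 0x01
CMD_EMERGENCY_BRAKE = 0x7F


def crc16(data: bytes, poly: int = 0x1021, init: int = 0xFFFF) -> int:
    """CRC-16/CCITT-FALSE: an error-detecting code that, like BCH, anyone
    can recompute because it involves no secret."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ poly) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def build_frame(unit_id: int, counter: int, cmd: int) -> bytes:
    """Toy frame: unit_id(2) | counter(4) | cmd(1) | crc16(2)."""
    body = struct.pack(">HIB", unit_id, counter, cmd)
    return body + struct.pack(">H", crc16(body))


def checksum_only_receiver(frame: bytes) -> Tuple[bool, Optional[int]]:
    """Accepts any frame whose checksum matches: this protects against
    noise on the radio link but proves nothing about who sent the frame."""
    body, tag = frame[:-2], struct.unpack(">H", frame[-2:])[0]
    if crc16(body) != tag:
        return False, None
    _, _, cmd = struct.unpack(">HIB", body)
    return True, cmd


def sign_frame(key: bytes, frame: bytes) -> bytes:
    """Keyed tag over the whole frame; only holders of the key can produce it."""
    return hmac.new(key, frame, hashlib.sha256).digest()


class AuthenticatedReceiver:
    """Hardened receiver: checksum, then HMAC-SHA256 under a shared key,
    then addressee and anti-replay counter checks."""

    def __init__(self, key: bytes, unit_id: int):
        self.key = key
        self.unit_id = unit_id
        self.last_counter = -1

    def accept(self, frame: bytes, mac: bytes) -> Tuple[bool, Optional[int]]:
        ok, cmd = checksum_only_receiver(frame)
        if not ok:
            return False, None
        expected = sign_frame(self.key, frame)
        if not hmac.compare_digest(expected, mac):
            return False, None  # frame was not built by a key holder
        unit_id, counter, _ = struct.unpack(">HIB", frame[:-2])
        if unit_id != self.unit_id or counter <= self.last_counter:
            return False, None  # wrong addressee, or a replayed frame
        self.last_counter = counter
        return True, cmd


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; a real pairing key is provisioned per unit
    frame = build_frame(0x0001, 5, CMD_EMERGENCY_BRAKE)
    print("checksum-only receiver:", checksum_only_receiver(frame))
    rx = AuthenticatedReceiver(key, 0x0001)
    print("hardened, no valid MAC: ", rx.accept(frame, b"\x00" * 32))
    print("hardened, keyed MAC:    ", rx.accept(frame, sign_frame(key, frame)))
    print("hardened, replayed:     ", rx.accept(frame, sign_frame(key, frame)))
```

The checksum-only receiver accepts the brake frame from any sender, which is exactly the weakness the CISA advisory describes at the protocol level; the hardened receiver accepts it only with a tag computed under the shared key and only once per counter value. A keyed MAC is the minimum that turns "the frame is undamaged" into "the frame came from the paired head-of-train unit".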

However, there is simply no fix available for this vulnerability. The Association of American Railroads (AAR), which represents freight carriers, informed CISA that they are currently only considering the implementation of a new, more secure technology for freight trains. As noted by Smith on social network X, the replacement of FRED and the old protocol with a newer one (802.16t) will not occur before 2027. At best.

According to CISA, operators are currently forced to continue using the vulnerable protocol, which, according to Smith, can be hacked using equipment costing less than USD 500.

The only possible protective measures are network segmentation, isolation of critical components, and other basic cybersecurity practices. Unfortunately, all of this is unlikely to help: if someone with an SDR is seriously determined to derail a train, it’s unlikely that anything will stop them.

“How bad is it? You can remotely take control of a train’s brakes from a great distance. You could trigger a brake failure and cause a train to derail. Alternatively, you could simply stop the entire railway network of a country,” explains Smith in a lengthy thread on X.

A vulnerability that came to light back in 2012 could have been discovered not only by Smith but also by other individuals. However, as an article in the Boston Review from 2016 indicates, it’s not all that surprising that the issue remains unresolved to this day.

This article discusses how, back in 2012, Smith intercepted telemetry from a passing train using SDR and spent four years trying to draw attention to the issue. Eventually, he notified the ICS-CERT team, which is responsible for emergency response to incidents in industrial systems. ICS-CERT specialists passed this information to the AAR, hoping they would agree to additional checks and testing. However, AAR deemed the threat “theoretical,” and that was the end of it, with no further developments occurring.

Smith mentions that after publishing this article, he experienced burnout and temporarily stepped away from the topic. Meanwhile, in 2018, cybersecurity researcher Eric Reuter presented a talk at DEFCON, independently confirming the existence of the vulnerability.

Although by 2024 ICS-CERT had undergone several reorganizations, Smith reached out to its specialists once again to try to revive the discussion (especially since Reuter had independently confirmed the issue). However, according to him, the AAR’s chief information security officer considered the problem insignificant, stating that FRED is regarded as outdated and due for replacement anyway, although the protocol is still in use.

“In the end, CISA agreed with me that the only way to move the situation forward and compel AAR to address the issue is to disclose the information,” says Smith.

The publication of the CVE identifier and information about the vulnerability has partially worked: AAR promised to switch to 802.16t. However, it will not happen for at least a couple of years.

Until then, as Smith points out, the entire US railway network remains vulnerable. The issue is that transitioning to a new protocol will require the physical replacement of more than 75,000 devices.

“It all comes down to the speed of replacing these 75,000 devices. They plan to start in 2026, but complete replacement will take 5-7 years,” says Smith. “By my calculations, this will require 7-10 billion dollars.”
