A 13-Year-Old Security Flaw Remains Unaddressed, Putting Lives at Risk

A software-defined radio can potentially derail a US train by remotely slamming the brakes on, according to a warning issued by the US Cybersecurity and Infrastructure Security Agency (CISA) last week. The vulnerability, which has been known since 2012, exists in the communication system used by trains to link the end-of-train device to the head-of-train locomotive.
Independent security researcher Neil Smith first reported the issue to the US government 13 years ago, but it took a CISA warning to prompt action from the railroad industry. The vulnerability allows an attacker to input their own braking commands and stop the train in its tracks, posing a significant risk to passenger and freight safety.
The issue lies in the use of an outdated integrity check, a BCH (Bose-Chaudhuri-Hocquenghem) checksum, which detects transmission errors but provides no authentication. Anyone with a software-defined radio (SDR) can therefore monitor the link and transmit a fake braking command that the end-of-train device accepts as genuine and acts on, applying the brakes remotely.
The BCH checksum only verifies that data passing between the end-of-train device and the head-of-train locomotive arrived intact. Because the algorithm is public and uses no secret key, an attacker with an SDR can intercept the traffic and craft braking commands that pass the check, so the injected commands are indistinguishable from legitimate ones and are executed by the end-of-train device.
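The distinction the two paragraphs above turn on, an error-detecting code versus a message authentication code, is easy to show on a receiver. The following is an added illustration written for this page; it is not the EOT/HOT protocol, any CISA material or Neil Smith's work. It assumes a constructed three-byte frame layout (address plus command byte) and uses CRC-32 as a stand-in for the BCH code, since both are keyless and the property demonstrated is the same: a receiver that checks only a keyless code accepts any frame whose tag was recomputed, while a receiver that checks an HMAC rejects an altered frame carrying a replayed tag.

```python
import hashlib
import hmac
import zlib
from typing import Optional

# Constructed toy frame layout (illustration only, NOT the real EOT/HOT
# message format): 2-byte device address, 1-byte command, then a 4-byte tag.
CMD_STATUS = 0x00
CMD_BRAKE = 0x01
TAG_LEN = 4


def keyless_tag(payload: bytes) -> bytes:
    """Public error-detecting code. CRC-32 stands in for the BCH code the
    article describes: it needs no secret, so anyone who knows the
    algorithm can compute a valid tag for any payload."""
    return zlib.crc32(payload).to_bytes(TAG_LEN, "big")


def keyed_tag(payload: bytes, key: bytes) -> bytes:
    """Message authentication code (HMAC-SHA256) truncated to the same tag
    length. Without the key, a valid tag for a new payload cannot be made."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]


def encode(addr: int, cmd: int) -> bytes:
    return addr.to_bytes(2, "big") + bytes([cmd])


def receiver_accepts(frame: bytes, key: Optional[bytes]) -> bool:
    """Receiver-side check. key=None models the checksum-only receiver;
    a key models a receiver that verifies an HMAC. Constant-time compare
    avoids leaking the tag through timing on the keyed path."""
    payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = keyless_tag(payload) if key is None else keyed_tag(payload, key)
    return hmac.compare_digest(tag, expected)


def altered_frame(observed: bytes, new_cmd: int, recompute_tag: bool) -> bytes:
    """What a third party holding only an observed frame (and no key) can
    produce: with a keyless code it recomputes the tag over the changed
    payload; with a MAC the best it can do is reuse the observed tag."""
    new_payload = observed[:2] + bytes([new_cmd])
    tag = keyless_tag(new_payload) if recompute_tag else observed[-TAG_LEN:]
    return new_payload + tag


def compare_schemes(key: bytes = b"constructed-demo-key") -> dict:
    """Run both receivers against a genuine STATUS frame and an altered
    copy carrying a BRAKE command. Returns which frames each accepts."""
    status = encode(0x1234, CMD_STATUS)
    cs_frame = status + keyless_tag(status)      # checksum-protected frame
    mac_frame = status + keyed_tag(status, key)  # HMAC-protected frame
    cs_altered = altered_frame(cs_frame, CMD_BRAKE, recompute_tag=True)
    mac_altered = altered_frame(mac_frame, CMD_BRAKE, recompute_tag=False)
    return {
        "checksum_accepts_genuine": receiver_accepts(cs_frame, None),
        "checksum_accepts_altered": receiver_accepts(cs_altered, None),
        "mac_accepts_genuine": receiver_accepts(mac_frame, key),
        "mac_accepts_altered": receiver_accepts(mac_altered, key),
    }


if __name__ == "__main__":
    for name, accepted in compare_schemes().items():
        print(f"{name}: {accepted}")
```

The checksum-only receiver reports `checksum_accepts_altered: True`, which is the whole vulnerability in miniature: the check it performs cannot tell a corrupted frame from a deliberately rewritten one. The HMAC receiver rejects the altered frame, but a MAC on its own is not the end of the story; a genuine braking frame recorded earlier would still verify, so a deployed scheme also needs a counter or nonce under the MAC to defeat replay, and a key-distribution arrangement that fits the device lifecycle.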
The vulnerability is particularly concerning because it can be exploited using relatively inexpensive and widely available equipment. Smith estimates that an attacker could potentially exploit this vulnerability using equipment costing less than $500.
The impact of this vulnerability could be catastrophic, with the potential to cause train derailments, accidents, and even fatalities. The CISA warning notes that an attacker could use this vulnerability to induce brake failure, leading to derailments, or even shut down the entire national railway system.
The Association of American Railroads (AAR), a trade group representing the freight rail industry, has acknowledged the vulnerability and is currently working to implement a newer, more secure technology for freight trains. However, this replacement is not expected to be implemented until at least 2027.
In the meantime, the American rail network remains vulnerable to hacking: CISA's advice to freight operators is limited to segmenting their networks and performing basic cybersecurity maintenance to mitigate the risk, which may not be enough to stop a determined attacker from derailing a train.
Smith, who has been advocating for the industry to address the issue since 2012, expressed frustration at the slow pace of action. “You could remotely take control over a train’s brake controller from a very long distance,” he explained. “You could induce brake failure leading to derailments or you could shut down the entire national railway system.”
The AAR has been criticized for its handling of the issue, with some questioning why it took a CISA warning to prompt action. The AAR's infosec director reportedly downplayed the issue, viewing it as a minor problem since the FRED protocol was end-of-life and slated for replacement.
However, Smith’s persistence and the CISA warning have finally led to a commitment from the AAR to implement the new technology. While this is a step in the right direction, the rail network remains vulnerable to hacking until the replacement is implemented.
Technical Details
Vulnerability ID: CVE-2025-1727
CVSS Score: 8.1 (High)
Affected Protocol: FRED (Flashing Rear-End Device) protocol
Vulnerable Component: End-of-train device
Exploitation Method: Software-defined radio (SDR) attack
Estimated Cost of Exploitation: Less than $500
Potential Impact: Train derailments, accidents, fatalities, and disruption of national railway system.