Bug in Railroad Protocol Allows Trains to Be Stopped Using SDR

In 2012, independent cybersecurity researcher Neil Smith uncovered a critical flaw in a railroad communication protocol and reported it to the U.S. government. His warnings, however, were largely ignored for over a decade.
That changed last week, when the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory for CVE-2025-1727, rating it 8.1 on the CVSS scale. The vulnerability stems from weak authentication in the communications between the front and rear of a train, allowing an attacker to send malicious commands—including one that triggers an emergency brake.
At the center of the issue is the End-of-Train (EOT) device, also known as FRED (Flashing Rear-End Device). Positioned on the last car of a freight train, FRED transmits telemetry to the locomotive using a legacy protocol whose only protection is a BCH checksum, a long-outdated mechanism that detects transmission errors but does nothing to authenticate the sender. With the rise of software-defined radio (SDR), researchers have shown these packets can be intercepted and spoofed.
While FRED helps monitor the integrity of freight trains—often stretching over a kilometer—it also accepts remote commands. One of them can trigger the brakes.
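The difference between an error-detecting code and authentication, as an added illustration that is not code from the article, from CISA, or from any railroad vendor: a constructed toy command frame protected only by a checksum, beside the same frame carried over a keyed, replay-protected link. The frame layout, command codes and shared key are assumptions, and a CRC-16 stands in for the BCH code, since both are public, keyless error-detection codes and the point is the same for either.

```python
import hashlib
import hmac
import struct

# Constructed toy command frame: 16-bit unit id, 8-bit command, 16-bit check.
# The layout, command codes and check polynomial are assumptions for
# illustration only; they are not the real EOT/HOT frame format.
CMD_STATUS = 0x01
CMD_BRAKE = 0x02
LEGACY_PAYLOAD_FMT = ">HB"
AUTH_PAYLOAD_FMT = ">HIB"          # unit id, 32-bit counter, command
TAG_LEN = 8                         # truncated HMAC-SHA256 tag


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE. Stands in here for the BCH code: like BCH it is an
    error-detecting code with a public generator, so any party that knows the
    format can produce a frame with a valid check value. No secret is involved."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def build_legacy_frame(unit_id: int, command: int) -> bytes:
    """Checksum-only frame: no key is needed to produce a frame that verifies."""
    payload = struct.pack(LEGACY_PAYLOAD_FMT, unit_id, command)
    return payload + struct.pack(">H", crc16_ccitt(payload))


def verify_legacy_frame(frame: bytes) -> bool:
    """Checks integrity only: it tells a corrupted frame from a clean one,
    but it cannot tell the genuine transmitter from anyone else."""
    if len(frame) != struct.calcsize(LEGACY_PAYLOAD_FMT) + 2:
        return False
    payload, (check,) = frame[:-2], struct.unpack(">H", frame[-2:])
    return crc16_ccitt(payload) == check


def build_authenticated_frame(key: bytes, unit_id: int, counter: int, command: int) -> bytes:
    """Same payload plus a monotonic counter, authenticated with a keyed MAC."""
    payload = struct.pack(AUTH_PAYLOAD_FMT, unit_id, counter, command)
    tag = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    return payload + tag


class LocomotiveReceiver:
    """Head-of-train side of an authenticated link: accepts a command only if
    the MAC verifies under the shared key, the unit id matches the paired EOT
    device, and the counter is fresh (rejects replay of a captured frame)."""

    def __init__(self, key: bytes, paired_unit_id: int) -> None:
        self.key = key
        self.paired_unit_id = paired_unit_id
        self.last_counter = -1

    def accept(self, frame: bytes) -> bool:
        plen = struct.calcsize(AUTH_PAYLOAD_FMT)
        if len(frame) != plen + TAG_LEN:
            return False
        payload, tag = frame[:plen], frame[plen:]
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):   # constant-time comparison
            return False
        unit_id, counter, _command = struct.unpack(AUTH_PAYLOAD_FMT, payload)
        if unit_id != self.paired_unit_id or counter <= self.last_counter:
            return False
        self.last_counter = counter
        return True


def demo() -> dict:
    """Contrast the two designs on constructed frames; every value should be True."""
    key = b"constructed-shared-key"      # assumption: provisioned out of band
    unit = 0x1234
    rx = LocomotiveReceiver(key, unit)
    genuine = build_authenticated_frame(key, unit, 1, CMD_STATUS)
    corrupted = bytearray(build_legacy_frame(unit, CMD_STATUS))
    corrupted[2] ^= 0x01                 # simulate a single flipped bit on the air
    return {
        # the checksum does its job: a flipped bit is caught ...
        "legacy_detects_corruption": not verify_legacy_frame(bytes(corrupted)),
        # ... but a frame from a party holding no secret verifies just the same
        "legacy_accepts_unkeyed_sender": verify_legacy_frame(build_legacy_frame(unit, CMD_BRAKE)),
        "auth_accepts_genuine": rx.accept(genuine),
        "auth_rejects_replay": not rx.accept(genuine),
        "auth_rejects_wrong_key": not rx.accept(build_authenticated_frame(b"other", unit, 2, CMD_BRAKE)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The checksum-only receiver cannot distinguish its paired device from any other transmitter on the same frequency, which is the "weak authentication" the advisory describes; the keyed design adds sender authentication and replay protection, but it also needs key provisioning and a changed frame format on every unit, which is why the fix is a fleet-wide hardware replacement rather than a software patch.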
Smith’s 2012 research showed that an attacker using an SDR could forge command packets, forcing a train to brake abruptly—potentially causing a crash or derailment. Yet, more than a decade later, no fix exists.
The Association of American Railroads (AAR)—which represents freight carriers—told CISA it’s only considering adopting a more secure standard. Smith noted on X (formerly Twitter) that their proposed replacement, based on 802.16t, likely won’t be deployed before 2027 at the earliest.
According to CISA, operators must continue using the insecure protocol—one Smith says can be exploited with less than $500 worth of off-the-shelf equipment.
Mitigations are limited to network segmentation and isolating critical components—basic cybersecurity hygiene that protects wired networks but does nothing for an over-the-air radio link, and is unlikely to stop a skilled SDR operator.
“How bad is it?” Smith wrote in a recent X thread. “You can remotely hijack a train’s brakes. You can trigger brake failure and derailment. Or just shut down the national rail network.”
The vulnerability may not be Smith’s discovery alone. A 2016 Boston Review article chronicled how Smith intercepted telemetry traffic in 2012 and spent four years trying to raise awareness. When he eventually contacted ICS-CERT—the industrial control systems emergency team—the agency forwarded his findings to AAR. The organization dismissed the threat as "theoretical." Nothing changed.
The experience led to burnout, and Smith withdrew from the space. But in 2018, researcher Eric Reuter independently confirmed the same flaw during a DEF CON talk.
In 2024, with ICS-CERT now under CISA’s purview, Smith re-engaged with experts to renew pressure on AAR—especially after Reuter’s independent validation. But AAR’s CISO downplayed the issue, calling FRED “legacy” and claiming it was slated for replacement.
“Eventually, CISA agreed the only way to force AAR’s hand was public disclosure,” Smith said.
Publishing the CVE made an impact: AAR has now committed to adopting 802.16t—but the timeline remains slow. The transition involves physically replacing over 75,000 units.
“They plan to start in 2026, but full replacement will take 5–7 years,” Smith estimates. “It’ll cost between $7 and $10 billion.”
Until then, the U.S. freight rail system remains vulnerable to remote hijacking—a known risk for over a decade.