Security Vulnerability on U.S. Trains Exposed After 13 Years: Operators Refused to Fix the Issue Until Now
A devastating security vulnerability has been exposed on American trains, leaving millions of passengers vulnerable to hacking and potentially catastrophic consequences. The vulnerability, identified as CVE-2025-1727, was first discovered in 2012 by hardware security researcher Neils, but the American Association of Railways (AAR) refused to act on it until the Cybersecurity & Infrastructure Security Agency (CISA) published an advisory just a few days ago.
The vulnerability is rooted in the End-of-Train (EoT) module attached to the last carriage of every train, which reports telemetry data to the front of the train wirelessly. This module uses a specific frequency allocated for communication between the EoT and the Head-of-Train (HoT) partner. However, due to a lack of security measures in place, anyone with a software-defined radio (SDR) and basic knowledge of packet creation can mimic these packets, allowing them to send false signals to the EoT module.
This would not be an urgent issue if the EoT only sent telemetry data, but since it also has the capability to receive brake commands from the HoT through this system, anyone with the necessary hardware and expertise can potentially compromise the safety of train operations. The entire process can be carried out without the knowledge of the train driver, raising serious concerns about passenger safety.
A History of Ignored Warnings
The AAR initially dismissed Neils' findings in 2012, labeling the problem a "theoretical issue" that it would not treat as real until it was proven in real-world scenarios. Unfortunately, the Federal Railway Authority (FRA) lacked a test track facility for thorough testing, due to security concerns on its property. This unwillingness to acknowledge and address the issue led to repeated warnings from Neils, who ultimately published his findings in The Boston Review.
Despite these warnings, the AAR continued to refuse to take action until CISA published its advisory just a few days ago. The AAR's Director of Information Security even went so far as to downplay the issue, stating that it wasn't really a major problem and that the affected devices were already nearing the end of their lifespan.
A New Approach to Safety
However, with CISA's publication of its advisory, the AAR has finally acknowledged the severity of the issue and is working towards a solution. The group announced an update last April, but implementation has been slow, with 2027 targeted as the earliest year of deployment.
This new approach to addressing the vulnerability comes after years of inaction, and it remains to be seen whether this will be enough to prevent any potential catastrophic incidents. As the transportation sector continues to evolve, it's essential that organizations prioritize security measures to protect passengers and maintain public trust.