An Attacker Using a $500 Radio Setup Could Potentially Trigger Train Brake Failures or Derailments from a Distance

A roughly 20-year-old flaw in the radio link between End-of-Train and Head-of-Train devices, which could let an attacker trigger emergency braking, is finally getting attention. The US Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical flaw, tracked as CVE-2025-1727, in the radio-based linking protocol between these two systems.

An End-of-Train (EoT) device, also known as a Flashing Rear End Device (FRED), is a wireless unit attached to the last car of a freight train. It monitors and transmits key data (such as brake-pipe pressure) to the Head-of-Train (HoT) device in the locomotive, accepts remote emergency-braking commands from it, and marks the train's rear with a flashing light.

The EoT/HoT link, used on freight trains to relay status data and to apply the rear brakes, has neither encryption nor authentication. An attacker could exploit this by transmitting crafted radio packets from a software-defined radio, issuing unauthorized brake commands and compromising train safety.

"Successful exploitation of this vulnerability could allow an attacker to send their own brake control commands to the end-of-train device, causing a sudden stoppage of the train which may lead to a disruption of operations, or induce brake failure," reads CISA's advisory. The agency classified the flaw as Weak Authentication (CWE-1390).

The EoT/HoT remote RF linking protocol protects its packets only with a BCH checksum. A BCH code detects transmission errors, but its encoding is public and involves no secret, so anyone with a software-defined radio can compute a valid checksum for a forged packet. The receiver cannot tell a forged brake command from a genuine one, which is what makes disruption or induced brake failure possible.
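The following is an added illustration, not code from the page, from CISA or from the researchers, and it does not use the real EoT/HoT frame format. It models a hypothetical 7-bit command field protected by a BCH(15,7) code (generator polynomial x^8+x^7+x^6+x^4+1) to show the point above: a forger computes valid parity with the same public arithmetic as the sender, so the checksum passes, whereas a keyed HMAC plus a sequence counter (the kind of protection an authenticated link adds) rejects the forgery and a replay. The command codes, tag length and frame layout are assumptions made for this example.

```python
"""Why a checksum is not authentication.

Constructed illustration, not the real EoT/HoT frame format: a 7-bit command
field protected by a BCH(15,7) code. The generator polynomial is public, so
an attacker with a software-defined radio can compute valid parity for any
command. A keyed MAC and a sequence counter are what an authenticated link
would add on top.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# BCH(15,7), t=2: g(x) = (x^4+x+1)(x^4+x^3+x^2+x+1) = x^8+x^7+x^6+x^4+1
BCH_GEN = 0x1D1
N, K = 15, 7
R = N - K  # 8 parity bits

# Hypothetical command codes, chosen for this example only.
CMD_STATUS_REQUEST = 0b0000001
CMD_EMERGENCY_BRAKE = 0b1100101

TAG_LEN = 8  # bytes of truncated HMAC-SHA256 kept in the frame (illustrative)


def _poly_mod(value: int) -> int:
    """Remainder of value(x) mod g(x) over GF(2); input is below 2**N."""
    for i in range(N - 1, R - 1, -1):
        if value & (1 << i):
            value ^= BCH_GEN << (i - R)
    return value


def bch_encode(command: int) -> int:
    """Systematic codeword: command in the high 7 bits, parity in the low 8.
    This is all a forger needs; nothing here is secret."""
    if not 0 <= command < (1 << K):
        raise ValueError("command must fit in 7 bits")
    shifted = command << R
    return shifted | _poly_mod(shifted)


def bch_check(codeword: int) -> bool:
    """Zero syndrome: the receiver sees no transmission error (not 'genuine')."""
    return 0 <= codeword < (1 << N) and _poly_mod(codeword) == 0


def auth_frame(key: bytes, seq: int, command: int) -> bytes:
    """Authenticated frame: seq (4 bytes) || BCH codeword (2 bytes) || tag."""
    body = seq.to_bytes(4, "big") + bch_encode(command).to_bytes(2, "big")
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def verify_auth_frame(key: bytes, frame: bytes, last_seq: int) -> Optional[int]:
    """Return the command only if tag, replay counter and BCH check all pass."""
    if len(frame) != 6 + TAG_LEN:
        return None
    body, tag = frame[:6], frame[6:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None  # forged, or sent under a different key
    seq = int.from_bytes(body[:4], "big")
    if seq <= last_seq:
        return None  # replay of a captured frame
    codeword = int.from_bytes(body[4:], "big")
    if not bch_check(codeword):
        return None  # damaged in transit
    return codeword >> R


def demo() -> dict:
    """Legitimate traffic, noise, a forgery, and the authenticated variant."""
    key = secrets.token_bytes(32)  # shared by HoT and EoT in this model
    legit = bch_encode(CMD_STATUS_REQUEST)
    forged = bch_encode(CMD_EMERGENCY_BRAKE)  # attacker runs the same code
    good = auth_frame(key, seq=1, command=CMD_STATUS_REQUEST)
    bad = auth_frame(secrets.token_bytes(32), seq=2, command=CMD_EMERGENCY_BRAKE)
    return {
        "legit_passes_bch": bch_check(legit),
        "noise_detected": not bch_check(legit ^ (1 << 5)),
        "forgery_passes_bch": bch_check(forged),
        "good_auth_cmd": verify_auth_frame(key, good, last_seq=0),
        "forged_auth_cmd": verify_auth_frame(key, bad, last_seq=1),
        "replay_auth_cmd": verify_auth_frame(key, good, last_seq=1),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the script shows the BCH check accepting the forged emergency-brake frame just as readily as the legitimate one, while still catching a single flipped bit; only the keyed tag distinguishes the attacker's frame, and the sequence counter is what stops a recorded genuine frame from being played back. The MAC alone would not prevent replay, which is why the counter is part of the check.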

The Vulnerability: A Decade in the Making

The vulnerability was reported to CISA by researchers Neil Smith and Eric Reuter. Smith first discovered it in 2012, but efforts to get the Association of American Railroads (AAR) and the Federal Railroad Administration (FRA) to act stalled for years.

AAR declined to acknowledge the issue unless it was demonstrated in a real-world scenario. Reuter independently discovered the same flaw in 2018. It wasn't until 2024 that the case regained traction, with renewed support from CISA.

The Consequences: A $500 Radio Setup Could Be Enough

According to the researchers, an attacker with a radio setup costing under $500 could trigger brake failures or derailments from a distance, making this a national safety risk rather than a localized one.

"You could remotely take control over a train's brake controller from a very long distance away, using hardware that costs sub-$500," warns Neil Smith. "You could induce brake failure leading to derailments or you could shut down the entire national railway system."

The Response: A New Protocol on the Horizon

Under pressure, the AAR announced that the vulnerable protocol would be replaced with IEEE 802.16t by 2027. The standards committee is pursuing interim mitigations, and the AAR is working on replacing the outdated devices and protocol with new equipment.

CISA's advisory states there is no known public exploitation of the EoT/HoT vulnerability. The risk nonetheless remains severe, and because the remedy is a replacement of the protocol and equipment rather than a software patch, train operators should apply CISA's recommended mitigations now and plan the migration to the new equipment.