A decades-old vulnerability in train control systems is finally receiving the attention it warrants. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a critical flaw, identified as CVE-2025-1727, affecting the radio communication protocol between End-of-Train (EoT) and Head-of-Train (HoT) systems.
EoT devices, also known as Flashing Rear End Devices (FREDs), are wireless units attached to the last car of a freight train. They transmit important data to the locomotive, enable remote emergency braking, and serve as visual indicators with a flashing light.
These systems, used widely in freight operations, were found to lack proper encryption and authentication. This weakness could be exploited by attackers using software-defined radios to send fake control messages, potentially activating emergency brakes without authorization and putting train safety at risk.
According to CISA, “successful exploitation of this vulnerability could allow an attacker to send their own brake control commands to the end-of-train device, causing a sudden stoppage of the train which may lead to a disruption of operations, or induce brake failure.”
The flaw has been classified under CWE-1390 (Weak Authentication). The EoT/HoT radio protocol relies on a basic BCH checksum, which can be imitated. By forging packets with this checksum, an attacker could disrupt operations or overwhelm the braking system.
CISA explained, “The protocol used for remote linking over RF for End-of-Train and Head-of-Train relies on a BCH checksum for packet creation. It is possible to generate these packets using a software-defined radio and issue brake control commands to the EoT device, disrupting operations or potentially overwhelming the brake systems.”
The vulnerability was reported by researchers Neil Smith and Eric Reuter, and it still has not been fixed. Smith revealed that he first identified the issue in 2012 after decoding signals with an RTL-SDR device. He found that the radio protocol, introduced in the 1980s to replace cabooses, uses outdated security assumptions based only on FCC regulations, rather than actual technical safeguards.
Despite presenting the problem more than a decade ago, Smith faced resistance from the American Association of Railroads (AAR) and the Federal Railroad Administration (FRA), which demanded real-world proof before taking action. Another researcher, Eric Reuter, independently discovered the vulnerability in 2018, but real progress was not made until 2024 when CISA became more involved.
Even now, AAR continues to downplay the issue, labeling the system as “end of life,” although it is still actively used in freight and passenger trains. Under growing pressure, officials have announced plans to replace the flawed protocol with IEEE 802.16t by 2027.
The danger remains serious. A person with a radio setup costing around $500 could remotely interfere with train braking systems, potentially causing derailments or serious accidents. Smith has warned against experimenting with this flaw, as doing so could result in injury or loss of life.
CISA noted in its advisory that there is no evidence of the flaw being exploited in real-world attacks. In response, industry groups are working on solutions. The AAR is now taking steps to replace the outdated equipment and implement stronger protocols to improve rail safety.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
