- Hackers only need cheap hardware and basic skills to stop a moving freight train remotely
- The American Association of Railways dismissed the threat until federal pressure forced a response
- The system still isn’t fixed, and full updates won’t arrive until at least 2027
A critical flaw in the wireless systems used across US rail networks has remained unresolved for more than a decade, exposing trains to remote interference.
The vulnerability affects End-of-Train (EoT) devices, which relay data from the last carriage to the front of the train, forming a link with the Head-of-Train (HoT) module.
Although the issue was flagged in 2012, it was largely dismissed until federal intervention forced a response.
Ignored warnings and delayed responses
Hardware security researcher Neils first identified the flaw in 2012, when software-defined radios (SDRs) began to proliferate.
The discovery revealed that these radios could easily mimic signals sent between the HoT and EoT units.
Since the system relies on a basic BCH checksum and lacks encryption, any device transmitting on the same frequency could inject false packets.
In a concerning twist, the HoT is capable of sending brake commands to the EoT, which means an attacker could stop a train remotely.
“This vulnerability is still not patched,” Neils stated on social media, revealing it took over a decade and a public advisory from the Cybersecurity and Infrastructure Security Agency (CISA) before meaningful action was taken.
The issue, now catalogued as CVE-2025-1727, allows for the disruption of U.S. trains with hardware costing under $500.
Neils’s findings were met with skepticism by the American Association of Railways (AAR), which dismissed the vulnerability as merely “theoretical” back in 2012.
Attempts to demonstrate the flaw were thwarted due to the Federal Railway Authority’s lack of a dedicated test track and the AAR denying access to operational sites.
Even after the Boston Review published the findings, the AAR publicly refuted them via a piece in Fortune.
By 2024, the AAR’s Director of Information Security continued to downplay the threat, arguing that the devices in question were approaching end-of-life and didn’t warrant urgent replacement.
It wasn’t until CISA issued a formal advisory that the AAR began outlining a fix. In April 2025, an update was announced, but full deployment is not expected until 2027.
The vulnerability stems from technology developed in the 1980s, when frequency restrictions reduced the risk of interference, but today’s widespread access to SDRs has altered the risk landscape dramatically.
“Turns out you can just hack any train in the USA and take control over the brakes,” Neils said, encapsulating the broader concern.
The ongoing delay and denial mean US trains are probably sitting on a keg of gunpowder that could lead to serious risks at any time.
Via TomsHardware
