US railroad industry’s outdated radio protocol is vulnerable • The Register

When independent security researcher Neil Smith reported a vulnerability in a comms standard used by trains to the US government in 2012, he most likely didn’t expect it would take until 2025 to sort the matter out, but here we are. 

The US Cybersecurity and Infrastructure Security Agency (CISA) issued CVE-2025-1727 (CVSS v3.1 8.1) last week, specifying the issue as one of weak authentication in the end-of-train to head-of-train linking protocol – allowing an attacker to input their own braking commands and stop the train in its tracks.

Commonly referred to as FRED, for the post-caboose Flashing Rear-End Device that now sits at the back of freight trains and transmits data to the locomotive using the protocol, the system uses an old BCH checksum to create packets that, since the age of software-defined radios, can be easily spoofed. 

If a savvy person – Smith, for example – used an SDR to snoop on that traffic, they could spoof those packets to tell the FRED to apply the brakes, risking an accident or even potentially a derailment.
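The weakness class behind the CVE, seen from the receiver's side, as an added example that is not from the article, CISA or any rail vendor: an unkeyed checksum only detects transmission errors, while a keyed MAC plus a counter rejects frames from senders without the key and replays of recorded frames. The frame layout, the key and the CRC-32 stand-in for the BCH checksum are all constructed assumptions, not the real end-of-train format.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed frame layout (hypothetical, NOT the real end-of-train format):
#   unit_id (uint32) | counter (uint32) | command (uint8) | trailer
KEY = b"constructed-demo-key-shared-by-both-ends"  # assumption: pre-shared key
HEADER = struct.Struct(">IIB")


def seal_checksum(unit_id, counter, command):
    """Legacy style: trailer is an unkeyed checksum (CRC-32 as a stand-in)."""
    body = HEADER.pack(unit_id, counter, command)
    return body + struct.pack(">I", zlib.crc32(body))


def verify_checksum(frame):
    """Detects bit errors only; any sender can produce a passing trailer."""
    body, trailer = frame[:-4], frame[-4:]
    return struct.pack(">I", zlib.crc32(body)) == trailer


def seal_mac(unit_id, counter, command, key=KEY):
    """Authenticated style: trailer is HMAC-SHA256 over the same body."""
    body = HEADER.pack(unit_id, counter, command)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class MacReceiver:
    """Accepts a frame only if the MAC verifies and the counter advances."""

    def __init__(self, key=KEY):
        self.key = key
        self.last_counter = {}  # unit_id -> highest counter accepted

    def accept(self, frame):
        if len(frame) != HEADER.size + 32:
            return False
        body, tag = frame[:-32], frame[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # wrong key or altered body
        unit_id, counter, _ = HEADER.unpack(body)
        if counter <= self.last_counter.get(unit_id, -1):
            return False  # replay of a previously recorded frame
        self.last_counter[unit_id] = counter
        return True
```

The checksum verifier accepts any well-formed frame regardless of who built it, which is the design gap the advisory describes; the MAC receiver ties acceptance to possession of the key and to a counter that only moves forward.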

There’s no solution to this vulnerability, with the Association of American Railroads (AAR), a trade group representing the freight rail industry, telling CISA it’s currently looking to implement a newer, more secure technology for freight trains. Unfortunately, as Smith pointed out in a long thread on X, the 802.16t protocol that is to replace the outdated FRED control system likely won’t arrive until “2027 at best.”

Meanwhile, says CISA, freight operators forced to continue operating using a protocol that’s hackable with, in Smith’s words, “sub $500” equipment, are left to segment networks to isolate critical controls and perform other basic cybersecurity maintenance – measures that, let’s be realistic, are for peace of mind and probably won’t stop a miscreant with an SDR from derailing a train if they’re dead set on it.

How did this take so long?

“So, how bad is this,” Smith posited on X. 

“You could remotely take control over a train’s brake controller from a very long distance,” he explained. “You could induce brake failure leading to derailments or you could shut down the entire national railway system.” 

With a simple exploit sitting out there in the open since 2012 (if Smith discovered it, someone else might too), it seems practically negligent that someone didn’t take action, but as a 2016 story from the Boston Review explains, it’s not a surprise. 

The BR article tells the story of Smith’s by then four-year tussle with the AAR upon first reporting the matter to the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) after successfully recording telemetry data from a passing train using an SDR in 2012. 

ICS-CERT went to AAR with Smith’s concerns, hoping they would be open to further security testing, but that initial contact was as far as it went – and as far as the BR story was able to glimpse into the struggle. 

As Smith explained on X, the BR article led to some burnout on the matter until security researcher Eric Reuter gave a talk at DEFCON in 2018, presenting an independent discovery of the same issue. By 2024, ICS-CERT had restructured several times, and Smith decided to reach back out to see if they could reopen the issue.

According to Smith, AAR’s infosec director saw it as a minor issue since the FRED protocol was end of life and slated for replacement despite still being in use. 

“CISA finally agreed with me that publication would be the only remaining option to pressure AAR to fix this issue,” Smith said. He noted that the CVE publication “kinda worked”: the AAR committed to the 802.16t replacement mentioned earlier, which, as noted, is not coming for at least a couple of years.

In the meantime, Smith suggested, the American rail network remains vulnerable.

Neither the AAR nor the Federal Railroad Administration responded to questions for this story. ®
