Vulnerability Allows Hackers to Remotely Control Train Brakes

Alan V Gutnov
Alan V Gutnov

Director of Strategy

 
July 15, 2025
3 min read

Vulnerabilities in Train Brake Systems

Many trains in the U.S. face a serious security vulnerability that allows hackers to remotely engage the brakes. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged this issue, which could have catastrophic effects on passenger safety and freight operations. The flaw, tracked as CVE-2025-1727, has been known for over a decade but has only recently come to light due to increased scrutiny.

Independent researcher Neil Smith discovered this vulnerability in 2012. It stems from a weak authentication protocol used in the communication link between End-of-Train (EoT) and Head-of-Train (HoT) devices, primarily utilizing a simple BCH checksum for validation. This outdated security protocol enables attackers to craft malicious brake commands using software-defined radio equipment that costs less than $500.

Smith stated, “All of the knowledge to generate the exploit already exists on the internet. AI could even build it for you.” The physical proximity required for exploitation limits remote hacks but still poses a significant threat to operational safety.

Major EoT/HoT Vulnerability

The Association of American Railroads (AAR) has acknowledged the need to replace the insecure EoT and HoT protocols that link locomotives to the EoT devices, commonly known as “FREDs” (Flashing Rear End Devices). This decision comes more than 12 years after the issue was initially reported. The EoT devices collect telemetry and can receive commands from conductors, including the ability to apply brakes from the back of the train.

Neil Smith

Image courtesy of Risky Business

Smith’s initial report to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) did not lead to immediate action from the AAR, which downplayed the threat. Smith’s persistence, alongside the independent discovery of the same issue by another security researcher, Eric Reuter, eventually led to renewed attention on the vulnerability.

The AAR is set to replace the old protocol with the IEEE 802.16t Direct Peer-to-Peer (DPP) protocol, which promises better security and lower latency. However, this transition will involve replacing over 75,000 EoT devices across North America, a task expected to take 5-7 years and cost between $7-10 billion.

Exploitation Risks

The implications of this vulnerability are severe. Hackers could potentially disrupt rail operations by triggering emergency brakes remotely, leading to passenger injuries, derailments, and widespread transportation disruptions. CISA's advisory emphasizes that successful exploitation could allow attackers to send unauthorized brake control commands to the EoT devices.

Train Safety

Image courtesy of Security Affairs

Despite the risks, there have been no reported active exploitations so far. Smith warns against testing these vulnerabilities, citing the severe potential consequences, including loss of life. The delay in addressing this issue raises questions about industry accountability in safeguarding critical infrastructure.

Conclusion

The vulnerabilities in the train brake systems highlight significant gaps in cybersecurity within the railway industry. The lack of action over the years and the eventual acknowledgment of the issue underscore the need for urgent remediation. The transition to more secure protocols cannot come soon enough, as the current systems remain susceptible to exploitation.

For those interested in ensuring the safety of their operations or looking for advanced cybersecurity solutions, Gopher Security offers a range of services that can help mitigate these risks.

Alan V Gutnov
Alan V Gutnov

Director of Strategy

 

MBA-credentialed cybersecurity expert specializing in Post-Quantum Cybersecurity solutions with proven capability to reduce attack surfaces by 90%.

Related News

Surge in Cloud RCE Vulnerabilities and Privilege Escalation Disclosures Shifts Focus to Infrastructure Security
cloud RCE vulnerability disclosures 2026

Surge in Cloud RCE Vulnerabilities and Privilege Escalation Disclosures Shifts Focus to Infrastructure Security

Critical cloud vulnerabilities have doubled. Learn why Azure RCE and privilege escalation flaws are shifting the focus to infrastructure security in 2026.

By Brandon Woo July 9, 2026 4 min read
common.read_full_article
2026 Industry Analysis Ranks Top Tools for Assessing Quantum Attack Risks in Crypto Exchanges
post-quantum cryptography migration roadmap 2026

2026 Industry Analysis Ranks Top Tools for Assessing Quantum Attack Risks in Crypto Exchanges

Discover the top tools for assessing quantum attack risks in crypto exchanges. Learn how to defend against 'harvest-now, decrypt-later' threats in 2026.

By Edward Zhou July 8, 2026 4 min read
common.read_full_article
New Regulatory Directives Mandate Enhanced Cybersecurity Resilience Standards for Global Critical Infrastructure Operators
critical infrastructure cyber resilience regulations

New Regulatory Directives Mandate Enhanced Cybersecurity Resilience Standards for Global Critical Infrastructure Operators

The U.S. shifts from voluntary compliance to mandatory NSM-22 cybersecurity standards for critical infrastructure. Learn about new SIE designations and oversight.

By Alan V Gutnov July 7, 2026 5 min read
common.read_full_article
Microsoft Releases New Security Framework to Address Autonomous AI Agent Vulnerabilities and Identity Risks
Microsoft Agent 365

Microsoft Releases New Security Framework to Address Autonomous AI Agent Vulnerabilities and Identity Risks

Microsoft introduces Agent 365 and the MDASH security harness to secure autonomous AI agents against identity risks and emerging vulnerabilities. Learn more.

By Divyansh Ingle July 6, 2026 4 min read
common.read_full_article