
Critical Train Safety Flaw: Hackers Can Remotely Trigger Brakes with $500 Radio

TL;DR

  • A critical vulnerability in train communication systems allows hackers to remotely trigger emergency brakes, risking derailments and disruptions.
  • The flaw, tracked as CVE-2025-1727, affects End-of-Train (EoT) and Head-of-Train (HoT) devices and remains unpatched even though it was first reported to the industry in 2012, more than a decade ago.
  • Efforts are underway to replace the outdated protocols, but the risk persists until the new systems are fully implemented.

Critical Flaw in Train Communication Systems Puts Safety at Risk

A vulnerability in the radio linking protocol used by End-of-Train (EoT) and Head-of-Train (HoT) devices allows an attacker within radio range to trigger a train's emergency brakes, with derailment or major disruption as possible outcomes. The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory for the flaw, tracked as CVE-2025-1727.

Understanding End-of-Train (EoT) and Head-of-Train (HoT) Systems

End-of-Train (EoT) devices, also called Flashing Rear End Devices (FRED), are wireless units attached to the last car of a freight train. They report rear-of-train telemetry such as brake-pipe pressure to the Head-of-Train (HoT) unit in the locomotive, carry out emergency brake applications commanded from the cab, and mark the rear of the train with a flashing light. The EoT/HoT link uses a decades-old radio protocol with no encryption and no authentication, so any radio that can speak the protocol can address the device.

Exploiting the Vulnerability

Attackers can exploit this vulnerability by transmitting crafted radio packets from a software-defined radio, issuing unauthorized brake commands and compromising train safety. According to CISA's advisory, "Successful exploitation of this vulnerability could allow an attacker to send their own brake control commands to the end-of-train device, causing a sudden stoppage of the train which may lead to a disruption of operations, or induce brake failure." [1]

CISA classifies the flaw as Weak Authentication (CWE-1390). Packets on the EoT/HoT remote RF linking protocol are validated with nothing more than a BCH checksum. A BCH code is an error-detecting and error-correcting code, not a message authentication code: it involves no secret, so anyone who knows the public generator polynomial can compute a valid checksum for a packet they wrote themselves. With a software-defined radio an attacker can therefore build well-formed packets and issue brake control commands to the EoT device, risking disruption of operations or overloading the brake system. [2]
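To make the checksum-versus-authentication point concrete, here is an added Python example (not code from the original post, the CISA advisory, or any railroad vendor). It models a toy brake-command frame protected by a BCH(15,7) checksum, shows that an attacker who knows only the public generator polynomial can forge an emergency-brake frame the receiver accepts, and contrasts it with the same frame protected by a keyed HMAC, which cannot be forged without the shared key. The frame layout (3-bit unit address plus 4-bit command), the command codes, the generator polynomial, the tag length and the key are assumptions chosen for illustration; the real EoT/HoT frame format and BCH parameters are not given on this page.

```python
"""
Why a checksum is not authentication: toy EoT/HoT-style brake frame.

Added example, not code from the original post, the CISA advisory or any
railroad vendor. The frame layout (3-bit address + 4-bit command), the
command codes, the BCH(15,7) generator polynomial, the tag length and the
key are assumptions; the real EoT/HoT format is not given on this page.
"""
import hashlib
import hmac
import secrets

# Assumed generator polynomial for BCH(15,7): g(x) = x^8 + x^7 + x^6 + x^4 + 1
GEN_POLY = 0b1_1101_0001
R = 8            # degree of g(x): number of check bits appended
K = 7            # message bits per frame: 3-bit address + 4-bit command

# Assumed command codes (not the real protocol's values)
CMD_STATUS_POLL = 0b0001
CMD_EMERGENCY_BRAKE = 0b1010


def bch_checksum(msg: int) -> int:
    """Systematic cyclic-code encoder: remainder of msg(x)*x^R modulo g(x)
    over GF(2). Anyone who knows g(x) can compute this; there is no secret."""
    rem = msg << R
    for bit in range(K + R - 1, R - 1, -1):       # long division, MSB first
        if (rem >> bit) & 1:
            rem ^= GEN_POLY << (bit - R)
    return rem & ((1 << R) - 1)


def build_frame(addr: int, cmd: int) -> int:
    """Pack address and command, append the BCH check bits (15-bit codeword)."""
    msg = ((addr & 0b111) << 4) | (cmd & 0b1111)
    return (msg << R) | bch_checksum(msg)


def checksum_ok(frame: int) -> bool:
    """What a checksum-only receiver verifies: do the check bits match?"""
    return bch_checksum(frame >> R) == (frame & ((1 << R) - 1))


def forge_brake_frame(target_addr: int) -> int:
    """Attacker's view: the generator is public, so a forged emergency-brake
    frame carries a perfectly valid checksum. No key is needed."""
    return build_frame(target_addr, CMD_EMERGENCY_BRAKE)


# --- Contrast: a keyed MAC binds each frame to a shared secret -------------
TAG_LEN = 4   # bytes of HMAC-SHA256 kept (assumed; short for a narrowband link)


def mac_frame(key: bytes, addr: int, cmd: int) -> bytes:
    """HoT -> EoT frame: one byte of fields plus a truncated HMAC-SHA256 tag."""
    msg = bytes([((addr & 0b111) << 4) | (cmd & 0b1111)])
    tag = hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]
    return msg + tag


def mac_ok(key: bytes, frame: bytes) -> bool:
    """Receiver recomputes the tag with the shared key and compares in constant time."""
    msg, tag = frame[:1], frame[1:]
    expected = hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(tag, expected)


def forge_mac_frame(target_addr: int, guessed_key: bytes) -> bytes:
    """Attacker without the real key: the best they can do is tag under a guess."""
    return mac_frame(guessed_key, target_addr, CMD_EMERGENCY_BRAKE)


if __name__ == "__main__":
    unit = 0b101
    legit = build_frame(unit, CMD_STATUS_POLL)
    forged = forge_brake_frame(unit)
    print(f"legit  frame {legit:015b} accepted: {checksum_ok(legit)}")
    print(f"forged frame {forged:015b} accepted: {checksum_ok(forged)}")   # checksum cannot tell
    print(f"single flipped bit (noise) detected: {not checksum_ok(legit ^ 0b1000)}")

    key = secrets.token_bytes(16)   # assumed pre-shared HoT/EoT key
    print("keyed frame accepted:", mac_ok(key, mac_frame(key, unit, CMD_EMERGENCY_BRAKE)))
    print("forged keyed frame accepted:", mac_ok(key, forge_mac_frame(unit, b"\x00" * 16)))
```

Run it as a script to see both outcomes. The BCH check still catches a flipped bit from radio noise, which is what it was designed for, but it says nothing about who transmitted the frame; that is the whole content of the CWE-1390 finding. A keyed MAC is the minimum fix; a real design would also need replay protection (a counter or timestamp inside the authenticated data, otherwise a recorded brake command can simply be replayed) and a way to distribute keys between HoT and EoT units across the installed base.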

Discovery and Reporting

The vulnerability was reported by researchers Neil Smith and Eric Reuter. Smith first identified the issue in 2012, after working out the protocol's structure from captures made with an RTL-SDR, but his efforts to get the Association of American Railroads (AAR) and the Federal Railroad Administration (FRA) to act stalled for years. Reuter independently found the flaw in 2018. The case regained momentum only in 2024, when CISA took it up again.

Industry Response

The AAR initially downplayed the threat, describing the system as "end of life" even though it remains in service, including on passenger trains. Under pressure, the AAR announced that the vulnerable protocol would be replaced with IEEE 802.16t by 2027. Until then the risk remains severe: an attacker with roughly $500 of radio equipment can trigger brake failures or derailments from a distance, a national safety risk.

Current Status and Mitigation Efforts

CISA’s advisory states there’s no evidence of active exploitation of the EoT/HoT vulnerability. The standards committee is seeking mitigations, and the AAR is working on replacing the outdated devices and protocols with new equipment.

Conclusion

The critical vulnerability in EoT and HoT systems highlights the urgent need for updated and secure communication protocols in train systems. While efforts are underway to replace the outdated protocols, the risk persists until the new systems are fully implemented. It is crucial for the industry to prioritize these upgrades to ensure the safety of train operations.

References

This post is licensed under CC BY 4.0 by the author.