CISA warns that an attacker with a software-defined radio (SDR) can trigger a train's emergency brakes, with derailment among the possible outcomes.

A significant cybersecurity vulnerability affecting the United States rail network has recently come to light, revealing that trains can be remotely forced to engage emergency brakes through the use of inexpensive software-defined radio (SDR) equipment. This flaw, which poses serious safety and operational risks, has been known to security researcher Neil Smith since 2012, but only gained widespread attention following a formal advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA) in 2025.

The Vulnerability

The root of the issue lies in the radio protocol used between End-of-Train (EoT) and Head-of-Train (HoT) devices, the link that reports brake-pipe status from the rear of the train and carries brake commands back to it. The protocol predates any notion of the link as an attack surface and has neither encryption nor authentication: the only check a receiver performs is a BCH checksum, an error-detecting code computed from the packet contents alone. A checksum catches radio noise; it does nothing against a deliberately constructed packet, because anyone who knows the packet format can compute the correct check bits for any message they choose.

With SDR hardware costing less than $500, an attacker within radio range can receive the unencrypted traffic, read the addressing fields from it, craft a packet carrying a brake command with a valid checksum, and transmit it to the EoT device. Because the device accepts any packet whose checksum verifies, this is enough to remotely trigger the emergency brakes, potentially causing an abrupt stop, a derailment, or widespread disruption across the rail network.
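The following is an added example, not code from the page, from CISA or from the researcher, that models the point above with a toy packet: a receiver that validates only a public cyclic checksum accepts a forged brake command, while a receiver that checks a keyed MAC and a counter rejects both the forgery and a replay. The packet layout, the command codes, the tag length and the generator polynomial (the textbook BCH(15,7) generator) are assumptions for illustration and are not the fielded protocol's definition.

```python
"""Added example: why a checksum is not authentication.

The packet layout, command codes, tag length and generator polynomial are
assumptions for illustration, not the real EoT/HoT protocol's definition.
"""
import hashlib
import hmac
import struct

# Hypothetical framing: 16-bit EoT unit address | 8-bit command | 8-bit check.
CMD_STATUS_REQUEST = 0x01   # assumed command code
CMD_EMERGENCY_BRAKE = 0x55  # assumed command code

# x^8 + x^7 + x^6 + x^4 + 1, the textbook BCH(15,7) generator polynomial.
# It stands in for "some public cyclic code"; the real one is not on the page.
GEN_POLY = 0b1_1101_0001
CHECK_BITS = GEN_POLY.bit_length() - 1  # 8 check bits


def cyclic_checksum(message: int, message_bits: int) -> int:
    """Remainder of message(x) * x^CHECK_BITS mod GEN_POLY over GF(2).

    This is how a systematic cyclic (BCH/CRC-style) code derives its check
    bits. No secret enters the computation, so anyone with the spec can
    produce valid check bits for any message they choose.
    """
    reg = message << CHECK_BITS
    for bit in range(message_bits + CHECK_BITS - 1, CHECK_BITS - 1, -1):
        if reg >> bit & 1:
            reg ^= GEN_POLY << (bit - CHECK_BITS)
    return reg & ((1 << CHECK_BITS) - 1)


def encode_packet(address: int, command: int) -> bytes:
    """Legitimate HoT side: address + command + public checksum."""
    address &= 0xFFFF
    command &= 0xFF
    check = cyclic_checksum(address << 8 | command, 24)
    return struct.pack(">HBB", address, command, check)


def checksum_ok(packet: bytes) -> bool:
    """EoT side as the page describes it: the checksum is the only validation."""
    address, command, check = struct.unpack(">HBB", packet)
    return cyclic_checksum(address << 8 | command, 24) == check


def forge_brake_packet(observed: bytes) -> bytes:
    """Attacker with an SDR: read the unit address off a sniffed packet,
    substitute the brake command, recompute the checksum. No key needed."""
    address, _command, _check = struct.unpack(">HBB", observed)
    return encode_packet(address, CMD_EMERGENCY_BRAKE)


# --- Hardened variant: keyed MAC plus anti-replay counter (an added design) ---
TAG_BYTES = 8      # truncated HMAC-SHA256 tag; the size is an assumption
BODY_FMT = ">HBI"  # address, command, 32-bit monotonically increasing counter
BODY_LEN = struct.calcsize(BODY_FMT)


def encode_authenticated(address: int, command: int, counter: int, key: bytes) -> bytes:
    body = struct.pack(BODY_FMT, address & 0xFFFF, command & 0xFF, counter & 0xFFFFFFFF)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_BYTES]
    return body + tag


def verify_authenticated(packet: bytes, key: bytes, last_counter: int):
    """Return (address, command, counter) if the tag verifies and the counter
    advances; None for a bad tag, a wrong-length frame, or a replayed packet."""
    if len(packet) != BODY_LEN + TAG_BYTES:
        return None
    body, tag = packet[:BODY_LEN], packet[BODY_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_BYTES]
    if not hmac.compare_digest(tag, expected):
        return None
    address, command, counter = struct.unpack(BODY_FMT, body)
    if counter <= last_counter:
        return None  # replay of a previously accepted (or older) frame
    return address, command, counter


def forge_authenticated_without_key(observed: bytes) -> bytes:
    """Same attacker against the hardened frame: swap the command, bump the
    counter, reuse the sniffed tag. Without the key the tag cannot be fixed up."""
    body, tag = observed[:BODY_LEN], observed[BODY_LEN:]
    address, _command, counter = struct.unpack(BODY_FMT, body)
    new_body = struct.pack(BODY_FMT, address, CMD_EMERGENCY_BRAKE, (counter + 1) & 0xFFFFFFFF)
    return new_body + tag


if __name__ == "__main__":
    key = bytes(range(32))  # constructed demo key; real keys come from provisioning
    legit = encode_packet(0x1234, CMD_STATUS_REQUEST)
    forged = forge_brake_packet(legit)
    print("checksum-only: forged brake packet accepted =", checksum_ok(forged))
    auth = encode_authenticated(0x1234, CMD_STATUS_REQUEST, 7, key)
    print("HMAC: forged packet accepted =",
          verify_authenticated(forge_authenticated_without_key(auth), key, 6) is not None)
    print("HMAC: replayed packet accepted =", verify_authenticated(auth, key, 7) is not None)
```

The checksum still earns its keep against noise: flip one bit of a packet without recomputing the check and `checksum_ok` rejects it. What it cannot do is distinguish the legitimate transmitter from anyone else holding the spec, which is why the hardened variant needs a key the attacker does not have, plus a counter so that a sniffed legitimate brake command cannot simply be replayed later.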

Timeline and Industry Response

Neil Smith first identified and reported this vulnerability to the railroad industry and relevant government agencies in 2012. Despite his efforts, the industry largely dismissed the risk, citing the devices as obsolete and the threat as theoretical. The Association of American Railroads (AAR) and equipment manufacturers did not take substantial action to address the flaw.

It was not until July 2025, when CISA publicly issued an advisory on the flaw (tracked as CVE-2025-1727, with a CVSS v3.1 base score of 8.1), that the railroad industry began to acknowledge the issue. A comprehensive fix is still pending: the replacement protocol, based on IEEE 802.16t, is not expected to be deployed until 2027 at the earliest.

Implications and Recommendations

The vulnerability represents a critical national security concern given the essential role of railroads in freight transport, passenger travel, and military logistics. Until a full protocol upgrade is implemented, CISA recommends that rail operators adopt cybersecurity best practices such as network segmentation and enhanced monitoring to mitigate potential attacks. Those measures should be understood for what they are: the forged packets arrive over the air, so segmenting back-end networks limits what an intruder can reach afterwards but does not stop the injection itself, and monitoring can at best detect a brake command that was already sent. The durable fix is a link protocol that authenticates each message.
