End-of-train devices, installed on the rear of freight trains in North America to sense and control braking, are outdated and simplistic. Hackers can easily target them with plain text radio signals to send emergency braking commands.
Security researcher Neil Smith discovered and reported the severe vulnerability in train systems 12 years ago, but it was only recently published. In a long thread, the expert explains that the issue was initially downplayed but can potentially cause catastrophic consequences.
“You could remotely take control over a train’s brake controller from a very long distance away, using hardware that costs sub $500. You could induce brake failure, leading to derailments, or you could shut down the entire national railway system,” the post reads.
Turns out you can just hack any train in the USA and take control over the brakes. This is CVE-2025-1727 and it took me 12 years to get this published. This vulnerability is still not patched. Here's the story: https://t.co/MKRFSOa3XY
undefined neils (@midwestneil) July 11, 2025
Watchdog issues an advisory
The two devices, End-of-Train (EoT) and Head-of-Train (HoT), transmit telemetry radio signals between the two ends of the train and enable the application of brakes. However, the protocol used does not have authentication or encryption, and only error-detecting codes (BCH checksums) are used.
That means that any external hacker with cheap radio equipment can create these plain-text packets and issue brake control commands from a long distance, disrupting operations or potentially overwhelming the brake systems, according to a recent advisory by the US Cybersecurity and Infrastructure Security Agency (CISA).
“Successful exploitation of this vulnerability could allow an attacker to send their own brake control commands to the end-of-train device, causing a sudden stoppage of the train, which may lead to a disruption of operations, or induce brake failure,” the CISA said.
The assigned identifier to this vulnerability (CVE-2025-1727) has an 8.1 out of 10 severity score. It is not yet included in the watchdog’s Known Exploited Vulnerabilities Catalog (KEV), which means that attackers have not yet attempted to abuse the flaw.
It's not full remote code execution and the scope is limited to the brake application. Turns out there's no scoring adjustment for undefinedwill this kill someoneundefined in CVSS.
undefined neils (@midwestneil) July 12, 2025
According to Mathy Vanhoef, a network and software security researcher and professor at KU Leuven University, the vendor initially dismissed the issue, which was considered theoretical, and researchers weren’t given access to test-train systems ethically in practice.
The researchers warn that exploiting the flaw could lead to catastrophes – sudden braking can cause passenger injuries, transportation disruptions, and even derailments.
The Association of American Railroads (AAR) is replacing a flawed railroad protocol, but it might take 5-7 years to fully replace roughly 75,000 devices, and will cost up to $10 billion, according to Smith’s comments to Risky Business, a newsletter by Zero Networks.
“The advisory comes two months after the AAR itself announced plans to replace the old HoT/EoT protocol with IEEE 802.16t Direct Peer-to-Peer, a protocol that supports both security and lower latency,” the newsletter explains.
Attackers don’t need to be near the train
The train systems’ radio signals work over a couple of miles, as some trains can be three miles long. However, potential attackers could adjust the power to send stronger radio signals.
“If you were in a plane, you don't need a lot of power to be heard at 457Mhz over 150 miles,” Smith explained.
“This RF link is peak 1980s security. Why bother with security when it is just illegal to use the frequencies that the EOT/HOT operate on? So a simple BCH checksum was all that was needed,” Smith’s post on X reads.
Similar attacks have already been happening in other countries. In 2023, a century-old technology hack brought 20 trains to a halt in Poland when hackers spoofed an unauthorized radio-stop signal to trains. A freight train and a regional passenger train were involved in a minor collision, and an inter-city train was derailed. The attackers likely used a cheap radio transmitter to target the analog VHF 150 MHz system.
Your email address will not be published. Required fields are markedmarked