
A security vulnerability on American trains was discovered in 2012, but the American Association of Railways (AAR) refused to act on it until the Cybersecurity & Infrastructure Security Agency (CISA) published an advisory a few days ago. According to hardware security researcher Neils on X (formerly Twitter), they first discovered the issue in 2012, when software-defined radios (SDR) started becoming more popular. All American trains were equipped with an End-of-Train (EoT) module attached to the last carriage, which reports telemetry data to the front of the train wirelessly.

Back when it was first implemented in the late 1980s, it was illegal for anyone else to use the frequencies allocated for this system. So, the system only used a BCH checksum when creating packets, which detects transmission errors but does not authenticate the sender. Unfortunately, anyone with an SDR could mimic these packets, allowing them to send false signals to the EoT module and its corresponding Head-of-Train (HoT) partner. This would not have been an urgent issue if the EoT had only sent telemetry data. However, the HoT can also issue a brake command to the EoT through this system. Thus, anyone with the hardware (available for less than $500) and know-how can easily issue a brake command without the train driver’s knowledge, potentially compromising the safety of the transport operation.
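The gap between a checksum and authentication, shown as an added example (not from the article or from any railway specification): the 15-bit frame, generator polynomial, keys and counter layout are constructed for illustration and are not the real EoT/HoT packet format. A BCH parity check catches transmission errors but needs no secret, while a keyed MAC with a counter rejects senders without the shared key and rejects replayed frames.

```python
import hashlib
import hmac

# Constructed parameters; NOT the real EoT/HoT frame format.
GEN_POLY = 0b10011   # x^4 + x + 1, generator of the BCH(15,11) code
PARITY_BITS = 4
TAG_LEN = 8          # truncated HMAC-SHA256 tag, in bytes (assumption)

def bch_parity(data: int) -> int:
    """Remainder of data * x^4 divided by GEN_POLY over GF(2)."""
    reg = data << PARITY_BITS
    for shift in range(reg.bit_length() - 1, PARITY_BITS - 1, -1):
        if reg & (1 << shift):
            reg ^= GEN_POLY << (shift - PARITY_BITS)
    return reg

def checksum_frame(data: int) -> int:
    """Append parity; needs no secret, so any sender can do this."""
    return (data << PARITY_BITS) | bch_parity(data)

def checksum_ok(frame: int) -> bool:
    return bch_parity(frame >> PARITY_BITS) == (frame & (2**PARITY_BITS - 1))

def mac_frame(key: bytes, counter: int, data: int) -> bytes:
    """counter (4 bytes) || data (2 bytes) || truncated HMAC tag."""
    body = counter.to_bytes(4, "big") + data.to_bytes(2, "big")
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

def mac_ok(key: bytes, frame: bytes, last_counter: int) -> bool:
    """Accept only a valid tag on a counter newer than the last one seen."""
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    fresh = int.from_bytes(body[:4], "big") > last_counter
    return hmac.compare_digest(tag, expected) and fresh

def demo() -> dict:
    paired_key = bytes(range(32))   # constructed key shared by the paired devices
    other_key = bytes(32)           # constructed key of an unpaired sender
    data = 0b10100110011            # constructed 11-bit payload
    frame = checksum_frame(data)
    genuine = mac_frame(paired_key, 1, data)
    unpaired = mac_frame(other_key, 1, data)
    return {
        "checksum_accepts_any_sender": checksum_ok(frame),
        "checksum_catches_bit_error": not checksum_ok(frame ^ 0b100000),
        "mac_rejects_unpaired_sender": not mac_ok(paired_key, unpaired, 0),
        "mac_accepts_paired_sender": mac_ok(paired_key, genuine, 0),
        "mac_rejects_replay": not mac_ok(paired_key, genuine, 1),
    }
```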

What’s frustrating for Neils is that the AAR refused to acknowledge the vulnerability back in 2012, saying that it was just a theoretical issue and that they’d only believe it if it happened in real life. Unfortunately, the Federal Railway Authority (FRA) lacks a test track facility, and the AAR has not permitted any testing on their property due to security concerns. It got to the point that the security researcher published their findings in the Boston Review, only to be refuted by the AAR in Fortune magazine.

By 2024, the issue still hadn’t been resolved — the AAR’s Director of Information Security said that it wasn’t really a major issue and that the vulnerable devices are already reaching their end of life. Because the AAR continued to ignore the warnings, CISA had no choice but to officially publish an advisory to warn the public about it. This has got the AAR moving forward, with the group announcing an update last April. However, implementation is going at a snail’s pace, with 2027 being the target as the earliest year of deployment.
