“Choo-Choo” US Railroads in Cyber Danger

A recently disclosed vulnerability in train braking systems could let hackers remotely stop trains with relatively simple and inexpensive hardware, potentially causing derailments, according to the US Cybersecurity & Infrastructure Security Agency (CISA).  The high-severity vulnerability, tracked as CVE-2025-1727, involves weak authentication in the protocol used to send what are known as end-of-train and head-of-train packets: radio signals that command a rail vehicle’s end-of-train device to stop the vehicle.[1]

“Successful exploitation of this vulnerability could allow an attacker to send their own brake control commands to the end-of-train device, causing a sudden stoppage of the train, which may lead to a disruption of operations, or induce brake failure,” CISA said in an advisory, adding that the vulnerability was relatively simple to exploit.

A railroad’s ‘end-of-train’ device is an electronic system attached to the last car of a train.  Its primary function is to report information on train integrity, such as brake pressure and movement, back to the locomotive.  It receives and transmits radio signals, called end-of-train and head-of-train packets, that allow the engineer and other train operators to monitor and sometimes control critical braking functions remotely from the lead engine.  This is partly why cabooses are rarely seen anymore: technology replaced the caboose operator.

The Association of American Railroads, an industry trade group that manages a committee responsible for maintaining the flawed protocol, is developing new systems to replace the vulnerable ones, according to the CISA advisory.  These new systems will not be ready until 2027 at the earliest, according to Neil Smith, one of two researchers who independently discovered the vulnerability and reported it to CISA.  The vulnerability was first reported at the DEF CON hacker conference in 2018, when a researcher was credited with its discovery. 

The vulnerability is regarded as potentially one of the most serious cyber threats to rail infrastructure ever discovered.  By sending fraudulent brake signals to a train, hackers could derail or damage it, endangering passengers and cargo, and disrupt the US’s complex freight and passenger rail system.

The US has around 140,000 miles of track, over which more than a billion tons of goods move annually, and railroads are also vital to military logistics.  Hackers believed to be working for the Russian government have hit rail lines in Ukraine and in Poland, which is a key hub for Western aid bound for Ukraine.

The US Transportation Security Administration, the federal agency responsible for helping to protect the rail industry from cyber threats and natural disasters, issued its first cyber regulations in 2022.  Since then, the TSA has tried to work with the industry to improve digital defenses, but so far without success.


This article is shared with permission at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com    


[1] https://www.cybersecurityintelligence.com/blog/railroad-vulnerability-will-let-hackers-attack-trains-8547.html
