
A software-defined radio can bring a U.S. train to an abrupt stop by taking control of its brakes from a distance.

Railroad Industry Fails to Respond to Neil Smith's Concerns since 2012, but Acts Following CISA Alert


Since 2012, a vulnerability in the FRED (Flashing Rear End Device) control system, which facilitates wireless communication between End-of-Train (EoT) and Head-of-Train (HoT) devices, has left the American rail network vulnerable to potential attacks. The issue was first identified by hardware security researcher Neil Smith, who demonstrated that the system's weak BCH checksum for authentication could be exploited using software-defined radios (SDRs), potentially enabling an attacker to send unauthorised brake commands.
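Why an error-detecting checksum cannot serve as authentication, shown as an added example that is not from the original article or from any rail vendor. It uses a textbook BCH(15,7) code and a constructed 7-bit payload rather than the real EoT/HoT frame format, and the HMAC-with-counter receiver is a generic contrast chosen here, not the industry's planned replacement protocol.

```python
import hashlib
import hmac

# Textbook BCH(15,7) generator x^8+x^7+x^6+x^4+1. Toy parameters chosen for
# illustration (assumption); this is NOT the real EoT/HoT frame layout.
GEN, PARITY_BITS = 0b111010001, 8

def bch_parity(data7: int) -> int:
    """Remainder of data * x^8 divided by GEN over GF(2)."""
    reg = data7 << PARITY_BITS
    for shift in range(6, -1, -1):
        if reg & (1 << (shift + PARITY_BITS)):
            reg ^= GEN << shift
    return reg

def checksum_frame(data7: int) -> int:
    return (data7 << PARITY_BITS) | bch_parity(data7)

def checksum_accepts(frame15: int) -> bool:
    # The check uses only public math: it catches noise, not an untrusted sender.
    return bch_parity(frame15 >> PARITY_BITS) == (frame15 & 0xFF)

def mac_tag(key: bytes, counter: int, data7: int) -> bytes:
    msg = counter.to_bytes(8, "big") + bytes([data7])
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class MacReceiver:
    """Hypothetical receiver: keyed tag plus a strictly increasing counter."""
    def __init__(self, key: bytes):
        self.key, self.last = key, -1

    def accepts(self, counter: int, data7: int, tag: bytes) -> bool:
        ok = hmac.compare_digest(tag, mac_tag(self.key, counter, data7))
        if ok and counter > self.last:
            self.last = counter
            return True
        return False

def demo() -> dict:
    payload = 0b1010101                   # constructed sample payload
    frame = checksum_frame(payload)       # built with no secret at all
    key = b"constructed-demo-key"         # constructed sample key
    rx = MacReceiver(key)
    good = mac_tag(key, 1, payload)
    return {
        "checksum_accepts_keyless_sender": checksum_accepts(frame),
        "checksum_detects_bit_flip": not checksum_accepts(frame ^ 0b100),
        "mac_accepts_keyholder": rx.accepts(1, payload, good),
        "mac_rejects_replay": not rx.accepts(1, payload, good),
        "mac_rejects_wrong_key": not rx.accepts(2, payload, mac_tag(b"x", 2, payload)),
    }
```

Every entry returned by `demo()` is `True`: the checksum receiver accepts a frame from a sender holding no secret, while the keyed receiver rejects both a replayed message and a tag made with the wrong key.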

Despite Smith's early warning, action from the American rail industry was delayed for over a decade. In 2012, Smith reported the vulnerability to the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), but it took him 12 years to get the vulnerability publicly disclosed and officially assigned a CVE (CVE-2025-1727) in 2025. During this period, the Association of American Railroads (AAR) did not prioritise the risk, viewing the devices as legacy systems not worth rapid upgrading.

Several factors contributed to the delayed response. The original protocol design assumed that FCC regulations would limit misuse, leading to a false sense of security within the industry. The AAR downplayed the threat, and the focus was reportedly on eventual replacement rather than immediate mitigation. The vulnerability was technically feasible to exploit, but actual attacks were not widely observed or publicised, reducing perceived urgency. Updating critical infrastructure protocols involves coordination across numerous manufacturers, rail operators, and regulatory bodies, which can slow response times even after vulnerabilities are recognised.

As of mid-2025, the vulnerability remains unpatched, and a comprehensive fix is not expected until at least 2027. CISA has issued urgent recommendations, including network isolation and use of secure VPNs, but the industry is only now working on new protocols to replace the outdated FRED system. The slow response highlights systemic challenges in securing legacy infrastructure, especially when initial risk assessments underestimate the potential for real-world exploitation.

CISA has stated that exploiting this vulnerability requires physical access to rail lines, deep protocol knowledge, and specialized equipment, limiting the feasibility of widespread exploitation. However, a savvy individual could potentially take remote control over a train's brake controller using an SDR. The American rail network, according to Smith, remains vulnerable.

Neither the AAR nor the Federal Railroad Administration responded to questions for this story. The AAR has stated that they are looking to implement a newer, more secure technology for freight trains, but it is not expected until 2027 at the earliest. The potential consequences of an exploit could be severe, leading to derailments or the shutdown of the entire national railway system.

  1. The cybersecurity industry has been alerted to the persistent vulnerability in the American rail network's FRED system, first identified in 2012, which leaves it open to potential cyber attacks.
  2. The issue, attributed to a weak BCH checksum for authentication in the system, could be exploited using software-defined radios (SDRs), potentially enabling one to send unauthorized brake commands.
  3. While Neil Smith, the hardware security researcher who first discovered the vulnerability, reported it in 2012 to the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), action from the American rail industry took over a decade to materialize.
  4. The AAR, meanwhile, says it is working on implementing a newer, more secure technology for freight trains, but it is not expected until 2027 at the earliest.
  5. Artificial intelligence (AI) might play a role in future solutions, as it can help identify and mitigate similar vulnerabilities across technology-driven sectors like public-transit, transportation, and finance.
  6. Cybersecurity best practices, such as network isolation, secure VPNs, and protocol updates, are crucial to protecting these critical infrastructure sectors from potential attacks.
