CISA Discloses Vulnerability in Train Brake Control Systems
The U.S. Cybersecurity and Infrastructure Security Agency has issued an advisory on a security vulnerability that could allow attackers to remotely manipulate a train’s braking system using radio signals

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory on a newly disclosed security vulnerability—CVE-2025-1727—that could allow attackers to remotely manipulate a train’s braking system using radio signals. The flaw affects a commonly used protocol linking End-of-Train (EoT) and Head-of-Train (HoT) devices.
What Are EoT and HoT Devices?
EoT (End-of-Train) devices, also known as FREDs (Flashing Rear-End Devices), are mounted at the end of trains to transmit real-time data (such as brake pressure) to HoT devices located in the locomotive.
These systems were introduced to replace traditional cabooses and are critical for monitoring and controlling brakes, especially in long freight trains.
The Vulnerability
CISA’s advisory highlights a fundamental weakness: lack of encryption and authentication in the radio protocol linking the two devices. This opens the door for attackers to use software-defined radios (costing under $500) to send spoofed brake commands to the EoT unit.
“Successful exploitation could cause sudden train stoppages, disrupt operations, or even induce brake failure,” CISA warned.
Notably, this vulnerability has been known to researchers for over two decades, but has only recently been acknowledged at the federal level.
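As an added illustration of the weakness described above (this is not code from the advisory, CISA, or any rail equipment vendor): a constructed toy model of a HoT-to-EoT command link, contrasting a receiver that obeys any well-formed frame with one that verifies a shared-key HMAC tag and a strictly increasing sequence number, the kind of authentication and replay protection a protocol redesign would have to add. The frame layout, field sizes, command code and key are assumptions, not the real AAR protocol.

```python
import hashlib
import hmac
import struct

# Constructed toy model; the frame layout, field sizes, command code and
# key below are assumptions for illustration, not the AAR EoT/HoT protocol.
KEY = b"constructed-per-train-pairing-key"
CMD_BRAKE = 0x02
BODY_FMT = ">IIB"           # unit id, sequence number, command
BODY_LEN = struct.calcsize(BODY_FMT)
TAG_LEN = 16

def build_legacy(unit_id, command):
    """Unauthenticated frame: address plus command, nothing proving origin."""
    return struct.pack(">IB", unit_id, command)

def accept_legacy(frame, my_unit_id):
    """Legacy receiver: any well-formed frame addressed to us is obeyed,
    which is the class of weakness the advisory describes."""
    unit_id, command = struct.unpack(">IB", frame)
    return command if unit_id == my_unit_id else None

def build_auth(key, unit_id, seq, command):
    """Hardened frame: body plus a truncated HMAC-SHA256 tag over the body."""
    body = struct.pack(BODY_FMT, unit_id, seq, command)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

class AuthReceiver:
    """Hardened receiver: verifies the tag, then enforces a strictly
    increasing sequence number so captured frames cannot be replayed."""

    def __init__(self, key, unit_id):
        self.key = key
        self.unit_id = unit_id
        self.last_seq = 0

    def accept(self, frame):
        if len(frame) != BODY_LEN + TAG_LEN:
            return None
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # wrong key or tampered body
            return None
        unit_id, seq, command = struct.unpack(BODY_FMT, body)
        if unit_id != self.unit_id or seq <= self.last_seq:  # misaddressed or replay
            return None
        self.last_seq = seq
        return command
```

The legacy receiver accepts a frame from any transmitter that knows the layout, while the hardened one rejects frames built without the pairing key, frames that have been modified, and repeats of previously accepted frames.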
Timeline of Discovery and Disclosure
2005: The flaw was first discovered and reported to the Association of American Railroads (AAR).
2012: Researcher Neil Smith, working with ICS-CERT, rediscovered and attempted to remediate the issue.
2016: The Boston Review published an exposé based on Smith’s findings; the AAR disputed the claims.
2018: Researcher Eric Reuter publicly presented the vulnerability at DEF CON, still with no industry response.
2024: Smith resubmitted his findings to CISA, prompting a new advisory in 2025.
Mitigation and Industry Response
According to CISA and the AAR:
Around 45,000 EoT and 25,000 HoT devices will need to be upgraded.
Equipment replacement and protocol redesigns are scheduled to begin in 2026.
While exploitation in the wild hasn’t been observed, recent incidents—such as the 2023 Polish railway hack—show that the risk is real.
“Fixing this issue requires changes to a standards-enforced protocol... CISA continues to encourage manufacturers to adopt Secure by Design principles,” said CISA’s acting executive assistant director for cybersecurity, Chris Butera.
Final Thoughts
This vulnerability underscores the broader challenge of securing legacy industrial systems, especially in critical infrastructure like rail transport. While successful exploitation requires technical expertise and physical proximity, the potential consequences—disruptions, derailments, or worse—are severe.
As transportation systems modernize, the integration of cybersecurity at the design level becomes not just recommended—but essential.