Hackers can use just a radio to cause train accidents, CISA explains how
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a key train system in the US. The warning specifically concerns the End-of-Train and Head-of-Train protocol, which the agency claims could be hacked using only a radio. This vulnerability stems from the system's lack of encryption and authentication protocols. The flaw involves the communication between a Flashing Rear End Device (FRED), or End-of-Train (EOT) device, attached to the back of a train, and a corresponding Head-of-Train (HOT) device in the locomotive. Installed in the 1980s to replace caboose cars, these devices can transmit data via radio signals, where commands can also be sent to the FRED to apply brakes at the rear of the train.
The current system is dependent on data packets with a simple BCH checksum for error detection. However, CISA is now warning that a person using a software-defined radio could potentially send fake data packets, which would allow them to interfere with train operations.
What CISA said about this train system vulnerability
In its advisory, CISA wrote: “Successful exploitation of this vulnerability could allow an attacker to send their own brake control commands to the end-of-train device, causing a sudden stoppage of the train, which may lead to a disruption of operations, or induce brake failure,” the CISA wrote in its advisory.”
What researchers said about this train system’s vulnerability
CISA credited researchers Neil Smith and Eric Reuter for reporting this vulnerability. Moreover, in a post shared on the social media platform X (earlier Twitter) that he had first alerted the agency's predecessor, ICS-CERT, back in 2012 and no action was taken at the time.
In his X post, Smith wrote: “So how bad is this? You could remotely take control over a Train’s brake controller from a very long distance away, using hardware that costs sub $500. You could induce brake failure leading to derailments or you could shutdown the entire national railway system.”
However, Smith noted that efforts to address a cybersecurity flaw stalled due to a disagreement between ICS-CERT and the Association of American Railroads (AAR) between 2012 and 2016, as the latter considered the risk too theoretical without real-world proof.
When Smith raised the issue again in 2024, AAR still downplayed its importance, though it later announced plans to upgrade the outdated system in 2026.
The current system is dependent on data packets with a simple BCH checksum for error detection. However, CISA is now warning that a person using a software-defined radio could potentially send fake data packets, which would allow them to interfere with train operations.
What CISA said about this train system vulnerability
In its advisory, CISA wrote: “Successful exploitation of this vulnerability could allow an attacker to send their own brake control commands to the end-of-train device, causing a sudden stoppage of the train, which may lead to a disruption of operations, or induce brake failure,” the CISA wrote in its advisory.”
What researchers said about this train system’s vulnerability
CISA credited researchers Neil Smith and Eric Reuter for reporting this vulnerability. Moreover, in a post shared on the social media platform X (earlier Twitter) that he had first alerted the agency's predecessor, ICS-CERT, back in 2012 and no action was taken at the time.
In his X post, Smith wrote: “So how bad is this? You could remotely take control over a Train’s brake controller from a very long distance away, using hardware that costs sub $500. You could induce brake failure leading to derailments or you could shutdown the entire national railway system.”
However, Smith noted that efforts to address a cybersecurity flaw stalled due to a disagreement between ICS-CERT and the Association of American Railroads (AAR) between 2012 and 2016, as the latter considered the risk too theoretical without real-world proof.
When Smith raised the issue again in 2024, AAR still downplayed its importance, though it later announced plans to upgrade the outdated system in 2026.
Next Story