Hackers Could Remotely Stop Trains Using Cheap Gear, Experts Warn
A critical flaw in US train braking systems could allow hackers to send remote stop commands using low-cost equipment, raising concerns about potential derailments and major service disruptions.
The vulnerability, tracked as CVE-2025-1727, lies in weak authentication for radio signals used to control train braking. According to a July 10 advisory from CISA, attackers could exploit this flaw to issue fake brake commands, abruptly halting trains and possibly causing brake failure.
“This could lead to a disruption of operations, or induce brake failure,” the advisory stated, calling the issue “relatively simple to exploit.”
The flaw affects the protocol behind “end-of-train” and “head-of-train” packets — radio signals exchanged between a train’s lead and rear units. These systems are still widely in use despite being labeled “end-of-life” by the rail industry.
Security researchers Neil Smith and Eric Reuter independently discovered the flaw, with Smith saying he first reported it to the Department of Homeland Security back in 2012. He claims the Association of American Railroads (AAR) only acknowledged the risk after he resumed discussions with CISA last year.
“AAR walked away from talking to CISA multiple times,” Smith wrote in a thread on X, noting that the protocol is still in use even though new systems aren’t expected until 2027.
CISA and the AAR have not responded to requests for comment.
CISA urged organizations to take immediate steps to reduce risk, advising them to “minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.” In its advisory, CISA also recommended placing these systems “behind firewalls and isolating them from business networks.” If remote access is necessary, CISA said companies should “use more secure methods, such as Virtual Private Networks (VPNs),” but warned that “VPNs may have vulnerabilities and should be updated to the most current version available,” noting that a VPN “is only as secure as the connected devices.”
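To make concrete what "weak authentication" of a radio command means from a defender's point of view, here is an added illustration in Python. It is not code from the advisory, the researchers, or the rail industry, and it does not model the real end-of-train/head-of-train packet format, which the article does not describe; the frame layout, the command code, the unit id and the key are all constructed for the example. The contrast shown is the generic one: a frame protected only by a checksum is accepted from any transmitter that knows the layout, whereas a frame carrying a keyed MAC and a monotonic counter is rejected when it is forged without the key, tampered with in flight, or replayed.

```python
import hashlib
import hmac
import struct

# Constructed frame layout for this illustration only (not the real EoT/HoT protocol):
#   unit_id (2 bytes) | cmd (1 byte) | counter (4 bytes)
BODY_FMT = ">HBI"
BODY_LEN = struct.calcsize(BODY_FMT)  # 7 bytes
TAG_LEN = 16                          # truncated HMAC-SHA256 tag (assumed link budget)
CMD_BRAKE = 0x01                      # hypothetical command code


def build_frame_unauthenticated(unit_id: int, cmd: int, counter: int) -> bytes:
    """Weak design: body plus a one-byte checksum that only detects corruption."""
    body = struct.pack(BODY_FMT, unit_id, cmd, counter)
    checksum = sum(body) & 0xFF
    return body + bytes([checksum])


def accept_unauthenticated(frame: bytes) -> bool:
    """Receiver that checks only the checksum: any transmitter passes this test."""
    if len(frame) != BODY_LEN + 1:
        return False
    body, checksum = frame[:-1], frame[-1]
    return (sum(body) & 0xFF) == checksum


def build_frame_authenticated(key: bytes, unit_id: int, cmd: int, counter: int) -> bytes:
    """Hardened design: body plus a keyed MAC over the body (counter included)."""
    body = struct.pack(BODY_FMT, unit_id, cmd, counter)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class AuthenticatedReceiver:
    """Receiver that requires a valid MAC, the expected unit id, and a fresh counter."""

    def __init__(self, key: bytes, unit_id: int):
        self.key = key
        self.unit_id = unit_id
        self.last_counter = -1  # highest counter accepted so far

    def accept(self, frame: bytes) -> bool:
        if len(frame) != BODY_LEN + TAG_LEN:
            return False
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison: forged or tampered frames fail here.
        if not hmac.compare_digest(tag, expected):
            return False
        unit_id, _cmd, counter = struct.unpack(BODY_FMT, body)
        if unit_id != self.unit_id:
            return False
        # Replay protection: a counter at or below the last accepted one is rejected.
        if counter <= self.last_counter:
            return False
        self.last_counter = counter
        return True


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed shared key, not a real credential
    rx = AuthenticatedReceiver(key, unit_id=0x1234)
    genuine = build_frame_authenticated(key, 0x1234, CMD_BRAKE, counter=1)
    print("checksum-only frame accepted:", accept_unauthenticated(
        build_frame_unauthenticated(0x1234, CMD_BRAKE, 1)))
    print("genuine MAC frame accepted:", rx.accept(genuine))
    print("replayed MAC frame accepted:", rx.accept(genuine))
    print("wrong-key MAC frame accepted:", rx.accept(
        build_frame_authenticated(b"other-key", 0x1234, CMD_BRAKE, 2)))
```

The design point is that a checksum and a MAC answer different questions: the checksum asks "did this frame arrive intact?", while the keyed tag asks "was this frame produced by a holder of the key?", and the counter asks "is it new?". Only the last two stop a forged or replayed command, which is why CISA's advice to limit exposure and isolate these systems matters most where the protocol itself cannot answer them.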
The revelation marks one of the most severe cyber risks ever reported in US rail infrastructure, with the potential to threaten both passenger safety and freight stability across the country.