The cybersecurity landscape for critical infrastructure is constantly evolving, and a recent disclosure by the US Cybersecurity and Infrastructure Security Agency (CISA) has brought a long-standing vulnerability in train control systems to the forefront. This vulnerability, identified as CVE-2025-1727, affects the remote linking protocol used by End-of-Train (EoT) and Head-of-Train (HoT) devices, critical components that enable communication and control over a train’s brakes. The core of the problem lies in the insecure nature of this protocol, which lacks both authentication and encryption, making it susceptible to malicious exploitation.
EoT devices, also known as Flashing Rear End Devices (FREDs), are positioned at the rear of a train and transmit data to the HoT device in the locomotive. While primarily used to provide status data for long freight trains, these systems also possess the crucial capability to receive commands that apply the brakes at the rear of the train. CISA’s advisory highlights that an attacker could leverage readily available software-defined radio hardware and specially crafted packets to send their own brake control commands to the EoT device. The potential consequences are severe, ranging from sudden train stoppages that disrupt operations to inducing complete brake failure, which could lead to catastrophic derailments.
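The weakness described above is a protocol-design one: a receiver that acts on any well-formed command frame cannot tell the paired head-of-train unit from any other transmitter on the channel. The following toy model, added here as an illustration and not derived from the real EoT/HoT protocol (whose wire format, command codes and key handling are not on the page and are all constructed placeholders below), contrasts such a receiver with one that requires a keyed HMAC tag and a strictly increasing counter, so that frames from a party without the key, and replays of legitimate frames, are rejected.

```python
"""Toy model: unauthenticated remote-command link versus an authenticated one.

The frame layout, key and command codes are constructed for illustration only;
they are NOT the real EoT/HoT protocol, whose wire format is not on the page.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Constructed command codes for the toy link.
CMD_STATUS = 0x01
CMD_BRAKE = 0x02

# Shared key provisioned on a paired HoT/EoT pair (constructed placeholder).
PAIRING_KEY = b"example-pairing-key-not-real"


def build_legacy_frame(unit_id: int, cmd: int) -> bytes:
    """Legacy-style frame: unit id + command, no authentication tag.
    Anyone able to transmit on the channel can produce a frame the receiver accepts."""
    return struct.pack(">IB", unit_id, cmd)


@dataclass
class LegacyReceiver:
    unit_id: int
    brakes_applied: bool = False

    def handle(self, frame: bytes) -> bool:
        """Accept any well-formed frame addressed to this unit (the weakness)."""
        if len(frame) != 5:
            return False
        uid, cmd = struct.unpack(">IB", frame)
        if uid != self.unit_id:
            return False
        if cmd == CMD_BRAKE:
            self.brakes_applied = True
        return True


def build_auth_frame(key: bytes, unit_id: int, cmd: int, counter: int) -> bytes:
    """Authenticated frame: unit id + counter + command + truncated HMAC-SHA256 tag.
    The counter provides replay protection; the tag binds the whole header to the key."""
    header = struct.pack(">IQB", unit_id, counter, cmd)  # 4 + 8 + 1 = 13 bytes
    tag = hmac.new(key, header, hashlib.sha256).digest()[:16]
    return header + tag


@dataclass
class AuthReceiver:
    unit_id: int
    key: bytes
    last_counter: int = -1
    brakes_applied: bool = False

    def handle(self, frame: bytes) -> bool:
        """Accept only frames with a valid tag and a strictly increasing counter."""
        if len(frame) != 13 + 16:
            return False
        header, tag = frame[:13], frame[13:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):  # forged or tampered frame
            return False
        uid, counter, cmd = struct.unpack(">IQB", header)
        if uid != self.unit_id or counter <= self.last_counter:  # wrong unit or replay
            return False
        self.last_counter = counter
        if cmd == CMD_BRAKE:
            self.brakes_applied = True
        return True


def demo() -> dict:
    """Run both receivers against a legitimate frame, a replay and an unkeyed frame."""
    results = {}
    legacy = LegacyReceiver(unit_id=42)
    # A frame from a party holding no key at all is accepted by the legacy receiver.
    results["legacy_accepts_unkeyed"] = legacy.handle(build_legacy_frame(42, CMD_BRAKE))

    auth = AuthReceiver(unit_id=42, key=PAIRING_KEY)
    good = build_auth_frame(PAIRING_KEY, 42, CMD_BRAKE, counter=1)
    results["auth_accepts_valid"] = auth.handle(good)
    # The same frame transmitted again is rejected as a replay.
    results["auth_rejects_replay"] = auth.handle(good)
    # A frame built under a different key is rejected because the tag does not verify.
    forged = build_auth_frame(b"wrong-key", 42, CMD_BRAKE, counter=2)
    results["auth_rejects_wrong_key"] = auth.handle(forged)
    return results


if __name__ == "__main__":
    print(demo())
```

Running the script prints a dictionary in which only the legacy receiver accepts the unkeyed frame and the authenticated receiver accepts exactly one valid frame. Encryption of the payload is a separate concern from the authentication shown here; a real replacement protocol would also need key provisioning for each HoT/EoT pairing and persistence of the counter across power cycles.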
The discovery of this vulnerability is not new; it has a history stretching back over a decade. Researcher Neil Smith, credited by CISA, first identified this issue in 2012 while conducting industrial control system (ICS) security research. Smith, along with ICS-CERT (a predecessor to CISA), attempted to collaborate with the Association of American Railroads (AAR) for several years to address the vulnerability, but a consensus on remediation could not be reached. The AAR reportedly sought real-world proof of impact, which was difficult to provide given the immense safety risks involved. This disagreement culminated in public accusations in 2016 and further disclosures by another researcher, Eric Reuter, in 2018, yet no significant action was taken by the AAR. Alarmingly, Smith recently learned that the same weakness was initially reported to the AAR as far back as 2005, underscoring the long-standing nature of this unaddressed threat.
The recent CISA advisory is the result of Smith resubmitting his findings in 2024.
While the issue was initially downplayed by impacted vendors and the AAR, the AAR has now announced that it will be taking action. CISA’s advisory notes that there is currently no evidence of exploitation in the wild, providing a small window of opportunity for mitigation. The standards committee overseeing the protocol is actively seeking solutions, and the AAR is pursuing the development of new equipment and protocols to replace the vulnerable traditional EoT and HoT devices. This extensive undertaking will require upgrading approximately 25,000 HoT and 45,000 EoT devices, with the replacement process expected to commence in 2026.
This disclosure serves as a critical reminder of the ongoing cyber threats to railway systems, which have long been a concern within the cybersecurity industry. The threat is far from theoretical, as evidenced by recent incidents of both direct and indirect cyberattacks causing disruptions to railway operations globally. Notably, a 2023 incident in Poland saw 20 trains disrupted due to a hack that exploited a known, unencrypted radio frequency to broadcast stop commands to trains. The vulnerability in EoT/HoT systems presents a similar, if not more severe, risk, emphasizing the urgent need for comprehensive cybersecurity measures and proactive mitigation strategies within the rail industry to safeguard critical transportation infrastructure.