- Hackers need only cheap hardware and basic skills to stop a moving freight train remote
- American Association of Railways rejected the threat until federal pressure forced an answer
- The system is still not fixed and full updates do not arrive until at least 2027
A critical error in the wireless systems used across US rail networks has been unresolved for more than a decade and exposed trains for remote interference.
Vulnerability affects devices (EOT) that forward data from the last wagon to the front of the train, forming a link with the head-of-train (Hot) module.
Although the question was marked in 2012, it was largely rejected until federal intervention forced an answer.
Ignored warnings and delayed answers
Hardware security researcher Neils first identified the error in 2012 when software -defined radios (SDRs) began to spread.
The discovery revealed that these radios could easily mimic signals sent between the hot and EOT devices.
Since the system depends on a basic BCH control sum and lacks encryption, any device that transmits on the same frequency can spray fake packages.
In an regarding VRI, the heat is able to send brake commands to EOT, which means an attacker can stop a train externally.
“This vulnerability is still not patched,” Neils said on social media, revealing it took over a decade, and public advice from cyber security and infrastructure security agency (CISA), before meaningful act was taken.
The problem, which is now cataloged as CVE-2025-1727, allows for disruption of US trains with hardware that costs below $ 500.
Neil’s conclusions were met with skepticism by the American Association of Railways (years), which rejected the vulnerability as merely “theoretical” back in 2012.
Attempts to demonstrate that the error was averted due to the Federal Railway Authority’s lack of a dedicated test track and years that denied access to operational sites.
Even after the Boston Review published the results, years of time rejected them in public via a piece in Assets.
By 2024, the Director of Information Security continued to neglect the threat and argued that the units in question approached life and did not guarantee urgent replacement.
It was only before CISA issued a formal advice that years began to outline a solution. In April 2025, an update was announced, but full implementation is not expected until 2027.
The vulnerability comes from technology developed in the 1980s, when frequency restrictions reduced the risk of interference, but today’s widespread access to SDRs has changed the risk landscape dramatically.
“It turns out that you can just hack any train in the United States and take control of the brakes,” Neils said, encapsulating the wider concern.
The ongoing delay and denial means that American trains are likely to sit on a barrel with Kruttt that can lead to serious risks at all times.
Via Tomshardware
