- Attackers need only inexpensive equipment and basic skills to stop a freight train remotely
- The American Association of Railways dismissed the threat until federal pressure forced a response
- The system is still not fixed, and full updates will not arrive until at least 2027
A critical flaw in wireless systems used on American rail networks has gone unresolved for more than a decade, exposing trains to remote interference.
The vulnerability affects End-of-Train (EoT) devices, which relay data from the last car to the front of the train, forming a link with the Head-of-Train (HoT) module.
Although the issue was reported in 2012, it was largely dismissed until federal intervention forced a response.
Warnings ignored and delayed responses
Hardware security researcher Neils first identified the flaw in 2012, when software-defined radios (SDRs) began to proliferate.
The discovery revealed that these radios could easily imitate the signals sent between the HoT and EoT units.
Because the system relies on a basic BCH checksum and has no encryption, any device transmitting on the same frequency could inject false packets.
More worryingly, the HoT can send brake commands to the EoT, which means an attacker could stop a train remotely.
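The gap between a checksum and sender authentication, shown as an added example that is not from the original article or from any rail vendor. The frame layout, key, counter field, and 8-byte tag are assumptions, and the parity routine uses the textbook BCH(15,7) generator only as a stand-in, not the real EoT/HoT code.

```python
import hashlib
import hmac

GEN = 0b111010001   # generator of the textbook BCH(15,7) code (toy stand-in)
TAG_LEN = 8         # truncated HMAC tag length, an assumption for short frames

def parity(payload: bytes) -> int:
    """Remainder of payload(x)*x^8 mod GEN over GF(2); needs no secret."""
    reg = 0
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)] + [0] * 8
    for bit in bits:
        reg = (reg << 1) | bit
        if reg & 0x100:
            reg ^= GEN
    return reg

def accept_checksum_only(frame: bytes) -> bool:
    """Legacy-style check: detects corruption, says nothing about the sender."""
    return len(frame) > 1 and parity(frame[:-1]) == frame[-1]

def seal(key: bytes, counter: int, payload: bytes) -> bytes:
    body = counter.to_bytes(4, "big") + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class AuthReceiver:
    """Accepts a frame only with a valid keyed tag and a fresh counter."""
    def __init__(self, key: bytes):
        self.key, self.last = key, -1

    def accept(self, frame: bytes) -> bool:
        if len(frame) < 4 + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        good = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, good):
            return False
        counter = int.from_bytes(body[:4], "big")
        if counter <= self.last:        # replayed or stale frame
            return False
        self.last = counter
        return True

def demo() -> dict:
    payload = b"unit=0001;cmd=status"               # constructed sample payload
    keyless = payload + bytes([parity(payload)])    # built with no secret at all
    rx = AuthReceiver(b"constructed-demo-key")
    genuine = seal(b"constructed-demo-key", 1, payload)
    return {"checksum_accepts_keyless": accept_checksum_only(keyless),
            "auth_accepts_genuine": rx.accept(genuine),
            "auth_rejects_replay": not rx.accept(genuine)}
```

The checksum-only receiver accepts any well-formed frame because the parity is computable by anyone, while the keyed receiver rejects frames sealed with the wrong key and frames it has already seen.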
“This vulnerability is still not corrected,” he said on social media, revealing that it took more than a decade and a public advisory from the Cybersecurity and Infrastructure Security Agency (CISA) before meaningful action was taken.
The problem, now cataloged as CVE-2025-1727, allows American trains to be disrupted with equipment costing less than $500.
Neils’ findings met with skepticism from the American Association of Railways (AAR), which dismissed the vulnerability as merely “theoretical” in 2012.
Attempts to demonstrate the flaw were thwarted because the Federal Railway Authority lacked a dedicated test track and the AAR denied access to operational sites.
Even after the Boston Review published the results, the AAR publicly refuted them in an article in Fortune.
As of 2024, the AAR’s Director of Information Security continued to downplay the threat, arguing that the devices in question were approaching end of life and did not justify urgent replacement.
It was only when CISA issued an official advisory that the AAR began to outline a fix. In April 2025, an update was announced, but full deployment is not planned until 2027.
The vulnerability stems from technology developed in the 1980s, when frequency restrictions reduced the risk of interference, but today’s widespread access to SDRs has considerably changed the risk landscape.
“It turns out that you can just hack any train in the United States and take control of the brakes,” said Neils, summarizing the broader concern.
Given the delay and denial, American trains are probably sitting on a powder keg that could cause serious risks at any time.
Via Tom's Hardware