- Computer pirates only need cheap hardware and basic skills to stop a moving loading train remotely
- The American Railway Association dismissed the threat until the federal pressure forced an answer
- The system is not yet solved, and complete updates will not reach up to at least 2027
A critical failure in the wireless systems used in the US rail networks. UU. It has remained unsolved for more than a decade, exposing trains at remote interference.
Vulnerability affects the training devices (EOT), which transmit the data of the last car to the front of the train, forming a link with the training head module (hot).
Although the problem was marked in 2012, it was greatly dismissed until the federal intervention forced an answer.
Ignored warnings and delayed responses
The hardware security researcher Neils first identified the defect in 2012, when software -defined radios (SDR) began to proliferate.
The discovery revealed that these radios could easily imitate the signals sent between the Hot and EOT units.
Since the system is based on a basic BCh Verification sum and lacks encryption, any device that transmits with the same frequency could inject false packages.
In a worrying turn, the hot one is able to send brake commands to the EOT, which means that an attacker could stop a train remotely.
“This vulnerability is not yet paveled,” Neils said on social networks, revealing that he took more than a decade and public advice from the cybersecurity and infrastructure security agency (CISA) before taking significant measures.
The problem, now cataloged as CVE-2025-1727, allows the interruption of American trains with hardware that costs less than $ 500.
Neils findings were received with skepticism by the American Railway Association (AAR), which dismissed vulnerability as merely “theoretical” in 2012.
The attempts to demonstrate the fault were frustrated due to the lack of a dedicated trial of the federal railway authority of a dedicated testing and the AAR that denies access to the operational sites.
Even after Boston Review published the findings, the AAR publicly refuted them through a piece in Fortune.
By 2024, the AAR Information Security Director continued to minimize the threat, arguing that the devices in question approached at the end of life and do not guarantee an urgent replacement.
It was not until Cisa issued a formal notice that the AAR began to describe a solution. In April 2025, an update was announced, but complete implementation is not expected until 2027.
Vulnerability comes from the technology developed in the 1980s, when frequency restrictions reduced the risk of interference, but today’s generalized access to SDRS has drastically altered the risk panorama.
“It turns out that you can hack any train in the United States and take control over brakes,” said Neils, encapsulating the broader concern.
The continuous delay and denial mean that US trains are probably sitting in a gunpowder barrel that could lead to serious risks at any time.
Via Tomshardware
