Hackers can use just a radio to cause train accidents in US, CISA explains how

TOI Tech Desk / TIMESOFINDIA.COM / Jul 17, 2025, 00:34 IST

Text Size

Small
Medium
Large

CISA has warned about a critical vulnerability in US train systems, specifically the End-of-Train protocol. Researchers discovered that the system, lacking encryption and authentication, could be hacked using a radio to send fake brake commands. This could lead to sudden stops, disruptions, or even brake failure.

Hackers can use just a radio to cause train accidents in US, CISA explains how

Representative Image

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a key train system in the US. The warning specifically concerns the End-of-Train and Head-of-Train protocol, which the agency claims could be hacked using only a radio. This vulnerability stems from the system's lack of encryption and authentication protocols. The flaw involves the communication between a Flashing Rear End Device (FRED), or End-of-Train (EOT) device, attached to the back of a train, and a corresponding Head-of-Train (HOT) device in the locomotive. Installed in the 1980s to replace caboose cars, these devices can transmit data via radio signals, where commands can also be sent to the FRED to apply brakes at the rear of the train.The current system is dependent on data packets with a simple BCH checksum for error detection. However, CISA is now warning that a person using a software-defined radio could potentially send fake data packets, which would allow them to interfere with train operations.

What CISA said about this train system vulnerability

In its advisory, CISA wrote: “Successful exploitation of this vulnerability could allow an attacker to send their own brake control commands to the end-of-train device, causing a sudden stoppage of the train, which may lead to a disruption of operations, or induce brake failure,” the CISA wrote in its advisory.”

What researchers said about this train system’s vulnerability

CISA credited researchers Neil Smith and Eric Reuter for reporting this vulnerability. Moreover, in a post shared on the social media platform X (earlier Twitter) that he had first alerted the agency's predecessor, ICS-CERT, back in 2012 and no action was taken at the time.In his X post, Smith wrote: “So how bad is this? You could remotely take control over a Train’s brake controller from a very long distance away, using hardware that costs sub $500. You could induce brake failure leading to derailments or you could shutdown the entire national railway system.”However, Smith noted that efforts to address a cybersecurity flaw stalled due to a disagreement between ICS-CERT and the Association of American Railroads (AAR) between 2012 and 2016, as the latter considered the risk too theoretical without real-world proof. When Smith raised the issue again in 2024, AAR still downplayed its importance, though it later announced plans to upgrade the outdated system in 2026.

About the Author

TOI Tech Desk

The TOI Tech Desk is a dedicated team of journalists committed to delivering the latest and most relevant news from the world of technology to readers of The Times of India. TOI Tech Desk’s news coverage spans a wide spectrum across gadget launches, gadget reviews, trends, in-depth analysis, exclusive reports and breaking stories that impact technology and the digital universe. Be it how-tos or the latest happenings in AI, cybersecurity, personal gadgets, platforms like WhatsApp, Instagram, Facebook and more; TOI Tech Desk brings the news with accuracy and authenticity.

End of Article