US railroad industry's outdated radio protocol is vulnerable
Briefly

A vulnerability reported in 2012 by independent researcher Neil Smith was formally acknowledged in 2025 by CISA as CVE-2025-1727, which identifies weak authentication within train communication protocols. This flaw allows an attacker to spoof braking commands, potentially halting trains. The FRED system uses an outdated checksum method that is easily compromised, enabling hackers to disrupt operations from afar. The Association of American Railroads is seeking to upgrade the technology, but remediation may take until 2027. Meanwhile, freight operators are tasked with implementing basic cybersecurity measures to address this critical risk.
The US Cybersecurity and Infrastructure Security Agency (CISA) issued CVE-2025-1727, specifying weak authentication in the end-of-train to head-of-train linking protocol that enables attackers to issue braking commands.
Smith illustrated how an attacker could use software-defined radios to spoof FRED packets and control a train's brake controller, posing significant safety risks.
AAR reported that while it aims to implement more secure technology, the replacement for the outdated FRED control system may not arrive until 2027.
Freight operators are left to isolate critical controls and maintain cybersecurity, but the current protocol remains vulnerable and can be exploited with readily available equipment.
Read at The Register