A software-defined radio can derail a US train by slamming the brakes on remotely
- Reference: 1752514925
- News link: https://www.theregister.co.uk/2025/07/14/train_brakes_flaw/
The US Cybersecurity and Infrastructure Security Agency (CISA) issued [1]CVE-2025-1727 (CVSS v3.1 8.1) last week, specifying the issue as one of weak authentication in the end-of-train to head-of-train linking protocol - allowing an attacker to input their own braking commands and stop the train in its tracks.
Commonly referred to as FRED, for the post-caboose Flashing Rear-End Device that now sits at the back of freight trains and transmits data to the locomotive using the protocol, the system uses an old BCH checksum - an error-detection code with no secret key, so anyone who knows the format can compute it - to build packets that, since the age of software-defined radios, can be easily spoofed.
If a savvy person - Smith, for example - used an SDR to snoop on that traffic, they could spoof those packets to tell the FRED to apply the brakes, risking an accident or even potentially a derailment.
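As an added illustration of the point above (this code is not from the article, CISA, the AAR or any rail vendor), the block below contrasts a packet protected only by an unkeyed checksum with one protected by a keyed message authentication code plus a sequence number. Everything in it is constructed for the example: the frame layout, the unit id, the command values, the key and the use of CRC-32 as a stand-in for the BCH code; none of it describes the real end-of-train protocol. The lesson is the receiver-side one: a checksum accepts any well-formed frame, whereas a MAC-checking receiver rejects frames built without the key, frames altered in transit, and frames recorded and resent.

```python
"""Unkeyed checksum vs keyed MAC on a constructed command frame.

Hypothetical frame layout (constructed for this example, NOT the real
EOT/HOT protocol):
    unit_id (3 bytes) | seq (u16 big-endian) | cmd (u8) | tag
Checksum variant: tag = CRC-32 over the header (stands in for the BCH code).
MAC variant:      tag = HMAC-SHA256(key, header) truncated to 8 bytes.
"""
import hashlib
import hmac
import struct
import zlib

UNIT_ID_LEN = 3
HDR_LEN = UNIT_ID_LEN + 2 + 1  # unit_id + seq + cmd
CRC_LEN = 4
MAC_LEN = 8

CMD_STATUS = 0x01  # constructed command value
CMD_BRAKE = 0x7F   # constructed command value


def _header(unit_id: bytes, seq: int, cmd: int) -> bytes:
    """Serialise the fixed-size header."""
    if len(unit_id) != UNIT_ID_LEN:
        raise ValueError("unit_id must be exactly 3 bytes")
    return unit_id + struct.pack(">HB", seq, cmd)


def build_checksum_frame(unit_id: bytes, seq: int, cmd: int) -> bytes:
    """Checksum-only frame: no secret input, so any party can build one."""
    hdr = _header(unit_id, seq, cmd)
    return hdr + struct.pack(">I", zlib.crc32(hdr))


def verify_checksum_frame(frame: bytes) -> bool:
    """Checks transmission integrity only; says nothing about the sender."""
    if len(frame) != HDR_LEN + CRC_LEN:
        return False
    hdr, tag = frame[:HDR_LEN], frame[HDR_LEN:]
    return zlib.crc32(hdr) == struct.unpack(">I", tag)[0]


def build_mac_frame(key: bytes, unit_id: bytes, seq: int, cmd: int) -> bytes:
    """Authenticated frame: tag depends on a key the sender must hold."""
    hdr = _header(unit_id, seq, cmd)
    tag = hmac.new(key, hdr, hashlib.sha256).digest()[:MAC_LEN]
    return hdr + tag


class MacReceiver:
    """Receiver that accepts a frame only if it is keyed, intact and fresh."""

    def __init__(self, key: bytes, unit_id: bytes):
        self.key = key
        self.unit_id = unit_id
        self.last_seq = -1  # highest sequence number accepted so far

    def verify(self, frame: bytes) -> tuple[bool, str]:
        if len(frame) != HDR_LEN + MAC_LEN:
            return False, "bad length"
        hdr, tag = frame[:HDR_LEN], frame[HDR_LEN:]
        unit_id = hdr[:UNIT_ID_LEN]
        seq, _cmd = struct.unpack(">HB", hdr[UNIT_ID_LEN:])
        if unit_id != self.unit_id:
            return False, "wrong unit"
        expected = hmac.new(self.key, hdr, hashlib.sha256).digest()[:MAC_LEN]
        # Constant-time comparison so timing does not leak tag bytes.
        if not hmac.compare_digest(tag, expected):
            return False, "bad mac"
        # A recorded frame resent later carries an old sequence number.
        if seq <= self.last_seq:
            return False, "replay"
        self.last_seq = seq
        return True, "ok"


def demo() -> dict:
    """Run the four cases a defender cares about and return the verdicts."""
    key = b"constructed-demo-key"  # constructed; never hard-code real keys
    unit = b"\x00\x00\x2a"         # constructed unit id
    results = {}
    # 1. Checksum-only: a frame built with no secret at all is accepted.
    results["checksum_any_sender"] = verify_checksum_frame(
        build_checksum_frame(unit, 1, CMD_BRAKE))
    rx = MacReceiver(key, unit)
    good = build_mac_frame(key, unit, 5, CMD_STATUS)
    results["mac_genuine"] = rx.verify(good)
    # 2. Same genuine frame recorded and resent: rejected as a replay.
    results["mac_replay"] = rx.verify(good)
    # 3. Frame built with a guessed key: rejected.
    results["mac_wrong_key"] = rx.verify(
        build_mac_frame(b"guessed-key", unit, 6, CMD_BRAKE))
    # 4. Genuine frame with its command byte altered: rejected.
    tampered = good[:HDR_LEN - 1] + bytes([CMD_BRAKE]) + good[HDR_LEN:]
    results["mac_tampered"] = rx.verify(tampered)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:22s} -> {verdict}")
```

The receiver orders its checks so that the MAC is verified before the sequence number is consulted; otherwise an unauthenticated frame could move the replay window. Truncating the tag to 8 bytes is a bandwidth compromise chosen for the example, and a real design would also need a key-distribution step, which is exactly the operational problem the later comments discuss.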
There's no fix for this vulnerability, with the Association of American Railroads (AAR), a trade group representing the freight rail industry, telling CISA it's currently looking to implement a newer, more secure technology for freight trains. Unfortunately, as Smith pointed out in a long [3]thread on X, the replacement for the outdated FRED control system (the 802.16t protocol) likely won't arrive until "2027 at best."
Meanwhile, says CISA, freight operators forced to continue operating using a protocol that's hackable with, in Smith's words, "sub $500" equipment, are left to segment networks to isolate critical controls and perform other basic cybersecurity maintenance that - let's be realistic - are for peace of mind and probably won't stop a miscreant with an SDR from derailing a train if they're dead set on it.
How did this take so long?
"So, how bad is this," Smith posited on X.
"You could remotely take control over a train's brake controller from a very long distance," he explained. "You could induce brake failure leading to derailments or you could shut down the entire national railway system."
With a simple exploit sitting out there in the open since 2012 (if Smith discovered it, someone else might too), it seems practically negligent that someone didn't take action, but as a 2016 [6]story from the Boston Review explains, it's not a surprise.
The BR article tells the story of Smith's then four-year-long tussle with the AAR, which began when he first reported the matter to the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) after successfully recording telemetry data from a passing train using an SDR in 2012.
ICS-CERT went to AAR with Smith's concerns, hoping they would be open to further security testing, but that initial contact was as far as it went - and as far as the BR story was able to glimpse into the struggle.
As Smith explained on X, the BR article led to some burnout on the matter until security researcher Eric Reuter gave a [11]talk at DEFCON in 2018, presenting an independent discovery of the same issue. By 2024, ICS-CERT had restructured several times, and Smith decided to reach back out to see if they could reopen the issue.
According to Smith, AAR's infosec director saw it as a minor issue since the FRED protocol was end of life and slated for replacement despite still being in use.
"CISA finally agreed with me that publication would be the only remaining option to pressure AAR to fix this issue," Smith said. He noted that the CVE publication "kinda worked" and saw the AAR commit to the 802.16t replacement mentioned earlier and, as noted, not coming for at least a couple of years.
In the meantime, the American rail network, Smith suggested, remains vulnerable.
Neither the AAR nor the Federal Railroad Administration responded to questions for this story. ®
[1] https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-10
[3] https://x.com/midwestneil/status/1943708133421101446
[6] https://www.bostonreview.net/articles/bryce-emley-technology-railway-safety/
[11] https://www.youtube.com/watch?v=vloWB0LHT_4
Re: Remotely take over a brake controller
Glad to know that your experience not working on US freight trains has been so useful in teaching you all about the protections built into things that are not US freight trains.
Meanwhile, for everyone who does work on, or just lives near to, US freight trains, TFA has something relevant to say.
This nicely illustrates the reasons why aircraft don't use radio systems for control of bits of the aircraft. If it ain't a control wire or hydraulic pipe, it's going to be an electronic or optical connection between the pilot. A radio link from control stick to aileron would be lighter and - in many important ways - more damage resistant, but it has that fatal vulnerability: interference and jamming.
One of the problems they're going to face going forward is, how secure to make it? It's perfectly possible to come up with a scheme that is very security robust, but that then makes it difficult to use. You want to be able to put together any old train of engines, trucks, and carriages, but with the strongest possible security that becomes difficult. Make it too weak and, in only a few years, it's uselessly insecure again.
There's a lot to learn from the world of mobile telephony. Or perhaps, enterprise-scale WiFi. These are both systems whereby specific devices can join a network, and it's difficult for non-permitted devices to be on the network. The biggest lesson is that whilst the actual tech is quite straightforward, the device management becomes a very big part of the job even with good, mature tools. I mean, look at the SIM swapping scourge...
Perhaps one way of doing it would be to have a method of dynamically keying the network nodes on each truck of a train. Here, the railway has an advantage; trains all leave the depot on the same track, and brakes and such are less critical when the train is already going slowly. How about some sort of NFC comms between a "key gate" at the exit of the depot and each truck that passes underneath. The key gate dreams up a new key when it first feels weight on its rails. It transmits this (over short range) to each truck that passes underneath. Maybe a light lights up green to say, "keyed". That way, each truck gets a train-unique key with no internode key negotiation or the need for identity confirmation (beyond position-based identity of being a truck on the rails). When the last one goes past and there's no more weight on the gate's rails, it stops transmitting.
It's quite a good way to identify a rail truck as being a rail truck that should be there. To spoof it, you'd need to place several 10s of tons of metal, moving at the right speed, into a specific part of a (presumably) fenced off rail depot whilst there's a train trying to pass through the same space. Sure, someone might try and sniff the keyloading, but with careful mechanical design one could make it very difficult to conceal the requisite sniffer in the right place without it being evidently there and easily inspected for. It's not perfect, but it might be good enough.
You lost me at "going forward".
Or they can just use a robust comms cable with Ethernet over it between cars.
I think what is missing from FRED is WPA2. The article states that the only security is a checksum.
And critically, in many parts of NA, passenger and freight routes share tracks.
I wouldn't hold out too much hope about freight trains being less risky here than passenger trains, or only if mixed with passenger trains.
Lake Megantic - where a brake malfunction caused a parked fuel train to roll downhill and blow up in a town - 47 dead.
Easy enough to imagine really toxic chemicals causing problems if they leaked in, or upwind of, a big city. Maybe even chemicals that are individually relatively inert, but combine problematically.
FRED?
Pretty much everyone in the rail industry will tell you that stands for "Fucking Rear End Device," and the jokes for (ab)using one to slam a train to a stop just write themselves.
FRED only
What the article said is that the communication is only between the controlling locomotive and the FRED. The FRED is only on the last car of the train. So, only that one radio link needs to be updated. What I don't know is how the FRED actually controls all of the freight cars ahead of it. My guess is that it's the same way as the brakeman in the caboose/brake-van did - open the valve on the air line, letting all the air spew out. With no air pressure, all the brakes in the train will activate - eventually.
My understanding of this comes from being a model railroad fan, and so watching lots of YouTube videos. At least here in North America big trucks are the same setup - let the air out and the brakes all activate. You have to connect the air hoses before the brakes on a trailer will release.
The days of manual brake wheels on top of boxcars, etc. are long gone.
Re: FRED only
"What I don't know is how the FRED actually controls all of the freight cars ahead of it."
Sounds like a train-ing issue to me.
(sorry...)
Re: FRED only
Come on, let’s try and keep this thread on track…
Excuse me
It's the railroad industry in the US.
They already don't give a fuck.
Remotely take over a brake controller
"You could remotely take control over a train's brake controller from a very long distance," he explained. "You could induce brake failure leading to derailments or you could shut down the entire national railway system."
Not in any passenger CBTC system I've ever worked on, and I've worked on many of them.
First off, CBTC systems have to meet CENELEC compliance, and that includes a cyber safety assessment.
No train I worked on ever had brakes connected directly to a radio. The radios were connected to OBC (on board computers/controllers) that decoded incoming telegrams from the wayside and station operators. Even if an attacker knew the telegram format (which tend to be very complicated) and knew the correct IP address of the sender and spoofed it and sent a valid command to EB (emergency brake) the train, the telegram would have to be WPA2 (or better) encrypted.
So this may very well be an issue for freight vehicles, which is bad, but if anyone's worried that the London tube is going to be taken over by kids with cell phones, I wouldn't worry too much about it.