Critical Cybersecurity Vulnerability in EoT Module Overlooked in US Rail Systems for 12 Years; Resolution Not Anticipated Until 2027

A Decade of Inaction: The Critical Cybersecurity Vulnerability in U.S. Train Systems

In an age where cybersecurity threats loom larger than ever, a critical vulnerability affecting American train systems has remained unaddressed for over a decade. This issue, tied to End-of-Train (EoT) modules that wirelessly transmit telemetry data from the rear to the front of freight trains, was first identified by hardware security researcher Neils in 2012. Despite early warnings, the Association of American Railroads (AAR) has been slow to act, raising serious concerns about risk management in critical infrastructure sectors.

The Vulnerability Unveiled

The vulnerability centers on the remote linking protocol used between EoT and Head-of-Train (HoT) devices. The protocol relies on a BCH checksum when building packets, and a checksum only detects transmission errors; it does not prove who sent a packet, so a receiver cannot distinguish a legitimate packet from a forged one. With the advent of software-defined radios (SDRs), attackers can intercept or spoof EoT communications with hardware costing less than $500. This could allow malicious actors to remotely take control of a train’s brake controller, potentially leading to catastrophic outcomes such as derailments or a nationwide railway shutdown.

CISA (Cybersecurity and Infrastructure Security Agency) recently issued a formal advisory, compelling the AAR to publicly acknowledge the issue. The vulnerability has been assigned CVE-2025-1727 and carries a high severity rating, with a CVSS v3 base score of 8.1.

AAR’s Reluctance to Act

Despite the clear risks, the AAR has historically downplayed the threat. As recently as 2024, the AAR’s Director of Information Security argued that the devices were nearing the end of their life cycle and did not warrant urgent attention. This dismissive attitude has frustrated cybersecurity experts and raised questions about the organization’s commitment to safeguarding critical infrastructure.

Neils, who first reported the vulnerability, expressed his frustration over the years of inaction. He noted that between 2012 and 2016, there was a stalemate between ICS-CERT and the AAR, with the latter only acknowledging the vulnerability under pressure to prove it in real-world scenarios.

The Role of CISA and Public Pressure

The recent advisory from CISA has forced the AAR to finally take action, announcing plans to replace vulnerable systems by April. However, the implementation timeline is alarmingly slow, with the earliest deployment date projected for 2027. This delay raises critical questions about the effectiveness of risk management strategies in sectors that are vital to national security.

CISA identified a ‘weak authentication’ vulnerability in the remote linking protocol, affecting all versions currently deployed across U.S. rail systems. Successful exploitation could allow an attacker to send unauthorized brake control commands, leading to severe operational disruptions.
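To make the ‘weak authentication’ finding concrete, the Python below is an added illustration written for this article; it is not the EoT/HoT protocol, nor code from CISA, the AAR or any railroad. The frame layout, the key, the counter width and the tag length are assumptions, and CRC-32 stands in for the BCH code as an example of an error-detecting check that involves no secret. The same toy telemetry frame is verified two ways: a checksum-only check accepts any well-formed frame no matter who produced it, while a keyed HMAC combined with a monotonic counter rejects frames from a party without the key and rejects replayed frames.

```python
"""Integrity checks versus authentication for a radio telemetry frame.

Constructed example: the frame layout is a toy, not the EoT/HoT wire format,
and the key, counter width and tag length are assumptions for illustration.
"""
import hashlib
import hmac
import struct
import zlib

TAG_LEN = 16  # truncated HMAC-SHA256 tag; an assumption for this example


def encode_checksummed(payload: bytes) -> bytes:
    """Frame = payload || CRC-32. Detects transmission errors only."""
    return payload + struct.pack(">I", zlib.crc32(payload))


def verify_checksummed(frame: bytes) -> bool:
    """Accepts any frame whose checksum matches its payload.

    Nothing here depends on a secret, so the check says nothing about who
    produced the frame; it only says the bytes were not corrupted in transit.
    """
    if len(frame) < 4:
        return False
    payload, tag = frame[:-4], frame[-4:]
    return struct.unpack(">I", tag)[0] == zlib.crc32(payload)


def encode_authenticated(key: bytes, counter: int, payload: bytes) -> bytes:
    """Frame = counter || payload || HMAC(key, counter || payload)."""
    body = struct.pack(">Q", counter) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def verify_authenticated(key: bytes, frame: bytes, last_counter: int):
    """Returns (accepted, payload, counter).

    Rejects frames whose tag does not verify (built without the key, or
    altered in transit) and frames whose counter does not advance (replays).
    On rejection the returned counter is the unchanged last_counter.
    """
    if len(frame) < 8 + TAG_LEN:
        return False, None, last_counter
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return False, None, last_counter
    counter = struct.unpack(">Q", body[:8])[0]
    if counter <= last_counter:
        return False, None, last_counter
    return True, body[8:], counter


def demonstrate() -> dict:
    """Runs both schemes against the same situations and reports the outcomes."""
    key = b"constructed-demo-key-not-for-use"  # constructed sample key
    genuine = b"status:pressure=80"             # constructed sample payload
    unauthorized = b"status:pressure=00"        # built by a party without the key

    results = {}

    # Checksum-only scheme: any frame that matches the format is accepted.
    results["checksum_accepts_genuine"] = verify_checksummed(encode_checksummed(genuine))
    results["checksum_accepts_unkeyed_sender"] = verify_checksummed(
        encode_checksummed(unauthorized))

    # Authenticated scheme: only frames made with the key and a fresh counter pass.
    last = 0
    ok, payload, last = verify_authenticated(key, encode_authenticated(key, 1, genuine), last)
    results["auth_accepts_genuine"] = ok and payload == genuine

    no_key_frame = encode_authenticated(b"some-other-key", 2, unauthorized)
    ok, _, last = verify_authenticated(key, no_key_frame, last)
    results["auth_rejects_unkeyed_sender"] = not ok

    replay = encode_authenticated(key, 1, genuine)  # counter 1 was already consumed
    ok, _, last = verify_authenticated(key, replay, last)
    results["auth_rejects_replay"] = not ok

    return results


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```

The checksum verifier and the HMAC verifier differ in exactly one respect that matters here: the HMAC check depends on a key the receiver shares only with the legitimate sender, so frame validity becomes evidence of origin rather than merely of an undamaged transmission. The counter is what turns a one-time forgery defence into protection against recorded-and-resent frames as well.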

The Path Forward

The AAR is now pursuing new equipment and protocols to replace traditional EoT and HoT devices. Standards committees involved in these updates are aware of the vulnerability and are actively investigating mitigating solutions. However, the slow pace of change is concerning, especially given that around 25,000 freight locomotives will require upgrades.

Neils and Eric Reuter, who independently discovered the same vulnerability in 2018, have been vocal about the need for immediate action. Their efforts highlight the importance of collaboration between cybersecurity experts and industry stakeholders to address vulnerabilities before they lead to catastrophic incidents.

A Broader Context

The situation in U.S. rail systems is not isolated. Earlier this year, a major cyberattack on Ukraine’s state-owned railway operator, Ukrzaliznytsia, disrupted digital services and caused long lines at ticket counters. This incident underscores the growing threat of cyberattacks on critical infrastructure worldwide, emphasizing the need for robust cybersecurity measures.

Conclusion

The decade-long inaction regarding the cybersecurity vulnerability in U.S. train systems serves as a cautionary tale about the importance of proactive risk management in critical infrastructure. As the AAR finally begins to address the issue, the focus must remain on timely implementation and the development of more secure protocols. The stakes are high, and the potential consequences of inaction are too severe to ignore. The time for decisive action is now, before a preventable disaster becomes a reality.