In a revealing report, independent security researcher Neil Smith has highlighted a significant vulnerability in the communication standard utilized by the US freight rail system. The US Cybersecurity and Infrastructure Security Agency (CISA) recently issued CVE-2025-1727, underscoring a weak authentication issue with the end-of-train to head-of-train linking protocol, which could potentially allow malicious actors to take control of train braking systems.
The communication system, known colloquially as FRED, or the post-caboose Flashing Rear-End Device, has been in use but relies on outdated technology susceptible to spoofing. According to Smith, this protocol can be exploited using common software-defined radios (SDRs). “You could remotely take control over a train’s brake controller from a very long distance,” he warned, indicating that such an exploit could lead to catastrophic events, including derailments and widespread disruptions across the national railway system.
Despite the serious implications of this vulnerability, a viable solution appears distant. The Association of American Railroads (AAR), which represents the freight rail industry, has acknowledged the issue and is working on implementing a more secure communication method, the 802.16t protocol, which Smith estimates may not be in place until 2027 at best. In the meantime, CISA has advised freight operators to apply basic cybersecurity measures, although experts like Smith doubt these measures will be effective against determined attackers.
Smith’s concerns are compounded by the lengthy timeline of this vulnerability’s discovery and subsequent reporting. Smith first alerted the US government in 2012, and the lack of urgency in addressing the problem raises significant questions about the oversight and response capabilities of organizations involved in the security of US infrastructure. Neither the AAR nor the Federal Railroad Administration has provided comments regarding the ongoing risks posed by this security issue.