The Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory last week warning that a key train system could be hacked using nothing but a radio and a little know-how. 

The flaw has to do with the protocol used in a train system known as the End-of-Train and Head-of-Train. A Flashing Rear End Device (FRED), also known as an End-of-Train (EOT) device, is attached to the back of a train and sends data via radio signals to a corresponding device in the locomotive called the Head-of-Train (HOT). Commands can also be sent to the FRED to apply the brakes at the rear of the train.

These devices were first installed in the 1980s as a replacement for caboose cars, and unfortunately, they lack encryption and authentication protocols. Instead, the current system uses data packets sent between the front and back of a train that include a simple BCH checksum to detect errors or interference. But now, the CISA is warning that someone using a software-defined radio could potentially send fake data packets and interfere with train operations.

“Successful exploitation of this vulnerability could allow an attacker to send their own brake control commands to the end-of-train device, causing a sudden stoppage of the train which may lead to a disruption of operations, or induce brake failure,” the CISA wrote in its advisory. 

The CISA credits researchers Neil Smith and Eric Reuter for reporting this vulnerability to the agency.

However, Smith wrote in a post on X (formerly Twitter) that he first alerted the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which is now part of CISA, of the risk in 2012 and no action was taken to address the issue at the time. 

“So how bad is this? You could remotely take control over a Train’s brake controller from a very long distance away, using hardware that costs sub $500. You could induce brake failure leading to derailments or you could shutdown the entire national railway system,” Smith wrote on X. 

According to Smith, there was a stalemate between ICS-CERT and the Association of American Railroads (AAR) between 2012 and 2016. He claims that the AAR found the risk too theoretical and required proof that it could actually happen in the real world before taking action. 

In 2024, Smith brought the issue up again with the agency. Smith wrote on X that the AAR still felt the issue was not a big deal, but in April, the industry group announced that it would finally start upgrading the outdated system in 2026. 

Acting Executive Assistant Director for Cybersecurity Chris Butera downplayed any current risks stemming from the EOT’s vulnerabilities in a statement emailed to Gizmodo. 

“The End-of-Train (EOT) and Head-of-Train (HOT) vulnerability has been understood and monitored by rail sector stakeholders for over a decade,” wrote Butera. “To exploit this issue, a threat actor would require physical access to rail lines, deep protocol knowledge, and specialized equipment, which limits the feasibility of widespread exploitation—particularly without a large, distributed presence in the U.S.” 

Butera added that CISA is working with industry partners on mitigation strategies and confirmed that a fix is on the way. 

The AAR did not immediately respond to a request for comment from Gizmodo.