Photo: ChatGPT / illustrative picture; generated by AI
For a few tens of dollars, anyone can send a train an emergency-stop command from a hall, a park or a garage. U.S. railways warn: the FRED system is unprotected and vulnerable.
At the beginning of August, the U.S. cybersecurity authority issued a warning that the protocol used in the United States for wireless communication between the rear and front of a train consist has a fundamental weakness. With equipment costing a few tens of dollars, anyone can issue a command to bring the consist to an emergency stop.
Weakened FRED Favors Robbers and Terrorists
U.S. freight rail has for decades used the standard wireless EoT/HoT (End-of-Train / Head-of-Train) system, also known under the trade name FRED. It serves to transmit simple status information and emergency brake commands between the locomotive and the end of the train. The signal is neither encrypted nor authenticated — it contains only a checksum. This means that anyone with a software-defined radio, which can be "cobbled together" for a few tens of dollars or bought for a few hundred, can stop a train.
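The difference between a checksum and authentication described above, as an added example that is not from the article, the railroads or any vendor. The frame layout, the sample key, CRC-32 and HMAC-SHA-256 are assumptions chosen for illustration; they are not the real EoT/HoT format or the planned replacement protocol.

```python
import hashlib
import hmac
import struct
import zlib

BODY = struct.Struct(">IIB")   # constructed toy layout: unit id, counter, command
KEY = b"constructed-demo-key"  # sample key; a real system provisions one per device pair

def seal_checksum(body: bytes) -> bytes:
    # CRC-32 needs no secret, so every sender can produce a valid trailer.
    return body + zlib.crc32(body).to_bytes(4, "big")

def accept_checksum(frame: bytes) -> bool:
    # Detects corruption in transit; says nothing about who sent the frame.
    return len(frame) == BODY.size + 4 and zlib.crc32(frame[:-4]) == int.from_bytes(frame[-4:], "big")

def seal_mac(key: bytes, body: bytes) -> bytes:
    return body + hmac.new(key, body, hashlib.sha256).digest()

class MacReceiver:
    """Accepts a frame only if the tag verifies and the counter moved forward."""
    def __init__(self, key: bytes, unit_id: int):
        self.key, self.unit_id, self.last_counter = key, unit_id, -1

    def accept(self, frame: bytes) -> bool:
        if len(frame) != BODY.size + 32:
            return False
        body, tag = frame[:BODY.size], frame[BODY.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # sender does not hold the shared key
        unit_id, counter, _command = BODY.unpack(body)
        if unit_id != self.unit_id or counter <= self.last_counter:
            return False  # wrong pairing, or a recorded frame played back
        self.last_counter = counter
        return True

def demo() -> dict:
    body = BODY.pack(7, 1, 1)  # constructed sample values
    noisy = bytearray(seal_checksum(body))
    noisy[0] ^= 0x01           # simulate a single-bit radio error
    rx = MacReceiver(KEY, unit_id=7)
    genuine = seal_mac(KEY, body)
    return {
        "checksum_any_sender": accept_checksum(seal_checksum(body)),
        "checksum_bit_error": accept_checksum(bytes(noisy)),
        "mac_wrong_key": rx.accept(seal_mac(b"guessed-key", body)),
        "mac_genuine": rx.accept(genuine),
        "mac_replay": rx.accept(genuine),
    }
```

The checksum-only receiver rejects the corrupted frame but accepts any well-formed one, while the keyed receiver also rejects a sender without the key and a replayed copy of a genuine frame.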
Catastrophic scenarios for exploiting this vulnerability immediately appeared in online discussions. Fortunately, the reality is not so dramatic, above all because a successful attack on this vulnerability allows only the issuance of a command to activate the brakes. The opposite command, to take the brakes out of service, cannot be spoofed or issued in this way. That does not mean, however, that a "hostile emergency stop" could not cause problems.
One example is stopping a train at a preselected location for the purpose of a train robbery. History knows a number of such cases, but they did not depend on exploiting vulnerabilities in wireless communication: a train can be stopped in a number of other ways. The same applies to stopping a train for other purposes, for example a terrorist attack using dangerous cargo such as chemicals or fuel.
Emergency Stops Can Cause Delays and Track Damage
Coordinated disruption of traffic could be problematic. A larger number of trains stopped at once could not only delay traffic but also deliberately block key lines and overload transport infrastructure. In essence, it would be analogous to the DoS (Denial of Service) attacks known from the IT world.
One can also imagine a risk associated with emergency braking itself. In exceptional conditions (a sharp curve, poor track condition, heavy cargo with a high, perhaps uneven centre of gravity) abrupt emergency stopping could lead to damage to cargo, rolling stock or the permanent way. Confirmed data are lacking, however, so this is rather a theoretical concern.
Life Sentences for Abusing the Security Weakness
According to CISA and the Association of American Railroads (AAR), the problem has been known since at least 2012. The FRED protocol is used by tens of thousands of end devices, so immediate replacement is unrealistic.
Until a new, authenticated protocol is introduced — which will not be before 2027 — there is no effective preventive solution. Monitoring is merely reactive (it detects an attack only by its consequence) and physical guarding is out of the question (it does not protect against a radio command from tens to hundreds of metres away).
U.S. railroads therefore have no choice but to rely on the deterrent effect of penalties for those who attempt to exploit this vulnerability. Above all, "railway sabotage" or "endangering transport" falls under federal laws, including the Patriot Act adopted in response to the attacks of 11 September 2001. For terrorism against mass transport, it prescribes up to life imprisonment — it is enough that there was an "endangerment of persons".
A cyber attack on a critical system falls under the Computer Fraud and Abuse Act (CFAA). A first offence can mean up to 10 years in prison, a repeat offence up to 20 years; if injuries occur, a life sentence is possible.
Finally, even mere obstruction of railway operations (vandalism, interference) is punished extremely harshly in some states. For example, in Louisiana, if safety is endangered or injuries occur, a fine of up to one thousand dollars and up to 20 years in prison can be imposed; in the event of death, life imprisonment or even the death penalty is possible.