neils
Hardware Security Research | Radio | Data Centers

Jul 11, 2025, 15 tweets

Turns out you can just hack any train in the USA and take control over the brakes. This is CVE-2025-1727 and it took me 12 years to get this published. This vulnerability is still not patched. Here's the story:

In the 1980s Congress mandated a replacement for the caboose to reduce rail accidents. The industry responded with the 'Flashing Red End Device' or FRED, also known as an End-of-Train (EOT) device, that wirelessly reports telemetry back to the cab but can also accept commands.

This RF link is peak 1980s security. Why bother with security when it is just illegal to use the frequencies that the EOT/HOT operate on? So a simple BCH checksum was all that was needed.

I discovered this one day when RTL-SDRs started becoming a thing and I noticed the transmission for EOT/HOT was something I kinda recognized from so many years of listening to APRS burst data.

I reported this in 2012 when I was very active with ICS-CERT doing embedded industrial control security research. ICS-CERT was scrappy and new, but were a great group that did everything they could to help resolve critical infrastructure vulnerabilities.

2012 to 2016 was a stalemate between ICS-CERT and the American Association of Railways (AAR). Everything is just 'theoretical' when you're reversing a protocol in a lab using simulated radio traffic, and the AAR would only acknowledge the vulnerability if we could prove it IRL.

In 2016 I had an article published in the Boston Review detailing how the FRA didn't operate its own test track facility, and how the AAR blocked all security-related testing that it knew would cause them problems. The AAR responded with an article in Fortune magazine dismissing the claims.

I burned out on this for a while after that article. I felt like this was never going to see the light of day and I was not going to win against big corp lobbying.

In 2018 Eric Reuter independently found the same vulnerability, but only gave a talk at DEF CON on reverse engineering the protocol. I'd highly recommend checking out PyEOT if you want specifics on RE'ing this vulnerability.

In 2024 I noticed that ICS-CERT had re-orged a few times and I decided to open a new ticket with them to see whatever happened to this. Did they just give up?

No one really knows what happened to it, BUT they were 100% behind getting it right this time. We went back and forth with vendors and the AAR for a few months trying to get the right parties involved to address this issue.

AAR's Director of Information Security decided this was not that big of a deal, and they were not going to do anything about it as the devices and protocol were 'end of life' which is ironic because they are still in use today. AAR walked away from talking to CISA multiple times.

CISA finally agreed with me that publication would be the only remaining option to pressure AAR to fix this issue. And it kinda worked. In April they announced 802.16t will replace the EOT/HOT vulnerable protocol. When will this happen by? 2027 at best.

So how bad is this? You could remotely take control over a train's brake controller from a very long distance away, using hardware that costs sub-$500. You could induce brake failure leading to derailments, or you could shut down the entire national railway system.

These devices are also on passenger rail operations! With that said: DO NOT TRY THIS AT HOME. YOU WILL PROBABLY GET SOMEONE HURT.
