Railroad industry first warned about this nasty vulnerability in  2005.

BCH vs. SDR, AAR vs. CISA

What’s the craic? Jowi Morales reports: Security vulnerability on U.S. trains … known for 13 years

“Anyone with an SDR could mimic these packets”
A security vulnerability on American trains was discovered in 2012, but the American Association of Railways (AAR) has refused to act on it until the Cybersecurity & Infrastructure Security Agency (CISA) published an advisory a few days ago. … Wireless hardware [needed] to seriously disrupt rail transport costs less than $500.
…
All American trains [are] equipped with an End-of-Train (EoT) module attached to the last carriage, which reports telemetry data to the front of the train wirelessly. … The system only used the BCH checksum for packet creation. Unfortunately, anyone with an SDR could mimic these packets, allowing them to send false signals … without the train driver’s knowledge, potentially compromising … safety.

13 years? How about 20? Eduard Kovacs looks further back: Train Brakes Can Be Hacked Over Radio—And the Industry Knew for 20 Years

“The threat is not just theoretical”
CISA last week published an advisory describing CVE-2025-1727. [A] FRED is placed at the end of a train, being designed to transmit data to a device in the locomotive. … But it can also receive commands to apply the brakes at the rear of the train.
…
CISA’s advisory [says] the protocol … is not secure (no authentication or encryption are used). … The same weakness was actually first discovered and reported to the AAR 20 years ago, in 2005. … The cybersecurity industry has long warned about trains being vulnerable to hacker attacks and the threat is not just theoretical.

Horse’s mouth? Neil Smith is back on track:

“DO NOT TRY THIS AT HOME”
FRED … is peak 1980s security. … I reported this in 2012. … AAR would only acknowledge the vulnerability if we could prove it. [But] AAR blocked all security related testing that it knew would cause them problems. … In 2018 Eric Reuter independently found the same vulnerability [and] the Craven brothers published the same vulnerability in 2005. So the AAR has been aware of it for 20 years.
…
In 2024 I noticed that ICS-CERT had re-orged. … They were 100% behind getting it right this time. [But] AAR’s Director of Information Security decided this was not that big of a deal, and they were not going to do anything about it. … CISA finally agreed with me that publication would be the only remaining option.
…
So how bad is this? … You could shutdown the entire national railway system. … DO NOT TRY THIS AT HOME.

20 years is a heck of a long time. NoPicklez pulls a vinegar face:

Whilst its not uncommon for vulnerabilities to be known for a long time without being fixed, this is one that sounds like it should be fixed. … There’s always a worst case scenario with vulnerabilities, likelihood and consequence becomes a fairly important metric to measure the risk. However the fact that you don’t need to be “near” the train to do it makes it all the more opportunistic.

What can we learn from other safety-critical transportation types? bazza takes off:

This nicely illustrates the reasons why aircraft don’t use radio systems for control of bits of the aircraft. … A radio link from control stick to aileron would be lighter and … damage resistant, but it has that fatal vulnerability: Interference.
…
There’s a lot to learn from the world of mobile telephony or … enterprise-scale Wi-Fi. These are both systems whereby specific devices can join a network, and it’s difficult for non-permitted devices to be on the network.

Too wishy-washy. Get off the fence. This Anonymous Coward happily obliges:

What the ****ing ****?? Why is it even possible for a train to receive radio signals that can do something with the brakes? That makes no sense.

But surely applying the brakes is a failsafe? Yes and no, thinks cojofojo:

Applying any sort of emergency brake system initiates a controlled stop where all the brakes on all the cars are activated. … Activating the brakes on a single rear car in an uncontrolled manner is more likely to derail the train.

Is that it? No, asserts Isamu:

It’s not the brakes on the rear car, it’s doing an emergency brake of the entire train from the last car. It dumps the brake line that runs through the length of the train. … The brakes on all cars are activated.

Oh! So, “derailment” is a non-story? “What is the real threat?” asks Marty McFly:

FRED can be commanded to dump the air pressure out of the brake line, [which] will bring the train to an emergency stop. Trains don’t derail when they emergency stop. Couplers fail on a daily basis, … causing loss of air pressure and emergency stops. The trains don’t derail. … A miscreant could easily stop a train today: … Some large hose cutting shears should do it. … So what is the real threat? … Derail trains on demand? Not likely.

TL;DR? persolb puts it slightly more succinctly:

I work on trains. This is FUD.

Meanwhile, gweihir visualizes Clueless Padme:

Fortunately, the US has no enemies and nobody would ever think to use this for anything bad. Right?

And Finally:

Possibly Pete Atkin’s best song

And here are the lyrics.

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to  @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Kevin Panzera (via Unsplash; leveled and cropped)