A recently published CVE (Common Vulnerabilities and Exposures) states that a software-defined radio can be used to remotely send a brake command signal to the wirelessly linked End-of-Train control box.

Security researcher Neil Smith reported the vulnerability. Neil explains more on X, explicitly noting that he has been trying to get this published for 12 years and that no one from the American Association of Railroads (AAR) seems to consider this vulnerability a significant issue.

US trains use wireless RF communications devices, called "End-of-Train" (EoT) and "Head-of-Train" (HoT), to enable data communication between the head and end of the train. The two systems interface with the train's braking and control system, allowing the engineer to view information from both sides of the train and to command systems at the ends of a long train instantaneously. Such signals can easily be received with an RTL-SDR and the softEOT decoder, or the PyEOT decoder.

The vulnerability stems from the fact that a software-defined radio can easily be used to replicate an EoT RF signal that can command braking. The signal could be transmitted over a long distance with an appropriate amplifier and antenna. Unexpected braking could cause derailment, amongst other problems.

As of right now, the vulnerability is still unpatched, but AAR have noted that they intend to replace the system with the 802.16t standard. However, in the X thread, Neil notes that this replacement won't be in place until 2027 in the best-case scenario.

If you're interested, another security researcher did a talk about railroad telemetry systems back at DEF CON 26, 6 years ago.

An EoT device (aka FRED) on a US train. Attribution: https://commons.wikimedia.org/wiki/File:FRED_cropped.jpg