Profits Over Safety – American Rail Industry
CISA disclosed a vulnerability that can be exploited to tamper with both passenger and freight train brakes.
The railroad industry has known about the weakness for 20 years but even though the government approached them multiple times, they declined to fix it.
Basically, there is a box at the end of the train called a FRED or Flashing Rear End Device. This End-of-Train device (EoT) communicates with a device at the Head of the Train (HoT) in the locomotive. The EoT device replaces the caboose and the person in the caboose.
The EoT device collects data about what is going on a mile away from the locomotive.
Since these devices are old, they have no encryption and no authentication.
All a hacker has to do is have a software-defined radio within radio range of the train to tell, for example, the end of train to slam on the emergency brakes, likely causing the train to derail.
One researcher discovered the issue in 2012 (13 years ago). He tried to get the American Association of Railroads to fix it with no success.
Potentially, with a handful of sub-$500 radios, you could trigger derailments that would shut down the US rail system.
The Boston Review published a story in 2016 accusing the industry of risking safety so as to maximize profits.
Another researcher discovered the problem in 2018 and presented a paper at DefCon which included technical details.
Still, the railroad trade group would not fix the problem.
It turns out the vulnerability was first discovered and reported to the railroad trade group in 2005 – 20 years ago.
A recent press release said that there are around 25,000 locomotive HoT devices and 45,000 Caboose EoT devices.
This is not a theoretical problem. In 2023, 20 trains were disrupted by a hacker who did exactly what could be done to American trains. The hacker sent control signals over an unencrypted radio frequency.
Railroads are regulated, at least in theory, by the Department of Transportation’s Federal Railroad Administration (FRA). The FRA’s stated purpose is to promulgate and enforce rail safety regulations … and conduct research and development in support of improved railroad safety.
All passenger and freight rail travel in the United States on the national interconnected rail infrastructure is subject to regulation by the FRA.
Most notably, the FRA enforces safety regulations, such as speed limits and requirements for safety features such as positive train control (PTC).
That the Department of Transportation has allowed this vulnerability to remain for 20 years without being fixed makes you wonder whether the FRA is just incompetent or whether they are on the take. I don’t know whether either of these is true, but I can’t think of a better explanation.
Credit: Security Week