Key Takeaways

- The student used software-defined radio to intercept and clone TETRA radio signals
- The railway's security parameters had not been updated in 19 years
- The attacker bypassed seven verification layers and faces up to 10 years' imprisonment
What Happened
Taiwanese police arrested a 23-year-old university student on April 28 for hacking into the country's high-speed railway communication system. The student, identified by his surname Lin, used software-defined radio (SDR) equipment to transmit a fake emergency signal that triggered automatic braking on four trains.
The incident occurred on April 5. Lin transmitted a high-priority "General Alarm" signal that mimicked legitimate railway communications. Four trains stopped for 48 minutes while operators investigated what they believed was a genuine emergency.
Taiwan High Speed Rail (THSR) serves 81.8 million passengers annually along a 350-kilometer route on the island's western coast. Trains reach speeds up to 300 km/h. The system receives state financial support due to its critical role in Taiwan's transportation infrastructure.
How the Attack Worked
Lin purchased SDR equipment online and used it to intercept TETRA (Trans-European Trunked Radio) communications from the railway network. TETRA is a digital trunked radio standard used by emergency services and transportation systems across Europe and Asia.
After capturing the radio parameters, Lin decoded them and programmed the data into handheld radios. This allowed him to impersonate legitimate railway beacons. A 21-year-old accomplice provided some critical THSR parameters that made the attack possible.
The railway's TETRA system had been in operation for 19 years. According to reports, security parameters had not been rotated during that entire period. This failure allowed Lin to bypass what should have been seven layers of verification.
How THSR Detected the Breach
After the trains stopped, THSR engineers examined system logs. They found that the emergency signal came from a radio beacon that was not assigned for duty that day. A physical check confirmed the legitimate device was still in place and had not been used.
This pointed to unauthorized cloning. THSR alerted police, who traced the transmission using CCTV footage and TETRA network logs.
Investigators tracked the signal to Lin's residence. Police seized 11 handheld radios, an SDR device, and a laptop during the arrest.
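The roster cross-check described above can be sketched as follows. This is an added example, not THSR's tooling or code from the original report; the CSV log layout, radio IDs, site names and event names are constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample data. The CSV layout, radio IDs, site names and event
# names are assumptions for illustration, not a real TETRA log format.
DUTY_ROSTER = {"2030-01-10": {"7001", "7002"}}   # date -> radio IDs on duty
HIGH_PRIORITY = {"GENERAL_ALARM"}
SAMPLE_LOG = """\
timestamp,radio_id,site,event
2030-01-10T08:02:11,7001,SITE-A,GROUP_CALL
2030-01-10T08:15:40,7002,SITE-B,STATUS
2030-01-10T09:31:05,7009,SITE-C,GENERAL_ALARM
2030-01-10T09:40:00,7009,SITE-C,GROUP_CALL
2030-01-11T07:00:00,7001,SITE-A,GENERAL_ALARM
"""


def parse_log(text):
    """Yield (timestamp, radio_id, site, event) tuples from CSV log text."""
    for row in csv.DictReader(io.StringIO(text)):
        yield (datetime.fromisoformat(row["timestamp"]),
               row["radio_id"].strip(), row["site"].strip(), row["event"].strip())


def find_off_roster_events(log_text, roster, high_priority=HIGH_PRIORITY):
    """Return findings for transmissions by radios not rostered that day.

    A date with no roster is treated as "nobody assigned" (fail closed), so
    a gap in the roster data surfaces as findings instead of hiding them.
    """
    findings = []
    for ts, radio_id, site, event in parse_log(log_text):
        on_duty = roster.get(ts.date().isoformat(), set())
        if radio_id in on_duty:
            continue
        findings.append({
            "time": ts.isoformat(), "radio_id": radio_id, "site": site,
            "event": event,
            "severity": "critical" if event in high_priority else "review",
        })
    # Alarms first, then chronological, so triage starts with the worst case.
    findings.sort(key=lambda f: (f["severity"] != "critical", f["time"]))
    return findings


if __name__ == "__main__":
    for f in find_off_roster_events(SAMPLE_LOG, DUTY_ROSTER):
        print(f"{f['severity']:8} {f['time']} radio={f['radio_id']} "
              f"site={f['site']} event={f['event']}")
```

Run continuously rather than after the fact, the same check would raise the off-roster alarm while operators are still deciding how to respond to it.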

Legal Consequences
Lin faces charges under Article 184 of Taiwan's Criminal Law. The maximum penalty is 10 years' imprisonment. He was released on NT$100,000 ($3,280) bail following his April 28 arrest.
Lin's lawyer claims the April 5 transmission was accidental. Authorities have expressed skepticism about this defense, given the technical complexity required to intercept, decode, and retransmit TETRA signals.
Infrastructure Security Failures
The incident has drawn criticism from Taiwanese politicians. Some have called out the bodies responsible for railway communications for negligence. The core issue: critical security parameters remained unchanged for nearly two decades.
TETRA systems, while encrypted, rely on proper key management and parameter rotation to remain secure. Static credentials become increasingly vulnerable as hardware prices drop and SDR technology becomes more accessible. SDR equipment capable of intercepting such signals is now available for a few hundred dollars online.
This attack demonstrates a broader risk to transportation infrastructure worldwide. Many railways, metros, and emergency services still use legacy TETRA deployments. Without regular security audits and credential rotation, these systems remain exposed to similar attacks.

Frequently Asked Questions
What is TETRA and why is it used for railways?
TETRA (Trans-European Trunked Radio) is a digital radio standard designed for mission-critical communications. Railways, emergency services, and public transit systems use it for reliable, encrypted voice and data transmission. It supports group calls, emergency signaling, and priority communications.
What is software-defined radio (SDR)?
SDR uses software to process radio signals instead of dedicated hardware. This flexibility allows a single device to transmit and receive across many frequencies. SDR equipment has become affordable and accessible, making it useful for researchers, hobbyists, and, unfortunately, attackers.
Could this attack happen on other railway systems?
Potentially yes. Many transportation systems worldwide use TETRA or similar radio technologies. Systems that have not regularly rotated security parameters or audited their radio infrastructure may be vulnerable to similar interception and spoofing attacks.
How can organizations protect against this type of attack?
Regular rotation of encryption keys and authentication parameters is essential. Organizations should also monitor for unauthorized radio transmissions, conduct periodic security audits of communication systems, and implement anomaly detection for unusual signal patterns.
Source: BleepingComputer
Huma Shazia
Senior AI & Tech Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.