Student Hacks Taiwan Rail with $50 Radio: 4 Trains Stopped

Huma Shazia | 7 May 2026 at 4:08 pm | 5 min read
Source: Latest from Tom's Hardware

Key Takeaways
  • A student bypassed 7 security layers using software-defined radio equipment
  • The TETRA radio system's encryption keys hadn't been rotated since installation 19 years ago
  • The incident has triggered a national review of rail and airport communication security

A 23-year-old college student in Taiwan brought four high-speed trains to a standstill last month using little more than a laptop and some radio equipment. The student, identified only as Lin, remotely broadcast a General Alarm signal that triggered emergency braking procedures across the line.

The trains sat idle for 48 minutes while operators verified the alarm was false. No hard stops were executed, and no injuries were reported. But the breach exposed something far more troubling than one student's reckless experiment.

19 years: time since the rail system's cryptographic keys were last rotated, making the 'hack' trivially easy

Seven Security Layers, Zero Key Rotation

Lin sailed through seven verification layers designed to protect the rail system's communications. The reason? The TETRA (Terrestrial Trunked Radio) system controlling train communications hadn't had its cryptographic keys changed since installation. That's 19 years of using the same digital locks.

RTL-SDR, a community focused on software-defined radio technology, speculates the system used TEA1 encryption. TEA1 has known vulnerabilities. But the more likely explanation is simpler: key rotation requires configuration at installation. The Taiwan rail system apparently never set it up.

Software-defined radios are widely available consumer devices. They can cost as little as $20 to $50 for basic models. Combined with freely available software, they can intercept and transmit on radio frequencies that older systems assumed were secure through obscurity.

How Lin Got Caught

The trail back to Lin was short. When the rail network detected the false alarm, operators attempted to verify its source over radio. Lin apparently answered in an awkward manner and hung up. That was enough to trigger a full review.

The rail network checked all beacons in use, then reviewed CCTV footage. Working with police, investigators followed the signal trail to Lin's home in Taichung. There they found a laptop and several radios.

Lin is currently out on bail of approximately $3,200. He faces up to 10 years in prison. His defense? He claims he accidentally pressed a button on a radio in his pocket. Investigators are not buying it.

The Bigger Problem

Lin's laptop reportedly contained information on how to access communications for the New Taipei City Fire Department and the Taoyuan International Airport MRT Line. The discovery has triggered a national security review extending well beyond the rail system.

If a college student could hack into a system as sophisticated as that of the high-speed rail system, what would happen if the same thing happened with the Taiwan Railway Corp's system?

— Ho Shin-chun, Democratic Progressive Party Legislator

The incident has sparked political finger-pointing over who bears responsibility for the security lapse. A formal review of all affected radio systems is now underway.

A Missed Opportunity for Responsible Disclosure

Taiwan has a progressive attitude toward security research. The country's g0v (gov-zero) movement has built a culture of civic hacking, where citizens identify government vulnerabilities and report them through proper channels. Lin could have disclosed his findings responsibly and potentially been thanked rather than prosecuted.

Instead, he chose to test his discovery on live infrastructure. The 48-minute delay affected thousands of passengers. And Lin now faces up to a decade behind bars for what amounts to a preventable stunt.

Infrastructure Security Cannot Age in Place

The core lesson here is not about one student's poor judgment. It's about what happens when critical infrastructure security is configured once and never revisited. Encryption key rotation exists for a reason. Attackers get 19 years of opportunities to crack static keys. Computing power increases. Vulnerabilities in encryption schemes are discovered and published.

TETRA systems are used worldwide for emergency services, public transportation, and critical infrastructure. Many were installed in the early 2000s. Taiwan is unlikely to be the only country where key rotation was skipped at installation.

Frequently Asked Questions

What is a software-defined radio (SDR)?

An SDR is a radio system where components traditionally implemented in hardware are instead handled by software. This makes them flexible, cheap, and capable of operating across many frequencies. Basic SDR receivers cost $20 to $50.

What is TETRA and why is it used for rail systems?

TETRA (Terrestrial Trunked Radio) is a professional mobile radio standard used globally by emergency services, transportation, and critical infrastructure. It offers group communication, encryption, and reliable coverage in challenging environments.

What is cryptographic key rotation?

Key rotation is the practice of regularly replacing encryption keys. This limits the damage if a key is compromised and makes it harder for attackers to crack keys through long-term analysis. Most security standards recommend rotating keys annually or more frequently.

Could this attack happen on other rail systems?

Potentially. Many TETRA systems worldwide were installed in the same era. If key rotation was not configured at installation, similar vulnerabilities may exist. The Taiwan incident has prompted calls for global review of legacy radio infrastructure.

What penalties does Lin face?

Lin is out on $3,200 bail and faces up to 10 years in prison. The exact charges have not been fully detailed, but they relate to disrupting critical infrastructure.

Huma Shazia

Senior AI & Tech Writer