Taiwanese High-Speed Rail Hacked by University Student Using SDR, Halting 4 Trains—19-Year-Old Encryption Key Vulnerability Exposed
A Taiwanese university student hacked the high-speed rail's TETRA radio system using SDR, exploiting a 19-year-old encryption key vulnerability.
An incident involving Taiwan High-Speed Rail (THSR) last month saw a 23-year-old university student use Software-Defined Radio (SDR) to launch an attack that triggered the emergency stop of four moving trains. The event exposed a critical vulnerability in the TETRA (Terrestrial Trunked Radio) communication system, which had been operating with the same encryption key for 19 years without any updates. This revelation has prompted Taiwanese authorities to conduct a comprehensive review of their systems.
Remote Transmission of Emergency Alarms via Radio Signals
The incident unfolded approximately a month ago when the suspect, Lin, who resides in Taichung, used an SDR filter and a transceiver to illegally access the high-speed rail’s radio communication system from his home. He remotely broadcast a General Alarm signal, which activated the manual emergency braking procedure in four trains. Although the alarms were later deemed false and no actual emergency stops occurred, the train schedules were significantly disrupted, with delays lasting up to 48 minutes.
A 19-Year-Old Encryption Key—Breaching Seven Layers of Authentication
What makes this case particularly alarming is how Lin managed to bypass the system’s “seven layers of authentication.” The breach was discovered when Lin’s radio device transmitted an unusual response, prompting the rail operator to initiate an investigation. By cross-referencing CCTV footage, authorities traced the activity back to Lin’s home in Taichung, where they seized laptops and several transceivers during a search.
According to experts, the encryption method used in the TETRA system was likely the outdated and already compromised “TEA1” algorithm. It appears that the encryption key rotation, which should have been scheduled during the system’s installation, was simply never implemented. Consequently, the system had been operating with the same key for 19 years. In such a scenario, even low-level cloning attacks could easily break through the system’s security. Security experts argue that this incident was a “predictable outcome” of such negligence.
Impact Extends Beyond High-Speed Rail
Reports suggest that Lin also possessed information allowing him to access the radio communications of the New Taipei City Fire Department and the Taoyuan International Airport MRT. In response, Taiwanese authorities have begun a formal review of all related radio systems. Democratic Progressive Party legislator Ho Hsin-chun raised concerns, stating, “If a university student can hack into a sophisticated system like the high-speed rail, what would happen if something similar occurred in Taiwan Railways?”
Lin is currently out on bail after posting approximately $3,200. He has rather unconvincingly claimed that the radio device in his pocket was accidentally activated, likening the situation to a scene from an anime. However, prosecutors are pursuing a sentence of up to 10 years in prison. Had Lin ethically reported the vulnerability to authorities, the outcome might have been entirely different, as Taiwan generally adopts a progressive stance toward ethical hacking.
This incident highlights the real-world consequences of poor encryption key management in critical infrastructure, which in this case culminated in operational disruptions. The 19 years of negligence have resulted in more than just a need for a system update; the case serves as a cautionary tale for transportation agencies worldwide about the importance of diligent encryption practices.
Frequently Asked Questions
- How was the Taiwan High-Speed Rail hacked?
  - A university student used Software-Defined Radio (SDR) to broadcast a General Alarm signal within the TETRA radio system, bypassing seven layers of authentication. This was possible because the encryption key had not been updated for 19 years.
- What is the TETRA system?
  - TETRA (Terrestrial Trunked Radio) is a digital radio communication standard widely used in critical infrastructure, such as emergency services and railways. In this case, the system relied on the outdated TEA1 encryption method, and key rotation had not been implemented.
- What lessons can be learned from this incident?
  - The key lesson is the importance of regularly updating (rotating) encryption keys. Systems left unmaintained for extended periods become vulnerable to breaches. Critical infrastructure, in particular, must prioritize robust encryption key management to prevent security risks.