Taiwanese authorities have arrested a 23-year-old Providence University student, Lin, for disrupting four high-speed rail trains by hacking a radio communications system.
Operated by Taiwan High Speed Rail Corporation (THSRC), the rail network runs 217 miles (350 km) along the densely populated western coast, with trains reaching a maximum speed of 186 mph (300 km/h). It transports more than 81 million passengers annually, making it an important part of the country’s critical infrastructure.
The disruption occurred after station staff received a priority signal, prompting them to activate emergency protocols and instruct trains to brake manually.
Student disrupted high-speed rail using software-defined radio
On April 5, the suspect used software-defined radio (SDR) equipment to transmit the highest-priority “General Alarm” (GA) signal, triggering emergency braking.
Upon learning of the anomalous activity, the station staff took inventory of all radio communication devices, determined none were missing, and notified law enforcement. Officials initially believed an employee had triggered the priority signal, since only station staff used such radios to communicate with one another and with train drivers.
Over the course of two weeks, police and station staff analyzed network-side TETRA logs and CCTV footage to identify the suspect. They used the Base station logs to identify the transmission source and obtained search warrants for three locations, including the student’s residence and workplace. The search yielded 11 professional two-way radios and other electronic devices, including an SDR and a laptop.
According to authorities, the devices could have enabled Lin to access radio frequencies of the high-speed rail system, the New Taipei City Fire Department, and the Taoyuan International Airport MRT Line.
The prosecution also determined that the suspect allegedly exploited system vulnerabilities and electromagnetic interference to breach the core network infrastructure to disrupt the high-speed rail trains.
Lin faces a 10-year prison sentence under Article 184 of the Criminal Law, but is currently out on bail of $3,280 (NT$100,000). Through his lawyers, he claims the transmission occurred unintentionally after accidentally pressing a button while the device was in his pocket.
Student breached seven layers of security
The suspect intercepted and decoded Trans-European Trunked Radio (TETRA) parameters using the SDR equipment and transformed them into legitimate signals. A 21-year-old accomplice had provided the main suspect with legitimate parameters to intercept and decode the signal.
Lin bought the SDR kit online, connected it to an antenna and a laptop to capture potentially unencrypted HSRC traffic to decode TETRA parameters. The suspect then programmed the parameters into one of his eleven radios.
“Taiwan’s THSRC runs on TETRA, a digital trunked radio standard that supports encryption, but the most widely available commercial cipher, TEA1, is fundamentally broken and was shown back in 2023 to be basically worthless,” stated Denis Calderone, CTO, Suzu Labs. “And that assumes encryption is even enabled, which in many rail deployments it is not. In 2023, Poland’s railway was still running analog VHF when an attacker used it to issue an emergency stop command.”
Surprisingly, the high-speed rail station had not rotated the parameters for 19 years, and the radio equipment used in the attack had not been assigned, suggesting potential cloning.
“This is another example of critical infrastructure depending on protocols that are decades old and were never designed to withstand adversarial interference,” added Calderone. “TETRA was built in the 1990s under the assumption that physical possession of authorized radio equipment would be the security boundary. That assumption collapsed the moment consumer software-defined radios became available for under fifty dollars online. Now anyone can intercept these signals, decode them if even necessary, and transmit a General Alarm that triggers emergency braking on a high-speed rail network.”
According to the legislature’s Transportation Committee, the suspect cracked seven layers of verification to trigger the false braking alarm and disrupt high-speed rail operations for nearly an hour.
Meanwhile, THSRC and the Taiwan Railway Corp are reviewing the incident and considering various mitigations to prevent a similar incident in the future. While the suspect’s motive remains undetermined, the incident has raised questions about the security of critical infrastructure.
“In recent history, we can point to 3 modern rail attacks in 3 different countries, Taiwan, Poland, and the United States,” noted Calderone. “All are dealing with the same fundamental problem across three completely different radio technologies, and all three are broken because this technology was never designed for adversarial resilience.”
