A student equipped with a laptop and a radio was able to halt four high-speed trains. The encryption keys had remained unchanged for 19 years.

      TL;DR: A 23-year-old hacked Taiwan's high-speed rail using a laptop and inexpensive radios, taking advantage of cryptographic keys that hadn’t changed in 19 years. At 23:23 on April 5, a university student named Lin from Taichung sent a false General Alarm signal into the Taiwan High Speed Rail Corporation’s internal radio network. This forced four trains, traveling at speeds of up to 300 km/h, to switch to manual braking, causing a network-wide disruption lasting 48 minutes. Lin managed to bypass seven layers of security with a laptop, a software-defined radio purchased online, and a few handheld radios. The system's cryptographic keys had remained unchanged for nearly two decades.

      The compromised radio system was TETRA (Terrestrial Trunked Radio), which is utilized globally for encrypted voice and data communication by authorities like police, emergency services, airports, and transport networks in about 120 countries. The TETRA system was implemented in THSRC when the rail line opened in 2007, but key rotation—necessary for security—seems to have never been set up. When Lin was just four years old, the keys were established and left unchanged since then.

      The hacking method was surprisingly simple. Lin utilized a software-defined radio to intercept THSRC’s communications, downloaded the traffic to his laptop, decoded the TETRA parameters, and programmed those into handheld radios. He then sent a fake General Alarm signal that seemed to come from a station employee, initiating emergency braking across the network. Law enforcement characterized his approach as basic.

      The vulnerability is not recent. In 2023, cybersecurity researchers from Midnight Blue revealed a intentional backdoor in the TETRA encryption used by radios from manufacturers such as Motorola and Hytera. They demonstrated that the system could be breached in under a minute with consumer-grade hardware, allowing potential attackers to send harmful commands to critical infrastructure or listen in on emergency communications. Numerous entities, including the port of Rotterdam, various European transport networks, and the Dutch emergency services system C2000, operate on TETRA. However, Midnight Blue found that many critical infrastructure operators did not respond to their alerts.

      Taiwan’s situation illustrates the consequences of ignoring such warnings. RTL-SDR, a publication focused on TETRA vulnerabilities, speculates that THSRC might have been using the outdated TEA1 encryption algorithm. However, the simpler explanation, according to the publication, is that key rotation was never set up.

      The political ramifications were immediate. Democratic Progressive Party legislator Ho Shin-chun raised the issue during a state Transportation Committee meeting, questioning what potential risks exist if a college student could breach a sophisticated high-speed rail system. When inquiring if the Taiwan Transportation Safety Board had been informed, she learned it had not.

      The Ministry of Transportation and Communications promised to deliver a report within a month on enhancing railway communication security. THSRC and Taiwan Railway Corp have initiated reviews of their radio systems, with the Railway Bureau directing metro operators to conduct similar assessments. Police confiscated 11 handheld radios, a software-defined radio receiver, a laptop, and two smartphones from Lin’s home. They also discovered he could access the frequencies of the New Taipei City Fire Department and the Taoyuan International Airport MRT Line.

      Lin was arrested on April 28, over three weeks after the incident, with his lawyer asserting the transmission was accidental: “I had [the radio] in my pocket and accidentally pressed the button.” Authorities found this defense unconvincing, especially given the extensive specialized equipment seized and indications that a 21-year-old associate provided him with critical parameters. Lin was released on NT$100,000 bail (approximately $3,200) and faces charges under Article 184 of the Criminal Law, which carries a maximum penalty of 10 years.

      The broader context highlights a global transport infrastructure that has not adapted to current threats. While software supply chain attacks have dominated cybersecurity discussions in 2026, the Taiwan incident serves as a reminder that significant vulnerabilities can exist beyond software; they can reside in outdated two-decade-old radio systems that have never been updated, protected by cryptographic keys set during the Bush administration, and utilizing a protocol with long-acknowledged weaknesses.

      This trend is prevalent across various technology sectors: often, the areas most at risk receive the least focus, with security investments channeled toward newer, trendier threats. Lin’s equipment cost less than a mid-tier smartphone, yet the potential damage could have been enormous.

      THSRC serves 81.8 million passengers each year. Its trains operate at speeds of 300 km/h, and the system designed to protect these passengers from false emergency braking signals was underpinned by cryptographic keys that had not been altered since Lin was in preschool. The Taiwanese government is now facing significant pressure to resolve whether a fix will be implemented before another individual with a laptop and radio attempts the same breach.