College student hacks Taiwan high-speed rail line with software defined radios, stopping four trains — 19 years without crypto key rotation ends in predictable result as hacker sails through 7 layers of protection
Source: Tom’s Hardware
Incident Overview
A 23‑year‑old Taiwanese student hacked the country’s high‑speed rail line using a software‑defined radio (SDR) filter and handheld radios. By remotely broadcasting a General Alarm signal, the attacker triggered a manual emergency braking procedure that halted four trains for 48 minutes. The alarm was later verified as false, and no hard stops were executed.
Technical Details
- The hack exploited the TETRA (Terrestrial Trunked Radio) system, which had not had its cryptographic keys rotated in 19 years.
- The attacker bypassed seven verification layers, allowing the false alarm to be accepted by the rail control system.
- Additional information reportedly existed on how to access communications for the New Taipei Fire Department and the Taoyuan International Airport MRT line.
Political Reaction
Democratic Progressive Party legislator Ho Shin‑chun warned, “If a college student could hack into a system as sophisticated as that of the high‑speed rail system, what would happen if the same thing happened with the Taiwan Railway Corp’s system?”
The incident sparked a debate over responsibility for weak security and prompted a formal review of the affected radio systems.
Ethical Considerations
The student claimed the incident was an accidental press of a button on his radio. Critics argue that a more responsible approach would have been to disclose the vulnerability to authorities, especially given Taiwan’s generally progressive stance toward civil hacking.
Broader Context
Taiwan encourages open and transparent civic tech initiatives, such as the g0v movement, which received official support and proved valuable during the COVID‑19 pandemic. The country also hosts an annual Presidential Hackathon, and the National Institute of Cyber Security recently awarded US$17,000 for 20 reported vulnerabilities across various products.
