23‑Year‑Old Hacks Taiwan High‑Speed Rail with SDR: TETRA Flaw Exposes 19‑Year Gap
A 23‑year‑old Taiwanese student used a low‑cost SDR and eleven handheld radios to clone unchanged TETRA parameters, trigger a General Alarm, and force four high‑speed trains to stop, exposing a 19‑year‑old key‑rotation flaw and highlighting broader risks in critical‑infrastructure radio security.
1. Incident Overview
On 5 April 2026 at 23:23, the Taiwan High Speed Rail Corporation (THSRC) dispatch centre received a General Alarm (GA) from a handheld radio belonging to the maintenance department. GA is the highest‑priority TETRA alarm and automatically switches all trains in the area to manual emergency brake, causing four operating trains to stop on the tracks.
2. Attack Methodology
The police reconstruction identified five steps:
Acquire equipment: The suspect purchased a software‑defined radio (SDR) and connected it to an antenna and a laptop.
Capture traffic: Using open‑source software, he recorded THSRC’s TETRA communication stream.
Decode parameters: He extracted the over‑the‑air (OTA) parameters, including encryption keys and configuration, exposing the entire TETRA air‑interface setup.
Program radios: The extracted parameters were written to eleven handheld radios.
Trigger alarm: From a location within signal coverage, he transmitted a GA signal, causing the four trains to halt.
A 21‑year‑old associate reportedly supplied some of the THSRC parameters. The most difficult step was acquiring the SDR; the remaining steps were covered by open‑source tools.
3. About TETRA
Purpose and Design
TETRA (Terrestrial Trunked Radio) is a digital trunked radio standard designed for public‑safety, railway, airport and port infrastructures. It aims for reliability, priority handling and disaster tolerance, which is why GA signals must be acted upon by all devices in the coverage area.
Known Weakness
Early versions of TETRA use the TEA1 encryption algorithm, which was disclosed to contain a backdoor (CVE‑2022‑24402). The backdoor enables full decryption of traffic and injection of forged control commands. An SDR together with the open‑source Osmocom TETRA decoder can exploit this weakness.
4. Stale Parameters
THSRC’s TETRA system is said to have seven layers of verification, but all layers rely on the same set of keys and IDs that have not been rotated since 2019. This illustrates a common flaw in critical‑infrastructure security: designs remain on paper while the operational environment never updates, rotates, or tests its cryptographic material.
5. Investigation and Attribution
Base‑station logs record the uplink source, allowing triangulation of the transmitter. Combined with CCTV footage, investigators located the suspect’s rental apartment, where they seized eleven handheld radios, a laptop and the SDR. The suspect posted a NT$100,000 bail and faces up to ten years in prison under Taiwan’s Railway Act and Criminal Code.
6. Similar Incidents
2016, Slovenia: Student Dejan Ornig used RTL‑SDR and Osmocom TETRA to discover that police TETRA terminals lacked authentication. After reporting the issue, he was prosecuted and eventually received a seven‑month suspended sentence.
Early 2026, United States: Security researchers demonstrated that an SDR could replicate unauthorized brake commands for freight‑train “end‑of‑train” devices, showing a comparable RF attack surface.
Both cases show that security research is often treated as criminal activity rather than an opportunity for improvement.
7. Lessons for Critical Infrastructure
Radio parameters must be rotated on a regular schedule; using a single set of keys for nineteen years is unacceptable.
Physical security alone is insufficient; logical controls such as anomaly detection at the base‑station level are essential.
SDR devices have lowered the barrier to entry for radio attacks, creating a severe asymmetry between attackers and defenders.
Operators should value security researchers and establish responsible‑disclosure processes, otherwise vulnerabilities remain hidden.
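As an added illustration of base‑station‑level anomaly detection (not code from THSRC, the investigators or the source article), the sketch below flags a radio identity that appears at two non‑adjacent base stations within a short window, a typical sign of cloned parameters, and marks any General Alarm sent by such an identity for out‑of‑band verification. The log format, site names, the NEIGHBOURS map and the 120‑second window are assumptions, and the log lines are constructed.

```python
from datetime import datetime

# Constructed sample log (format is an assumption): time, site, ISSI, event
SAMPLE_LOG = """\
2026-01-01T23:20:05,BS-12,1001,REGISTER
2026-01-01T23:20:40,BS-31,1001,REGISTER
2026-01-01T23:21:10,BS-12,2002,REGISTER
2026-01-01T23:22:30,BS-13,2002,REGISTER
2026-01-01T23:23:00,BS-31,1001,GENERAL_ALARM
"""

# Hypothetical adjacency map: sites a terminal can legitimately hand over between
NEIGHBOURS = {"BS-12": {"BS-13"}, "BS-13": {"BS-12"}, "BS-31": set()}

def parse(log):
    """Yield (timestamp, site, issi, event) tuples from the constructed format."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, site, issi, event = line.strip().split(",")
        yield datetime.fromisoformat(ts), site, issi, event

def detect(log, window_s=120):
    """Return (suspects, alarms): identities seen at two non-adjacent sites
    within window_s seconds, and General Alarms sent by those identities."""
    last_seen = {}   # issi -> (timestamp, site) of the previous uplink
    suspects = {}    # issi -> (first site, second site, seconds apart)
    alarms = []
    for ts, site, issi, event in parse(log):
        prev = last_seen.get(issi)
        if prev:
            delta = (ts - prev[0]).total_seconds()
            jumped = site != prev[1] and site not in NEIGHBOURS.get(prev[1], set())
            if jumped and delta <= window_s:
                suspects[issi] = (prev[1], site, delta)
        last_seen[issi] = (ts, site)
        if event == "GENERAL_ALARM" and issi in suspects:
            alarms.append((ts.isoformat(), site, issi))
    return suspects, alarms

if __name__ == "__main__":
    suspects, alarms = detect(SAMPLE_LOG)
    print("clone suspects:", suspects)
    print("alarms needing out-of-band verification:", alarms)
```

Identity 2002 moves between adjacent sites and is not flagged; identity 1001 jumps between non‑adjacent sites in 35 seconds, so its later alarm is surfaced.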
8. References
Taipei Times article (2026‑05‑05)
RTL‑SDR coverage of the incident
CVE‑2022‑24402 disclosure
Dejan Ornig case report
