// OT INTEL · 06 MAY 2026 · SOURCE · bleepingcomputer.com
// News Desk · 06 May 2026 · vulnerability · commentary

Taiwan high-speed rail halted by SDR and 19 years of unrotated TETRA keys

A 23-year-old student halted four Taiwanese high-speed trains for 48 minutes using off-the-shelf SDR kit and TETRA radio parameters that hadn't been rotated in 19 years.

A 23-year-old university student in Taiwan, identified by his surname Lin, has been arrested for halting four high-speed trains on Taiwan High Speed Rail (THSR) for 48 minutes on 5 April. He did it with a software-defined radio bought online, two handheld radios, and the cooperation of a 21-year-old accomplice who supplied the THSR-specific TETRA parameters. The mechanism was straightforward: intercept and decode the TETRA radio parameters used by the network’s trackside communications, programme them into handheld radios so they impersonate legitimate beacons, then transmit a high-priority “General Alarm” signal — the trigger for emergency braking. Lin was arrested on 28 April and now faces charges under Article 184 of Taiwan’s Criminal Law, carrying up to ten years’ imprisonment. He is currently out on NT$100,000 (about £2,600) bail. His lawyer’s claim that the emergency-signal transmission was accidental has not impressed the authorities.

The headline number, and the bit worth dwelling on, is reported as 19 years. That is how long the TETRA system had reportedly been running on THSR, and the parameters allegedly had not been rotated in that time. Twenty years is more than the working life of most of the engineers who originally deployed it. The reporting indicates that this absence of rotation is exactly what allowed the cloned radio to defeat what is described as seven verification layers. Seven sounds reassuring until you read the next clause: they were all gated by the same static secrets. That is not defence in depth. That is the same wall, painted seven different colours.

There is a wider point about TETRA itself. The protocol has been under serious cryptographic scrutiny since the TETRA:BURST disclosures in 2023, which documented backdoor-grade weaknesses in the standardised TEA1 encryption algorithm and authentication weaknesses in adjacent components. Operators of TETRA networks have known for two and a half years that the protocol stack is not a strong cryptographic foundation by modern standards. The Taiwan story is not a novel attack on TETRA; it is what happens when a protocol with known issues meets parameters that were set in 2007 and never touched again.

The defender’s lesson is unglamorous and exactly the same in operational technology as it is in IT. Rotation matters. “Multiple verification layers” is a meaningless statement if every layer depends on the same static root; if one rotation event would invalidate all of them at once, they are the same control. And the cost barrier on radio-frequency attacks has collapsed. What used to require a national signals laboratory now fits in a backpack and costs less than a decent laptop. Operators who relied on the implicit assumption that radio-spectrum attacks were the preserve of state actors should treat that assumption as expired. The attacker pool now includes anyone with a curious weekend, an SDR, and access to internal documentation.
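
The "same control" test from the paragraph above, as an added example that is not from the original article or its source: it traces each verification layer back to the root secrets it depends on, collapses layers that share a root, and flags layers whose oldest link is past a rotation policy. The layer names, secret names, dates and derivation relationships are constructed for illustration and are not THSR's real configuration.

```python
from datetime import date

# Constructed inventory: hypothetical names and dates, not THSR's real configuration.
# Each secret records its last rotation and the secret it is derived from (None = root).
SECRETS = {
    "network_params": {"rotated": date(2007, 1, 1), "parent": None},
    "group_id": {"rotated": date(2007, 1, 1), "parent": "network_params"},
    "radio_identity": {"rotated": date(2019, 3, 1), "parent": "network_params"},
    "dispatch_pin": {"rotated": date(2026, 2, 1), "parent": None},
}
# Each verification layer lists the secrets it checks before accepting a message.
LAYERS = {
    "layer_1": ["network_params"],
    "layer_2": ["group_id"],
    "layer_3": ["radio_identity"],
    "layer_4": ["group_id", "radio_identity"],
    "layer_5": ["dispatch_pin"],
}

def chain(name, secrets):
    """Return the secret followed by its ancestors, root last; reject cycles."""
    seen = []
    while name is not None:
        if name in seen:
            raise ValueError(f"derivation cycle at {name}")
        seen.append(name)
        name = secrets[name]["parent"]
    return seen

def layer_roots(layers, secrets):
    """Map each layer to the set of root secrets it ultimately depends on."""
    return {layer: frozenset(chain(s, secrets)[-1] for s in deps)
            for layer, deps in layers.items()}

def independent_controls(layers, secrets):
    """Group layers by root set: layers sharing a root set count as one control."""
    groups = {}
    for layer, roots in layer_roots(layers, secrets).items():
        groups.setdefault(roots, []).append(layer)
    return groups

def stale_layers(layers, secrets, today, max_age_days):
    """Layers whose oldest chain link is older than the policy allows.
    Assumption: a derived value is only as fresh as its oldest ancestor."""
    stale = {}
    for layer, deps in layers.items():
        oldest = min(secrets[s]["rotated"] for d in deps for s in chain(d, secrets))
        if (today - oldest).days > max_age_days:
            stale[layer] = oldest
    return stale
```

On this constructed inventory, five nominal layers collapse to two independent controls, and `layer_3` is still flagged as stale despite its 2019 rotation because the root it derives from dates to 2007.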

The honest take. This is not the most technically sophisticated story of the year. It is, however, an unusually clean illustration of a problem that critical-infrastructure operators across rail, utilities, and industrial wireless are sitting on right now: long-lived deployments running on credentials and parameters that were last reviewed during a different decade, defended by control stacks whose layers all share a single point of failure. The attack window on those systems does not close on its own.
