Delays on Taiwan’s high-speed rail system are so uncommon that they immediately stand out.
So when three Taiwan High Speed Rail Corp (THSRC) trains were stopped for 48 minutes during the Qingming holiday, the event was quickly flagged and investigated as a possible security breach.
What first looked like a mysterious signalling problem has now been traced by officials to a 23-year-old university student. Authorities claim he used off-the-shelf software-defined radio (SDR) equipment to fake railway communications and activate emergency braking on several trains at once.
As reported by The Taipei Times, the event took place at 11:23 PM on April 5th, 2026. It involved sending a forged “General Alarm” (GA) signal into THSRC’s TETRA-based operational radio system near Taichung Station.
Prosecutors say the suspect managed to copy the communication settings used within the rail operator’s internal radio network, essentially producing a signal that the system accepted as a genuine safety-critical command.
While some public discussion has labeled this type of attack “hackjacking” — a term for cyber-enabled interference that causes real-world operational disruption — the actual method is more accurately described as software-defined radio spoofing of railway operational communications.
What exactly is software-defined radio spoofing?
Software-defined radio (SDR) spoofing is a radio-level attack method where software-controlled radio hardware is used to capture, copy, and rebroadcast legitimate wireless signals, tricking receiving systems into accepting fake communications.
In industrial and transportation settings, this doesn’t involve breaking into a network in the traditional sense. Instead, it exploits the inherent trust placed in radio signals themselves — especially in older operational technology (OT) systems where authentication, encryption, or parameter management may be patchy across infrastructure that has been in place for years.
In the Taiwan incident, the spoofed signal was apparently accepted by the system as a valid emergency command, causing automated braking on the affected trains.
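The difference between a receiver that trusts static parameters and one that authenticates each command can be shown in a few lines. This is an added example, not code from the article, THSRC or the TETRA standard: it is a generic sketch of message authentication with a freshness counter, and the network ID, key, frame layout and function names are all constructed assumptions.

```python
import hmac, hashlib, struct

# Constructed values for illustration only; not real TETRA parameters or frame formats.
STATIC_NETWORK_ID = 0x1234
KEY = b"constructed-demo-key"
GENERAL_ALARM = 0x01

def build_frame(network_id, command, counter, key=None):
    """Sender side: 7-byte header (network id, command, counter) plus optional HMAC tag."""
    header = struct.pack(">HBI", network_id, command, counter)
    tag = hmac.new(key, header, hashlib.sha256).digest() if key else b""
    return header + tag

def legacy_accept(frame):
    """Weak receiver: trusts any frame whose static network id matches."""
    network_id, command, _ = struct.unpack(">HBI", frame[:7])
    return network_id == STATIC_NETWORK_ID and command == GENERAL_ALARM

class AuthenticatedReceiver:
    """Hardened receiver: requires a valid tag and a strictly increasing counter."""
    def __init__(self, key):
        self.key = key
        self.last_counter = -1

    def accept(self, frame):
        if len(frame) != 7 + 32:
            return False          # missing or malformed tag
        header, tag = frame[:7], frame[7:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False          # forged or modified frame
        network_id, command, counter = struct.unpack(">HBI", header)
        if network_id != STATIC_NETWORK_ID or counter <= self.last_counter:
            return False          # wrong network, or a replayed/stale frame
        self.last_counter = counter
        return command == GENERAL_ALARM

def demo():
    genuine = build_frame(STATIC_NETWORK_ID, GENERAL_ALARM, 41, KEY)
    copied = build_frame(STATIC_NETWORK_ID, GENERAL_ALARM, 0)  # static values only, no key
    rx = AuthenticatedReceiver(KEY)
    return {
        "legacy_copied": legacy_accept(copied),   # accepted: static id is the only check
        "auth_genuine": rx.accept(genuine),       # accepted: valid tag, fresh counter
        "auth_replay": rx.accept(genuine),        # rejected: same counter seen before
        "auth_copied": rx.accept(copied),         # rejected: no valid tag
    }

if __name__ == "__main__":
    print(demo())
```

The counter check is what defeats a replay of a genuinely authenticated frame; the tag alone would not, because a recorded frame still carries a valid tag.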
Older rail communications face fresh scrutiny
The event has brought renewed attention to older railway communication systems, particularly those still using TETRA (Terrestrial Trunked Radio) standards. Although TETRA does support encryption and authentication, how these features are implemented varies widely between deployments. Security researchers have long warned about risks tied to outdated configurations, poor key management, or signalling formats that can be replayed.
Experts note that the growing availability of SDR technology has dramatically lowered the barrier for radio-layer attacks against critical infrastructure, effectively putting this capability within reach of anyone with commodity tools rather than just specialized actors.
Denis Calderone, CTO at Suzu Labs, said the incident highlights a fundamental flaw in how legacy radio systems were originally conceived.
“This is yet another case of critical infrastructure relying on protocols that are decades old and were never built to resist deliberate interference,” he said. “TETRA was developed in the 1990s on the assumption that simply possessing authorized radio equipment would serve as the security boundary. That assumption fell apart the moment consumer-grade software-defined radios became available online for under fifty dollars.”
Calderone said today’s tools now make it possible to directly mimic operational signalling behavior.
“Now anyone can intercept these signals, decode them if needed, and broadcast a General Alarm that triggers emergency braking on a high-speed rail network,” he added. “The system’s parameters hadn’t been changed in 19 years.”
He also cited comparable incidents in other countries as evidence of a widespread problem in rail communications security.
“In recent years we’ve seen three modern rail attacks across three different countries — Taiwan, Poland, and the United States,” Calderone said. “All three are grappling with the same core issue across three entirely different radio technologies, and all three are vulnerable because this technology was never engineered to withstand adversarial threats.”
“Security through obscurity no longer works”
Damon Small, a member of the Board of Directors at Xcape, said the attack shows how SDR has dismantled long-held beliefs about radio security.
“The disruption of Taiwan’s high-speed rail through software-defined radio proves that ‘security through obscurity’ is no longer a defensible strategy for critical infrastructure,” he said. “By copying static TETRA parameters and bypassing seven layers of verification, a hobbyist was able to turn the system’s own fail-safe protocols against it and shut down operations.”
“This wasn’t a sophisticated network intrusion — it was a signal replay attack enabled by the widespread availability of cheap RF exploitation tools and known flaws in legacy encryption such as TEA1,” he added. “Any safety-critical system that depends on unencrypted or unchanging radio signals is an active risk.”
“Legacy assumptions no longer hold up”
Larry Pesce, VP of Services at Finite State, said the incident reflects a broader collapse in how legacy threat models apply to industrial systems.
“The Taiwan THSR incident is a textbook example of what happens when these factors come together: a legacy system built under outdated threat assumptions, deployed with security measures that were never updated, operating in a world where the tools to exploit it are inexpensive, widely available, and thoroughly documented,” he said. “A university student with commercially available equipment managed to trigger life-safety emergency procedures on a transit system that serves over 80 million passengers annually.”
Pesce pointed to earlier disclosures as proof that similar vulnerabilities are already well understood at the protocol level.
“The TETRA:BURST and 2TETRA:2BURST disclosures made that clear from a protocol perspective. This Taiwan incident shows what that looks like in real-world operations,” he said.
For operators, he said the takeaway is now impossible to ignore.
“Review your key management practices, test your authentication mechanisms against today’s threat landscape, and invest in layered defenses that operate under the assumption that your radio traffic is being monitored. Because chances are, it already is.”



