A 23-year-old university student in Taiwan recently brought four high-speed trains to a screeching halt for 48 minutes during a busy holiday travel night by transmitting a forged General Alarm signal over the railway’s TETRA radio network. He did it with an SDR purchased online, a laptop, and a collection of handheld radios. The TETRA parameters he exploited had reportedly not been rotated in the system’s 19-year operational lifetime.
This incident is not surprising. It is, however, an excellent case study in several converging realities that the critical infrastructure and security communities need to internalize.
SDR Has Democratized Spectrum Access
Software-defined radio and inexpensive receive-capable hardware have fundamentally changed who can interact with the radio spectrum. What once required thousands of dollars in purpose-built test equipment and specialized knowledge can now be accomplished with a $30 RTL-SDR dongle, a laptop, and open-source software. The barrier to entry for observing, recording, and in many cases decoding signals across wide swaths of the spectrum has dropped to near zero for anyone with a modicum of technical curiosity and the willingness to read a few tutorials.
This is not inherently a bad thing. SDR has enabled incredible citizen science, amateur radio experimentation, satellite tracking, weather monitoring, and legitimate security research. But it also means that systems which were designed under the assumption that “nobody can hear us” are now exposed to a vastly larger audience of potential observers and, inevitably, potential adversaries.
Security Through Obscurity Has an Expiration Date
The TETRA standard is a textbook example of security that leaned heavily on obscurity. Its core cryptographic algorithms (the TEA and TAA1 suites) were proprietary, distributed only under strict NDA, and treated as trade secrets for decades. The assumption was that keeping the algorithms secret provided an adequate layer of protection.
That assumption was thoroughly dismantled. In 2023, Midnight Blue reverse-engineered the TETRA algorithms and disclosed the TETRA:BURST vulnerabilities, including what they characterized as an intentional backdoor in TEA1 that reduces the effective key length from 80 bits to 32, a space that commodity hardware can exhaust quickly. Follow-on research in 2025 (2TETRA:2BURST) disclosed additional critical flaws, including the ability to inject voice and data traffic into TETRA networks even with authentication and encryption enabled. The broader pattern is well established: proprietary, secret, or deliberately weakened cryptography has been a recurring weak point across GSM (A5/1, A5/2), GPRS (GEA-1), DMR, P25, and now TETRA.
In the Taiwan case, the student did not even need to break the cryptography. He captured THSR’s TETRA traffic with an SDR, decoded the operational parameters, and programmed them into handheld radios to impersonate a legitimate station device. The system’s “seven verification layers” were, in practice, insufficient because the underlying parameters had apparently never been meaningfully updated.
Key Management in Legacy Systems Is Onerous by Design
It is not remotely surprising that THSR had not rotated its TETRA parameters in 19 years. Systems like these were not designed with automated key management in mind. Rotating keys or authentication parameters in a railway TETRA deployment likely means coordinating changes across hundreds of handsets and base stations, potentially taking systems offline during the transition, and accepting the risk of misconfiguration that could itself cause service disruptions.
When the cost and operational risk of a key rotation approaches or exceeds the perceived threat level, organizations rationally (if dangerously) choose to leave things as they are. The problem, of course, is that the threat landscape does not remain static while the keys do.
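As an added illustration of the coordination problem described above (this is example code written for this page, not THSR's or any TETRA vendor's tooling, and the page describes no such tool), here is a small key-age audit and phased rotation scheduler over a constructed fleet inventory. The inventory fields, the one-year rotation policy, the site names and the batch size are all assumptions. It shows two things the paragraph only states: scheduling one site at a time with an overlap window during which both old and new keys stay valid limits the blast radius of a misconfigured batch, and auditing by provisioning date alone misses a replacement handset that was recently loaded with the old key, which a check on key identity catches.

```python
"""Key-age audit and phased rotation scheduler for a fleet of radio devices.

Added example, not THSR's or any vendor's tooling. The inventory format, the
365-day policy, the site names and the batch size are assumptions; the fleet
below is constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Device:
    device_id: str
    site: str          # base station / depot the device is homed to (assumed field)
    key_id: str        # identifier of the key material currently loaded (assumed field)
    provisioned: date  # when that material was loaded onto this device


TODAY = date(2026, 1, 15)             # fixed "now" so the example is reproducible
MAX_KEY_AGE = timedelta(days=365)     # assumed policy: rotate at least yearly
OLD_KEY = "K-2007-01"                 # constructed identifier for the never-rotated key set

# Constructed sample fleet: two sites, one key set loaded at commissioning and
# never rotated, one handset already re-keyed, and one replacement handset that
# was loaded with the OLD key last month (a recent provisioning date, old key).
FLEET = [
    Device("HS-001", "SITE-A", OLD_KEY, date(2007, 1, 5)),
    Device("HS-002", "SITE-A", OLD_KEY, date(2007, 1, 5)),
    Device("HS-003", "SITE-A", OLD_KEY, date(2007, 1, 5)),
    Device("HS-004", "SITE-B", OLD_KEY, date(2007, 1, 5)),
    Device("HS-005", "SITE-B", OLD_KEY, date(2007, 1, 5)),
    Device("HS-006", "SITE-B", "K-2025-06", date(2025, 6, 1)),
    Device("HS-007", "SITE-B", OLD_KEY, date(2025, 12, 1)),
]


def overdue(fleet, today=TODAY, max_age=MAX_KEY_AGE):
    """Devices whose current key material is older than the policy allows."""
    return [d for d in fleet if today - d.provisioned > max_age]


def rotation_plan(fleet, today=TODAY, batch_size=2, overlap=timedelta(days=7)):
    """Schedule re-keying of overdue devices one site at a time, `batch_size`
    devices per day, so a bad batch can only take down part of one site.
    The old key's retirement date is `overlap` days after the last batch so
    both keys remain valid during cutover.
    Returns (batches, retire_old_key_on); each batch is (date, site, [ids])."""
    by_site = defaultdict(list)
    for d in sorted(overdue(fleet, today), key=lambda d: (d.site, d.device_id)):
        by_site[d.site].append(d.device_id)
    batches = []
    day = today + timedelta(days=1)
    for site in sorted(by_site):
        ids = by_site[site]
        for i in range(0, len(ids), batch_size):
            batches.append((day, site, ids[i:i + batch_size]))
            day += timedelta(days=1)
    retire_on = (batches[-1][0] if batches else today) + overlap
    return batches, retire_on


def stranded_after_retirement(fleet, batches, old_key_id, retire_on):
    """Devices that still carry `old_key_id` but have no batch scheduled before
    the retirement date. They would lose service the moment the old key is
    withdrawn: exactly the outage risk that makes operators defer rotation.
    Age-based auditing alone misses a recently provisioned device on the old key."""
    scheduled = {i for day, _, ids in batches if day < retire_on for i in ids}
    return [d.device_id for d in fleet
            if d.key_id == old_key_id and d.device_id not in scheduled]


def first_batch_summary(fleet, today=TODAY):
    """Convenience accessor: (first batch date, last batch date, retirement date) as ISO strings."""
    batches, retire_on = rotation_plan(fleet, today)
    return (batches[0][0].isoformat(), batches[-1][0].isoformat(), retire_on.isoformat())


if __name__ == "__main__":
    late = overdue(FLEET)
    print(f"{len(late)} of {len(FLEET)} devices exceed the {MAX_KEY_AGE.days}-day policy")
    batches, retire_on = rotation_plan(FLEET)
    for day, site, ids in batches:
        print(f"{day}  {site}  re-key {', '.join(ids)}")
    print(f"retire {OLD_KEY} on {retire_on}")
    print("stranded on old key:", stranded_after_retirement(FLEET, batches, OLD_KEY, retire_on))
```

Run against the constructed fleet, the audit flags the five commissioning-era handsets, schedules them across three days (two batches for SITE-A, one for SITE-B) with the old key retiring a week after the last batch, and reports HS-007 as stranded: its key is 19 years old even though its provisioning date is recent. The same split between "when was this device loaded" and "which key does it hold" is what a real inventory has to track before any cutover date is committed to.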
Long Amortization Demands Long-Term Thinking
Critical infrastructure radio systems, railway signaling equipment, SCADA communications, and similar deployments operate on amortization schedules measured in decades. A TETRA system installed in 2007 was likely expected to remain in service well into the 2030s. Ripping it out and replacing it with a modern system that has stronger authentication, automated key management, and resilience against signal injection is enormously expensive and operationally disruptive.
This reality places an outsized burden on the initial procurement and system design decisions. When you are selecting a communications system that will be in service for 20 or 30 years, the security evaluation cannot be limited to current threats. It must account for the inevitable erosion of obscurity, the falling cost of attack tools, and the advancing capabilities of both casual experimenters and determined adversaries.
Furthermore, these systems must be designed with defense in depth. A single layer of radio-level authentication is not sufficient. Layered security becomes increasingly complex with wireless systems because you are, by definition, broadcasting your signals into an environment where anyone with appropriate receive hardware can observe them. But that complexity is not optional. It is the cost of operating safety-of-life systems over a medium you do not control.
Transmitting Without a License Is Illegal. Full Stop.
It needs to be stated plainly: transmitting on portions of the radio spectrum for which you are not licensed is illegal, regardless of where you are on the planet. Every country that is a member of the International Telecommunication Union (and that is effectively every country) has laws governing spectrum use and unauthorized transmission. In this case, the student faces charges under Taiwan’s Railway Act and Criminal Code, with potential penalties of up to ten years imprisonment.
Beyond the transmission itself, anyone working with SDR should be checking with their local regulatory authority about whether SDR hardware is legal to possess in their jurisdiction, whether there are restrictions on its use, and which portions of the spectrum they are permitted to observe. Regulations vary significantly. In some countries, merely receiving certain frequencies without authorization can carry penalties.
Of course, it must be acknowledged that determined adversaries, whether state-sponsored actors, organized criminal groups, or motivated individuals willing to accept legal risk, are not likely to be deterred by licensing requirements. This is precisely why the earlier points about robust system design, proper key management, and defense in depth matter so much. Regulatory frameworks are a necessary component of spectrum governance, but they are not a substitute for technical security controls. The law tells people what they should not do; engineering controls determine what they cannot do.
The Uncomfortable Takeaway
The Taiwan THSR incident is a near-perfect illustration of what happens when these factors converge: a legacy system designed under obsolete threat assumptions, deployed with security mechanisms that were never updated, operating in a world where the tools to exploit it are cheap, widely available, and well-documented. A university student with commercially available equipment managed to trigger safety-of-life emergency procedures on a transit system that carries over 80 million passengers per year.
The uncomfortable truth is that similar vulnerabilities exist in critical infrastructure radio systems around the world. The TETRA:BURST and 2TETRA:2BURST disclosures made that clear at the protocol level. This incident in Taiwan demonstrates what it looks like at the operational level.
For operators of critical infrastructure communications systems, the message is clear: audit your key management practices, evaluate your authentication mechanisms against current (not historical) threat models, plan for the reality that obscurity is not a durable security control, and invest in layered defenses that assume your radio traffic is being observed. Because it very likely is.
Coverage
- Taipei Times: Student who allegedly disrupted rail network on bail
- BleepingComputer: Student hacked Taiwan high-speed rail to trigger emergency brakes
- The Register: Taiwan student pwns rail comms, halts high-speed trains
- RTL-SDR.com: Student Arrested in Taiwan for using SDR and Handheld Radios to Halt Four High Speed Trains with TETRA Hack
- Newtalk (original Chinese-language report)