A student with a laptop and a radio stopped four high-speed trains. The crypto keys had not been changed in 19 years.

At 23:23 on April 5, a 23-year-old university student in Taichung broadcast a false General Alarm signal on the Taiwan High Speed ​​Rail Corporation’s internal radio system. Four trains traveling at speeds of up to 300 km/h received a critical emergency warning and switched to manual braking. The entire high-speed rail network was disrupted for 48 minutes. The student, identified only by his last name, Lin, tested seven layers of authentication using a laptop, a software-defined radio he bought online, and a handful of handheld radios. The cryptographic keys protecting the system had not been changed in 19 years.

The radio system Lin is vulnerable to is TETRA (Terrestrial Trunked Radio), a standard developed in the 1990s for encrypted voice and data communications, used by police, emergency services, airports, and transportation networks in about 120 countries. THSRC’s TETRA supply dates for the railway opening in 2007. According to Tom’s Hardware, the system’s cryptographic key rotation, which needs to be set up and configured at installation, appears to have not been implemented. When Lin was four years old, someone put away the keys. No one changed them.

The attack itself was straightforward. Lin used a software-defined radio, a device that replaces hardware-based radio components with software, to intercept THSRC radio traffic. He downloaded the captured signals to his laptop, extracted the TETRA parameters, and programmed the same codes into the portable radios. He then transmitted a designed General Alarm signal that was visible from station staff, triggering emergency braking procedures across the network. The police described this method as reasonable.

Hidden vulnerabilities are not new. In 2023, Dutch cybersecurity researchers at Midnight Blue exposed a deliberate backdoor in the TETRA encryption algorithm, affecting radios manufactured by Motorola, Damm, Hytera, and others. The researchers found that the system could be cracked in less than a minute using consumer-grade hardware, potentially allowing attackers to send malicious commands to critical infrastructure or eavesdrop on emergency services. The Port of Rotterdam, several European public transport systems, the Dutch C2000 emergency network, and many similar organizations in the US all operate on TETRA. Despite these disclosures, Midnight Blue reported that most critical infrastructure workers did not heed their warnings.

The case of Taiwan shows what happens when those warnings are ignored. RTL-SDR, an expert publication that has tracked TETRA vulnerabilities for years, speculated that the THSRC system may have been using TEA1, the now-broken TETRA encryption algorithm. But the most likely explanation, the publication suggests, is simple: the key rotation was not stopped at all.

The political upheaval was immediate. Democratic Progressive Party legislator Ho Shin-chun raised the incident at a meeting of the provincial Transportation Committee. “If a college student could enter a system as complex as that of a high-speed train, what would happen if the same thing happened to the system of Taiwan Railway Corp?” he asked.” When Ho asked if the Taiwan Transportation Safety Board had been notified, the board said it had not.

The Ministry of Transport and Communications has promised to deliver a report within a month about strengthening the security of communications on trains. THSRC and Taiwan Railway Corp have begun reviewing the safety of their radio systems, and the Railway Bureau has ordered metro operators to conduct a similar review. Police confiscated 11 handheld radios, an SDR receiver, a laptop, and two smartphones from Lin’s residence. They also discovered that he has access to the radio frequencies of the New Taipei City Fire Department and the Taoyuan International Airport MRT Line.

Lin was arrested on April 28, more than three weeks after the incident. His lawyer said the transmission was accidental: “I had it [the radio] in my pocket and accidentally pressed the button.“The authorities found the defense unfounded, especially given the volume of special materials found and the evidence that the 21-year-old provided Lin with important THSRC parameters. Lin was released on NT$100,000 bail (about $3,200) and is facing charges under Article 184 of the Criminal Law with an age limit.

The broader context is that the global transport infrastructure has not kept up with the tools available to disrupt it. Software supply chain attacks have dominated the cybersecurity discourse in 2026, but the incident in Taiwan is a reminder that some of the most significant risks are not in software at all. They are in radio programs that were installed two decades ago and have never been updated, protected by cryptographic keys that have not been rotated since the Bush administration, which operates on a protocol whose weaknesses have been publicly documented for years.

The pattern is consistent across all technology sectors: the most important attack surface is often the one that gets the least attention, the legacy system that works quietly in the background while security budgets flow towards newer, more fashionable threats. Lin’s devices cost less than a mid-range smartphone. The damage could have been catastrophic.

THSRC carries 81.8 million passengers annually. Its trains travel at a speed of 300 km/h. The system that protects those passengers from a wrong brake signal has been protected with cryptographic keys that haven’t been changed since Lin was in kindergarten. Whether a fix comes before the next person with a laptop and a radio decides to test for the same vulnerability is a question Taiwan’s government is now under great pressure to answer.