A student with a laptop and a radio stopped four high-speed trains. The crypto keys hadn’t been changed in 19 years.

At 23:23 on 5 April, a 23-year-old university student in Taichung transmitted a falsified General Alarm signal into the Taiwan High Speed Rail Corporation’s internal radio system. Four trains travelling at up to 300 km/h received the highest-priority emergency alert and switched to manual braking. The entire high-speed rail network was disrupted for 48 minutes. The student, identified only by his surname Lin, had cracked through seven layers of verification using a laptop, a software-defined radio he bought online, and a handful of handheld radios. The cryptographic keys protecting the system had not been changed in 19 years.

The radio system Lin compromised is TETRA (Terrestrial Trunked Radio), a standard developed in the 1990s for encrypted voice and data communication, used by police, emergency services, airports, and transport networks in approximately 120 countries. THSRC’s TETRA deployment dates to the rail line’s opening in 2007. According to Tom’s Hardware, the system’s cryptographic key rotation, which needs to be configured and scheduled at installation, appears never to have been implemented. When Lin was four years old, someone set the keys. Nobody changed them.

The attack itself was straightforward. Lin used a software-defined radio, a device that replaces hardware-based radio components with software, to intercept THSRC’s radio traffic. He downloaded the captured signals to his laptop, decoded the TETRA parameters, and programmed the same codes into handheld radios. He then transmitted a cloned General Alarm signal that appeared to originate from a station employee, triggering emergency braking procedures across the network. Police described the method as rudimentary.

The underlying vulnerability is not new. In 2023, Dutch cybersecurity researchers at Midnight Blue disclosed a deliberate backdoor in the TETRA encryption algorithm, affecting radios manufactured by Motorola, Damm, Hytera, and others. The researchers found that the system could be cracked in under a minute using consumer-grade hardware, potentially allowing attackers to send malicious commands to critical infrastructure or eavesdrop on emergency services. The port of Rotterdam, several European public transport systems, the Dutch emergency services network C2000, and numerous equivalent entities in the US all run on TETRA. Despite the disclosure, Midnight Blue reported that many critical infrastructure operators were unresponsive to their warnings.

Taiwan’s case demonstrates what happens when those warnings go unheeded. RTL-SDR, a specialist publication that has tracked TETRA vulnerabilities for years, speculates that THSRC’s system may have been using TEA1, a now-broken TETRA encryption algorithm. But the more likely explanation, the publication suggests, is simpler: key rotation was never configured at all.

The political fallout has been immediate. Democratic Progressive Party legislator Ho Shin-chun raised the incident in a state Transportation Committee meeting. “If a college student could hack into a system as sophisticated as that of the high-speed rail system, what would happen if the same thing happened with the Taiwan Railway Corp’s system?” she asked. When Ho asked whether the Taiwan Transportation Safety Board had been notified, the board said it had not been informed.

The Ministry of Transportation and Communications has pledged to submit a report within a month on hardening railway communication security. THSRC and Taiwan Railway Corp have begun reviewing the security of their radio systems, and the Railway Bureau has instructed metro operators to conduct the same review. Police seized 11 handheld radios, an SDR receiver, a laptop, and two smartphones from Lin’s residence. They also found that he could access the radio frequencies of the New Taipei City Fire Department and the Taoyuan International Airport MRT Line.

Lin was arrested on 28 April, more than three weeks after the incident. His lawyer claimed the transmission was accidental: “I had [the radio] in my pocket and accidentally pressed the button.” Authorities found the defence unconvincing, particularly given the volume of specialised equipment recovered and evidence that a 21-year-old accomplice provided Lin with critical THSRC parameters. Lin was released on NT$100,000 bail (approximately $3,200) and faces charges under Article 184 of the Criminal Law, with a maximum sentence of 10 years.

The broader context is a global transport infrastructure that has not kept pace with the tools available to compromise it. Software supply chain attacks have dominated the cybersecurity conversation in 2026, but the Taiwan incident is a reminder that some of the most consequential vulnerabilities are not in software at all. They are in radio systems installed two decades ago and never updated, protected by cryptographic keys that have not been rotated since the Bush administration, running on a protocol whose weaknesses have been publicly documented for years.

The pattern is consistent across technology sectors: the attack surface that matters most is often the one that receives the least attention, the legacy system running quietly in the background while security budgets flow toward newer, more fashionable threats. Lin’s equipment cost less than a mid-range smartphone. The damage could have been catastrophic.

THSRC carries 81.8 million passengers annually. Its trains run at 300 km/h. The system that protects those passengers from a falsified emergency braking signal was defended by cryptographic keys that had not been changed since Lin was in preschool. Whether the fix arrives before the next person with a laptop and a radio decides to test the same vulnerability is a question the Taiwanese government is now under considerable pressure to answer.