On Taiwan’s high-speed rail network, delays are rare enough to be operationally notable.
So when three Taiwan High Speed Rail Corp (THSRC) services were halted for 48 minutes during the Qingming holiday period, the incident was immediately escalated and investigated as a potential systems compromise.
What initially appeared to be an unexplained signalling fault has now been attributed by authorities to a 23-year-old university student, who is alleged to have used commercially available software-defined radio (SDR) equipment to spoof railway communications and trigger emergency braking procedures across multiple trains.
According to The Taipei Times, the incident occurred at 23:23 on 5th April 2026 and involved the transmission of a falsified “General Alarm” (GA) signal into THSRC’s TETRA-based operational communications system near Taichung Station.
Prosecutors allege that the suspect was able to replicate operational communication parameters used within the rail operator’s internal radio network, effectively generating a signal that the system interpreted as a legitimate safety-critical command.
While some public commentary has referred to this category of attack as “hackjacking”, a shorthand for cyber-enabled interference that produces physical operational effects, the underlying mechanism is more precisely described as software-defined radio spoofing of operational railway communications.
What is software-defined radio spoofing?
Software-defined radio (SDR) spoofing is a radio-layer attack in which software-controlled radio hardware is used to capture, analyse, replicate and retransmit legitimate wireless signals so that a receiving system accepts falsified communications as genuine.
In industrial and transport environments this requires no intrusion into an IP network. It targets the trust that receivers place in the radio signal itself, a weakness most pronounced in long-lived operational technology (OT) systems where authentication, encryption deployment, or parameter and key management may be inconsistent across decades-old infrastructure.
In the Taiwan case, the spoofed signal was reportedly interpreted by the system as a valid emergency instruction, triggering automated braking across affected trains.
Legacy rail communications under scrutiny
The incident has renewed scrutiny of legacy railway communications systems, particularly those still reliant on TETRA (Terrestrial Trunked Radio) standards. TETRA specifies encryption and authentication, but whether and how they are deployed varies significantly between operators, and security researchers have long highlighted risks from outdated configurations, weak key management, and signalling structures that can be captured and replayed.
Experts say the increasing accessibility of SDR hardware and open-source decoding tools has significantly lowered the barrier to entry for radio-layer attacks against critical infrastructure, shifting the required capability from specialist actors to commodity tooling.
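The weakness described in the two sections above, a receiver that trusts a frame because its static network parameters match, is easy to see in code. The Python below is an added illustration and is not code from the article, from THSRC, or from any TETRA implementation; the frame layout, field names, identifiers and key are constructed for the example and do not model a real air interface. It places a replay-vulnerable receiver beside a hardened one that demands a keyed MAC and a strictly increasing counter, and shows that the same captured frame, a trivially forged frame, and a replayed frame are all accepted by the first and rejected by the second.

```python
"""Constructed toy of a replay-vulnerable radio receiver and a hardened one.

This is NOT TETRA and does not model THSRC's system: every field, value and
key below is invented for the example.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace

MSG_GENERAL_ALARM = 0x01  # constructed message-type code for a "General Alarm"


@dataclass(frozen=True)
class Frame:
    network_id: int   # static network parameter an eavesdropper can learn
    group_id: int     # static talkgroup parameter, likewise observable
    msg_type: int
    counter: int      # freshness counter (ignored by the legacy receiver)
    tag: bytes = b""  # authentication tag; legacy frames carry none

    def body(self) -> bytes:
        """Canonical byte encoding of the authenticated fields."""
        return struct.pack(">HHBI", self.network_id, self.group_id,
                           self.msg_type, self.counter)


def sign(frame: Frame, key: bytes) -> Frame:
    """Attach an HMAC-SHA256 tag over the frame body (constructed scheme)."""
    tag = hmac.new(key, frame.body(), hashlib.sha256).digest()
    return replace(frame, tag=tag)


class LegacyReceiver:
    """Accepts any frame whose static parameters match: no key, no freshness.

    Anyone who has observed one legitimate frame knows everything needed to
    replay it or craft a new one.
    """

    def __init__(self, network_id: int, group_id: int) -> None:
        self.network_id, self.group_id = network_id, group_id
        self.brake_events = 0

    def receive(self, frame: Frame) -> bool:
        if (frame.network_id, frame.group_id) != (self.network_id, self.group_id):
            return False
        if frame.msg_type == MSG_GENERAL_ALARM:
            self.brake_events += 1  # stands in for triggering emergency braking
        return True


class HardenedReceiver:
    """Requires a valid MAC under a shared key and a strictly increasing counter."""

    def __init__(self, network_id: int, group_id: int, key: bytes) -> None:
        self.network_id, self.group_id, self.key = network_id, group_id, key
        self.last_counter = -1
        self.brake_events = 0

    def receive(self, frame: Frame) -> bool:
        if (frame.network_id, frame.group_id) != (self.network_id, self.group_id):
            return False
        expected = hmac.new(self.key, frame.body(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, frame.tag):
            return False  # forged or tampered: knowing the static IDs is not enough
        if frame.counter <= self.last_counter:
            return False  # replay of a frame already seen
        self.last_counter = frame.counter
        if frame.msg_type == MSG_GENERAL_ALARM:
            self.brake_events += 1
        return True


def simulate() -> dict:
    """Run one legitimate frame, one replay and one forgery past both receivers."""
    net, group = 0x0A21, 0x0005          # constructed static parameters
    key = hashlib.sha256(b"constructed-demo-key").digest()  # constructed key
    legit = Frame(net, group, MSG_GENERAL_ALARM, counter=7)
    signed = sign(legit, key)
    # Attacker crafts a General Alarm using only the observable static IDs.
    forged = Frame(net, group, MSG_GENERAL_ALARM, counter=0)

    legacy = LegacyReceiver(net, group)
    hardened = HardenedReceiver(net, group, key)
    results = {
        "legacy_legit": legacy.receive(legit),
        "legacy_replay": legacy.receive(legit),      # same frame retransmitted
        "legacy_forged": legacy.receive(forged),
        "hardened_legit": hardened.receive(signed),
        "hardened_replay": hardened.receive(signed),  # counter 7 already used
        "hardened_forged": hardened.receive(forged),  # no valid tag
    }
    results["legacy_brakes"] = legacy.brake_events      # 3
    results["hardened_brakes"] = hardened.brake_events  # 1
    return results


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The hardened receiver only moves the problem onto key management: the MAC is worthless if the key is shared across an entire fleet and never rotated, and a counter that is reset on every power cycle reopens the replay window. Any real deployment would also need to bind a key epoch into the authenticated body so that rotation can be enforced rather than assumed.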
Denis Calderone, CTO at Suzu Labs, said the incident reflects a structural failure in how legacy radio systems were originally designed.
“This is another example of critical infrastructure depending on protocols that are decades old and were never designed to withstand adversarial interference,” he said. “TETRA was built in the 1990s under the assumption that physical possession of authorised radio equipment would be the security boundary. That assumption collapsed the moment consumer software-defined radios became available for under fifty dollars online.”
Calderone said modern tooling now enables direct replication of operational signalling behaviour.
“Now anyone can intercept these signals, decode them if even necessary, and transmit a General Alarm that triggers emergency braking on a high-speed rail network,” he added. “This system’s parameters had not been rotated in 19 years.”
He also pointed to similar failures across multiple jurisdictions as evidence of a systemic issue in rail communications security.
“In recent history we can point to three modern rail attacks in three different countries, Taiwan, Poland, and the United States,” Calderone said. “All are dealing with the same fundamental problem across three completely different radio technologies, and all three are broken because this technology was never designed for adversarial resilience.”
“Security through obscurity is no longer viable”
Damon Small, Board of Directors at Xcape, said the attack demonstrates how SDR has removed long-standing assumptions about radio security.
“The disruption of Taiwan’s high-speed rail via software-defined radio proves that ‘security through obscurity’ is no longer a viable defence for critical infrastructure,” he said. “By replicating static TETRA parameters and bypassing seven layers of verification, a hobbyist was able to weaponise the system’s own fail-safe protocols to halt operations.”
“This was not a sophisticated network breach, but a signal replay attack made possible by the democratisation of inexpensive RF exploitation tools and known weaknesses in legacy encryption like TEA1,” he added. “Any safety-critical system relying on unencrypted or static radio signals is an active liability.”
“Legacy assumptions no longer hold”
Larry Pesce, VP of Services at Finite State, said the incident reflects a wider breakdown in legacy threat modelling across industrial systems.
“The Taiwan THSR incident is a near-perfect illustration of what happens when these factors converge: a legacy system designed under obsolete threat assumptions, deployed with security mechanisms that were never updated, operating in a world where the tools to exploit it are cheap, widely available, and well-documented,” he said. “A university student with commercially available equipment managed to trigger safety-of-life emergency procedures on a transit system that carries over 80 million passengers per year.”
Pesce pointed to prior disclosures as evidence that similar weaknesses are already well understood at the protocol level.
“The TETRA:BURST and 2TETRA:2BURST disclosures made that clear at the protocol level. This incident in Taiwan demonstrates what it looks like at the operational level,” he said.
For operators, he said the lesson is now unavoidable.
“Audit your key management practices, evaluate your authentication mechanisms against current threat models, and invest in layered defences that assume your radio traffic is being observed. Because it very likely is.”
