A radio signal spoofing attack halted multiple high-speed trains in Taiwan during a peak holiday period, exposing systemic vulnerabilities in the TETRA (Terrestrial Trunked Radio) communications standard used by rail and emergency services operators in more than 100 countries. The April 5 incident at Taiwan High Speed Rail (THSR) has intensified industry and regulatory calls for harmonized, sector-specific cybersecurity standards - and for more rigorous operational discipline around legacy operational technology (OT) systems.
Background
THSR operates a 350-kilometer high-speed rail corridor along Taiwan's western coast, carrying approximately 81.8 million passengers annually, making it a nationally critical service with a high public safety mandate. The incident occurred during the Qingming Festival holiday, one of Taiwan's busiest travel periods.
The TETRA protocol, which THSR relies on for secure two-way operational communications, was developed in the 1980s and 1990s. In 2023 and again in 2025, researchers at Dutch cybersecurity consultancy Midnight Blue disclosed significant implementation vulnerabilities in TETRA, including weaknesses that could expose systems to unauthorized signal injection. According to The Register, much of the global installed TETRA base "is old, lacks over-the-air updates for security," and budget constraints routinely deprioritize radio hardware upgrades for public-sector operators.
The Taiwan incident is not the first of its kind. A comparable attack disrupted Polish rail operations when attackers duplicated legacy analog emergency tones. The THSR breach, however, required a more sophisticated method - extracting and cloning TETRA parameters before injecting them to trigger a network-wide alarm, according to cybersecurity consultant Lukasz Olejnik, who studied both incidents.
Details
On April 5, a 23-year-old university student identified by the surname Lin used a software-defined radio (SDR) filter and commercially purchased handheld radios to decode and clone THSR's TETRA radio parameters, according to prosecutors. Lin bypassed seven security verification layers within the TETRA system, which had reportedly not had its encryption keys rotated in 19 years. The spoofed General Alarm (GA) signal appeared to originate from Taichung Station at 11:23 PM, prompting THSR's operations control center to issue emergency braking orders. Up to four high-speed trains were stopped for 48 minutes.
Police also determined that a 21-year-old accomplice had provided Lin with critical THSR system parameters, adding an insider-access dimension to the incident. Following raids on April 28 at three locations - including the suspect's residence and workplace - police seized multiple wireless broadcasting devices and eleven handheld radios. Lin was released on NT$100,000 bail and faces charges under Taiwan's Railway Act and Criminal Code, including unauthorized system intrusion and endangering public transportation.
Crystal Tu, a research fellow cited by Domino Theory, assessed that the breach "stems less from a sophisticated cyberattack and more from weaknesses in physical device management and operational discipline." Felix Wu, dean of the College of Electrical Engineering and Computer Science at National Cheng Kung University, noted that critical infrastructure operators routinely defer OT upgrades until system failure, and that cyber readiness is difficult to assess because relevant information is often closely guarded.
Taiwan faces approximately 2.63 million cyber intrusion attempts against its critical infrastructure every day, according to reported figures from the National Institute of Cyber Security. Ying-Dar Lin, the institute's president, has stated publicly that attacks on critical infrastructure create cascading failures across other sectors - a risk the THSR incident, though caused by a lone student, underscores in operational terms.
Outlook
The incident has accelerated calls for harmonized, rail-specific cybersecurity standards. IEC 63452 - a global railway cybersecurity standard built on IEC 62443 and intended to replace the European CENELEC TS 50701 - is planned for publication in July 2026. The standard aims to provide consistent requirements across asset owners, integrators, suppliers, and maintainers - roles that the THSR breach demonstrated carry distinct and unequal security obligations.
Industry experts cited by Industrial Cyber argue that procurement documents for rail systems should mandate compliance with standards such as IEC 62443, CENELEC 50701, and IEC 63452, and that cross-border information sharing through mechanisms like the EU's ER-ISAC - still nascent relative to aviation - must be strengthened. Taiwan's Ministry of Transportation and Communications has announced a one-month audit of rail communications systems in response.
Olejnik summarized the structural lesson plainly: "Communication protocols add resilience only if deployed well and that everything - authentication, key rotation, terminal control, anomaly detection - are actually enforced."
