Taiwan Bullet Train Hack Highlights Cybersecurity Gaps in Rail Systems

Taiwan Bullet Train Hack Shows Cybersecurity Gaps in Rail Systems

Newsletter Sign-UpNewsletter Sign-UpCybersecurity TopicsRelated TopicsApplication SecurityCybersecurity CareersCloud SecurityCyber RiskCyberattacks & Data BreachesCybersecurity AnalyticsCybersecurity OperationsData PrivacyEndpoint SecurityICS/OT SecurityIdentity & Access Mgmt SecurityInsider ThreatsIoTMobile SecurityPerimeterPhysical SecurityRemote WorkforceThreat IntelligenceVulnerabilities & ThreatsRecent in Cybersecurity TopicsEndpoint SecurityChina's Webworm Uses Discord, Microsoft Graphs to Hack EU GovernmentsChina's Webworm Uses Discord, Microsoft Graphs to Hack EU GovernmentsbyAlexander CulafiMay 22, 20264 Min ReadApplication SecurityGitHub Confirms Breach, 4K Internal Repos StolenGitHub Confirms Breach, 4K Internal Repos StolenbyAlexander CulafiMay 20, 20263 Min ReadWorld Related TopicsDR GlobalMiddle East & AfricaAsia PacificLatin AmericaSee AllThe EdgeDR TechnologyEventsRelated TopicsUpcoming EventsPodcastsWebinarsSEE ALLResourcesRelated TopicsResource LibraryNewslettersPodcastsReportsVideosWebinarsWhite Papers Partner PerspectivesDark Reading Resource LibraryICS/OT SecurityCyber RiskCybersecurity OperationsVulnerabilities & ThreatsNewsBreaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa and the Asia PacificTaiwan Bullet Train Hack Highlights Cybersecurity Gaps in Rail SystemsA Taiwanese student experimenting with software-defined radio technology shut down three bullet trains for nearly an hour, leading to an anti-terrorism response.Robert Lemos,Contributing WriterMay 15, 20265 Min ReadSource eric107cvb via ShutterstockThe communications and monitoring platforms for rail networks has come under scrutiny following the recent "hacking" of a Taiwanese railway operators' radio system, which led to the emergency stoppage of three high-speed bullet trains for nearly an hour.On April 5, a 23-year-old train enthusiast used a software-defined radio set up and hardware bought online to spoof a general alarm, or GA, alert to the operations center of Taiwan High Speed Rail (THSR). The company issued orders for emergency braking to the three high-speed trains in the vicinity of the signal, resulting in a 48-minute delay in service.While few details have been reported, the compromise may have been simple — a voice or text that announced an emergency situation, says Wouter Bokslag, a founding partner of Dutch cybersecurity consultancy Midnight Blue, which has studied vulnerabilities in emergency radio systems. THSR reportedly used the emergency radio protocol known as Terrestrial Trunked Radio (TETRA), which can be secure, if set up correctly and maintained assiduously, but is also easy to leave in an insecure configuration, he says.Related:AI-Driven Cyberattack on Mexico Couldn't Breach OT Systems"These technologies — the core of it definitely is old stuff, but it's reliable," he says. "The TETRA Network, under certain conditions, can definitely be secure and could be a suitable solution here, but I suspect they were not running the strongest of configurations for their network."Rail systems have increasingly come under scrutiny by cybersecurity researchers and cyberattackers. For two days in August 2023, hackers in Poland — which have a history of targeting trains — used a simple three-tone radio signal to order trains to stop, disrupting transportation in three different regions of the country. A month later, the pro-Iranian hacktivist group Cyber Avengers claimed that it had disrupted trains in Israel, although Israeli officials and cybersecurity firms refuted the claims.The Taiwan incidents appear to be a more sophisticated version of the Poland Radio-Stop incidents, says Lukasz Olejnik, a cybersecurity consultant who studied the Poland incidents. For Poland, the hackers duplicated legacy analog tones that indicated an emergency, he says."For Taiwan, it apparently required understanding the environment and extracting or cloning the necessary parameters to inject them to cause an alarm," Olejnik says. "The lesson is that communication protocols add resilience only if deployed well and that everything — authentication, key rotation, terminal control, anomaly detection, et cetera —  are actually enforced."Related:Patch Now: Critical Flaw in OT Robot OS Gives Attackers ControlFrom End-of-Train to TETRAMany facets of railway operations are open to cyberattacks and electronic spoofing. In July 2025, for example, the Cybersecurity and Infrastructure Security Agency (CISA) warned that US rail systems had a vulnerability that could allow the easy spoofing of communications to the end-of-train and head-of-train devices, leading to sudden train stoppage or even derailment.The TETRA communications protocol is widely used by emergency responders, police, military, industrial applications, and of course, in rail systems. In 2023, and again in 2025, researchers at Midnight Blue discovered significant vulnerabilities in how the TETRA protocol was implemented, essentially leaving a low-security backdoor accessible to attackers.Following those revelations, the European Telecommunications Standards Institute (ETSI) followed through on a pledge two years ago to publish the security algorithms for TETRA. While allowing public scrutiny of TETRA encryption is good, their accessibility allows attackers to analyze the security, while defenders have the more onerous job of upgrading and maintaining their network, says Midnight Blue's Bokslag."We have provided the public with all the information that's needed to be able to identify that [a network is insecure], but acting upon that is a complicated process," he says. "What probably exacerbates this is that we've had multiple reports of the system integrators, or even the vendors and equipment manufacturers, giving incorrect recommendations to their clients."Related:Serial-to-IP Devices Hide Thousands of Old & New BugsRail systems have to deal with the fundamental problem that they have large attack surface areas, are geographically spread out, rely on decades-old legacy systems, and have many remote and hard-to-protect digital communications points, says Sean Tufts, field chief technology officer (CTO) for operational-technology security firm Claroty."Getting to that last switching station in the middle of a rail line and having the right communications with it and having cybersecurity bolted around it — that is a challenge for every single rail operator in the world," he says.To protect their far-flung assets, rail companies need secure and reliable communications and the ability to collect telemetry from across their network, he says.Drive-By Attacks, For Now ...For the most part, rail disruption has been caused by hobbyist radio hackers and train enthusiasts, rather than by serious cybercriminals or nation-state actors. If that changes and rail systems come under sophisticated attacks, national economies cold be impacted, as demonstrated by the impact of the Strait of Hormuz and the 20% drop in oil flows, Tufts says."If we had that in the United States — a 20% degradation in rail service — that would have cascading impacts into manufacturing, into goods, into food and beverage," he says. "That one singular pinch point can cause some massive disruptions."Both the Taiwan and Poland rail-stop incidents highlight that attacks on transportation can have significant impact, even when the cause is simple, says consultant Olejnik. Rail operators need to put a greater focus on not only adopting secure technologies, but making sure they are securely deployed."Railways should migrate away from unauthenticated systems," he says. "Any safety-relevant radio command should be cryptographically and secured against replay and injection attacks."Don't miss the latest Dark Reading Confidential podcast, How the Story of a USB Penetration Test Went Viral. Two decades ago Dark Reading posted its first blockbuster piece — a column by a pen tester who sprinkled rigged thumb drives around a credit union parking lot and let curious employees do the rest. This episode looks back at the history-making piece with its author, Steve Stasiukonis. Listen now!Read more about:DR Global Asia PacificAbout the AuthorRobert LemosContributing WriterRob is an award-winning, veteran technology journalist of more than 30 years, reporting on global cybersecurity issues, the latest offensive and defensive technologies, malware incidents, cyber conflict, and AI's impact on software and cybersecurity. A former research engineer, Rob has written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. He has received five awards for journalism, including Best Deadline Journalism (Online) in 2003 for his coverage of the Blaster worm. Rob also analyzes data on various trends using Python and R for both his reporting and his clients. Recent reports include analyses of the shortage in cybersecurity workers, annual vulnerability trends, and annual threat reports.Rob holds degrees from Cornell University in Electrical Engineering and Computer Science (double major).See more from Robert LemosWant more Dark Reading stories in your Google search results?Add Us NowMore InsightsIndustry ReportsHow Organizations Are Managing Incident ResponseHow Enterprises Are Developing Secure ApplicationsInside RSAC 2026: security leaders reveal the risks redefining your defense strategyHow Enterprises Are Harnessing Emerging Technologies in CybersecurityDitch the Data Center: Understanding Flexible Cloud Infrastructure Security ManagementAccess More ResearchWebinarsBuild vs. Buy: The Hidden Cost of Building Your Own AI Security StackDefending in the Shadow Era: When the CVE Feed Goes DarkBuilding SecOps That Make the Most of Every DollarAI-Powered Credential Security: Intelligence Without ExposureAI-Powered Cybersecurity for Resource-Constrained OrganizationsMore