Executive Summary
In April 2026, a 23-year-old university student in Taiwan exploited vulnerabilities in the Taiwan High Speed Rail Corporation's (THSRC) TETRA communication system. Utilizing software-defined radio (SDR) equipment and handheld radios, the student transmitted a forged 'General Alarm' signal, causing four high-speed trains to halt operations for 48 minutes. The attack was facilitated by the static nature of the system's parameters, which had remained unchanged for 19 years, allowing the student to bypass multiple verification layers. Authorities arrested the individual, who now faces charges under Article 184 of the Criminal Law, with potential imprisonment of up to 10 years. This incident underscores the critical need for regular security assessments and updates in communication systems, especially those integral to public safety and infrastructure. The exploitation of longstanding vulnerabilities in the TETRA protocol highlights the urgency for organizations to proactively address potential security gaps to prevent similar disruptions in the future.
Attack Path Analysis
The attacker intercepted and decoded TETRA radio parameters using software-defined radio equipment, then programmed handheld radios to transmit unauthorized 'General Alarm' signals, triggering emergency braking procedures on Taiwan's high-speed rail system.
Kill Chain Progression
Initial Compromise
Description
The attacker intercepted and decoded TETRA radio parameters using software-defined radio equipment.
Related CVEs
CVE-2022-24401
CVSS 8.1 – An information disclosure vulnerability in the TETRA air-interface encryption protocol allows adversaries to induce keystream re-use through manipulation of TDMA frame counters.
Affected Products:
TETRA Air-Interface Encryption Protocol – All versions prior to fix
Exploit Status:
exploited in the wild
CVE-2025-52940
CVSS 8.1 – A vulnerability in the TETRA end-to-end encrypted voice stream allows replay attacks and injection of fake audio indistinguishable from legitimate communications.
Affected Products:
TETRA End-to-End Encrypted Voice Stream – All versions prior to fix
Exploit Status:
exploited in the wild
CVE-2025-52941
CVSS 9.1 – A deliberately weakened AES-128 variant in TETRA reduces key entropy from 128 bits to 56 bits, making brute-force attacks feasible.
Affected Products:
TETRA Encryption Algorithm – All versions prior to fix
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Wireless Compromise
Wireless Sniffing
Unauthorized Command Message
Traffic Signaling
Network Sniffing
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIS2 Directive – Security of Network and Information Systems
Control ID: Article 21
CISA Zero Trust Maturity Model 2.0 – Network and Environment
Control ID: Pillar 3
DORA – ICT Risk Management Framework
Control ID: Article 5
ISO/IEC 27001 – Network Controls
Control ID: A.13.1.1
NIST SP 800-53 – Cryptographic Key Establishment and Management
Control ID: SC-12
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Transportation
High-speed rail systems vulnerable to TETRA communication attacks enabling emergency brake manipulation, requiring encrypted traffic protection and east-west segmentation capabilities.
Railroad Manufacture
Railway infrastructure and signaling systems exposed to SDR-based attacks on legacy TETRA protocols, necessitating zero trust segmentation and anomaly detection.
Telecommunications
TETRA communication networks compromised through unencrypted traffic interception, demanding multicloud visibility controls and egress security policy enforcement for critical infrastructure.
Government Administration
State-supported transportation infrastructure targeted via physical attacks on communication systems, requiring threat detection capabilities and secure hybrid connectivity for resilience.
Sources
- Student hacked Taiwan high-speed rail to trigger emergency brakes – https://www.bleepingcomputer.com/news/security/student-hacked-taiwan-high-speed-rail-to-trigger-emergency-brakes/ (Verified)
- Student who allegedly disrupted rail network on bail – https://www.taipeitimes.com/News/taiwan/archives/2026/05/01/2003856571 (Verified)
- CVE-2022-24401: Tetra Information Disclosure Vulnerability – https://www.sentinelone.com/vulnerability-database/cve-2022-24401/ (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to exploit radio communications, thereby reducing the potential impact on railway operations.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to intercept and decode radio parameters could have been limited, reducing the likelihood of unauthorized access to communication channels.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to impersonate legitimate beacons could have been constrained, reducing the risk of unauthorized signal transmission.
Control: East-West Traffic Security
Mitigation: The attacker's ability to propagate unauthorized signals within the network could have been limited, reducing the potential for widespread disruption.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to maintain control over unauthorized transmissions could have been constrained, reducing the duration and impact of the attack.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive communication parameters could have been limited, reducing the risk of future attacks.
The attacker's ability to cause operational disruptions could have been constrained, reducing the overall impact on railway services.
Impact at a Glance
Affected Business Functions
- Train Operations
- Passenger Services
- Safety Systems
Estimated downtime: N/A
Estimated loss: N/A
No sensitive data exposure reported.
Recommended Actions
Key Takeaways & Next Steps
- Implement Encrypted Traffic (HPE) to secure TETRA communications and prevent unauthorized interception.
- Deploy Zero Trust Segmentation to enforce strict access controls and prevent unauthorized device impersonation.
- Utilize Threat Detection & Anomaly Response to monitor for and respond to unauthorized signal transmissions.
- Establish Multicloud Visibility & Control to gain comprehensive oversight of network communications and detect anomalies.
- Conduct regular security assessments and update communication protocols to address potential vulnerabilities.