A Student, 11 Walkie-Talkies and an SDR — How a University Senior Stopped Four High-Speed Trains and Exposed a Decade-Old Global Security Crisis
A 23-year-old Taiwanese student used consumer-grade radio hardware to infiltrate the Taiwan High Speed Rail’s TETRA communication network in April 2026 — halting four trains for 48 minutes. The incident is the latest and most dramatic consequence of a vulnerability researchers first warned about in 2023, and that remains largely unpatched worldwide.
Illustration: Forged General Alert signal from a compromised SDR halted four THSR trains simultaneously on the night of April 5, 2026.
Shortly after 11 p.m. on April 5, 2026, four high-speed trains on Taiwan’s flagship rail line came to an abrupt, unscheduled stop. The cause was not a mechanical failure, a collision risk, or a weather emergency — it was a 23-year-old English major from Providence University in Taoyuan, sitting somewhere near a base station with a laptop, a software-defined radio, and eleven handheld walkie-talkies.
The student, identified in Taiwanese media as Lin, transmitted a General Alert — the highest-priority emergency signal recognized by the TETRA communication protocol used by the Taiwan High Speed Rail Corporation (THSRC). The signal automatically commanded trains in the area to engage manual emergency braking. Four trains halted for 48 minutes before operations were restored. No passengers were injured, but the implications of what Lin had just demonstrated reached far beyond Taiwan’s rail network.
The Hack: How It Was Done
According to police and news reports from Taipei Times, UDN, and Newtalk, Lin purchased a software-defined radio (SDR) — an inexpensive device available online that can receive and transmit a wide range of radio frequencies under software control — and connected it between an antenna and a laptop. Using freely available software, he intercepted the THSRC’s TETRA radio communications, identified and decoded the system’s parameters, and then programmed those parameters into one of his eleven commercial handheld walkie-talkies.
A 21-year-old associate — identified as Chen, a former high school classmate from Taoyuan — reportedly provided additional critical THSRC system parameters. Both are now facing charges under Taiwan’s Railway Act and Criminal Code; the Railway Act carries a maximum sentence of ten years for endangering the operation of core rail communication infrastructure.
- Date of incident: April 5, 2026 at 23:23 local time
- Effect: Four THSR trains halted for 48 minutes via forged General Alert (GA) signal
- System targeted: THSRC TETRA communication network, operational for 19 years
- Tools used: Consumer SDR device, laptop, 11 commercial handheld radios
- Suspects: Lin, 23, English major (Providence University); Chen, 20, alleged accomplice
- Bail set: NT$100,000 (Lin) and NT$80,000 (Chen)
- Search executed: April 28, 2026 — laptop, SDR, and 11 radios seized
Lin’s claim that “the items were in my pocket and I accidentally pressed a button” was dismissed by investigators. Police traced the signal source using TETRA base station uplink logs — which record which towers received a transmission and at what signal strength, allowing triangulation — and then used CCTV footage from the surrounding area to identify and locate him at his rented residence.
The System: 19 Years of Unchanged Parameters
The THSRC TETRA system has reportedly been in operation for 19 years. Though it uses a seven-layer authentication mechanism, investigators believe its parameters had never been substantially updated during that period. This is the central technical vulnerability the incident exposed: not merely that the encryption standard was weak, but that a railway managing millions of passengers annually had left its authentication credentials effectively static for nearly two decades.
Reports suggest two possible failure modes. The first is that the THSRC system may not have been encrypted at all — running in cleartext — in which case Lin’s SDR simply listened and replayed, with no cryptographic attack required. The second, more technically involved possibility is that the system used TEA1 encryption, a TETRA algorithm that security researchers confirmed in 2023 contains a deliberate backdoor reducing its effective key length to a value brute-forceable on a consumer laptop in under a minute.
“By exploiting this issue, attackers can not only intercept radio communications of private security services at airports and railways — they can inject data traffic used for monitoring and control of industrial equipment.”
— Midnight Blue Research, TETRA:BURST Disclosure, 2023
The Wider Crisis: A Vulnerability Three Years Unpatched
To understand how a university student with off-the-shelf hardware could stop four high-speed trains, it is necessary to understand a disclosure that shook the critical infrastructure security world in July 2023 — and that, three years later, remains largely unresolved.
Dutch cybersecurity firm Midnight Blue published findings from over two and a half years of research into the TETRA standard — the dominant radio communication protocol used by law enforcement, military, rail operators, power utilities, and emergency services across more than 100 countries. They named the collection of vulnerabilities TETRA:BURST, and they were alarming.
The Vulnerability Record: What Was Found, What Was Fixed
The TETRA:BURST research identified five vulnerabilities. Two were classified as critical. In 2025, Midnight Blue returned with a second set of disclosures, named 2TETRA:2BURST, revealing that prior remediation efforts had been insufficient, and introducing additional novel attack vectors.
| CVE / ID | Description | Severity | Status |
|---|---|---|---|
| CVE-2022-24402 | TEA1 backdoor: 80-bit key reduced to ~32 bits, brute-forceable in under a minute on consumer hardware. Affects all critical infrastructure using TEA1 (rail, power, ports). | Critical | No software patch possible. Requires migration away from TEA1. |
| CVE-2022-24401 | Decryption oracle attack: AIE keystream generator uses publicly broadcast, unauthenticated network time, enabling interception of encrypted traffic. | Critical | Vendor patches issued — but 2025 research showed the fix was ineffective. |
| CVE-2022-24400 | Authentication flaw allows attackers to set the Derived Cipher Key (DCK) to zero, bypassing encryption on some devices. | Critical | Partially mitigated by firmware updates. |
| CVE-2022-24403 | Weak identity obfuscation scheme allows real-time de-anonymization and tracking of radio users. | Medium | Mitigated by migrating to TEA5–7 (TEA Set B). |
| CVE-2022-24404 | Lack of ciphertext authentication enables malleability attacks — messages can be modified in transit. | Critical | Partially addressed; requires E2EE layered on top. |
| CVE-2025-52944 | TETRA protocol lacks message authentication — arbitrary voice and data messages can be injected even with encryption enabled. Affects all TETRA operators. | Critical | No comprehensive patch available as of publication. |
| CVE-2025-52943 | Networks supporting multiple AIE algorithms share a network key. A recovered TEA1 key can decrypt TEA2/TEA3 traffic on the same network. | Critical | Requires disabling TEA1 and rotating all AIE keys. |
| MBPH-2025-003 | Architectural flaw in Sepura E2EE radios allows exfiltration of all TETRA key materials except device key K. | Unfixable | Architecturally unfixable. No patch possible. |
Why Critical Infrastructure Remains Exposed
The question asked immediately after the THSRC incident — “why is this not fixed?” — has a depressingly familiar answer in critical infrastructure security. Fixing TEA1 is not a matter of pushing a software update. Because the backdoor is embedded in the algorithm’s mathematical design, it can only be remediated by abandoning TEA1 entirely and migrating to a new encryption algorithm. For operators with 19-year-old hardware installations, that means capital expenditure, regulatory approvals, system downtime, and extensive re-certification — none of which happen quickly.
There is also a legal constraint that has trapped infrastructure operators. TEA1 was designed specifically for commercial, non-emergency-service use as part of export control compliance. Because TEA2 and TEA3 — the stronger alternatives — are reserved for emergency services, a railway or power utility that does not share its TETRA infrastructure with national emergency networks must use TEA1, or operate in cleartext. There has been no adequate middle path for many operators.
As of the THSRC incident in April 2026, TEA1’s backdoor remains present in any system that has not fully migrated away from it. Additionally, the 2025 research finding CVE-2025-52944 — that message injection is possible “regardless of whether client authentication is enforced by the network” — means that even operators who have hardened their authentication remain vulnerable to signal spoofing of the type executed in this incident.
The Investigation and Arrests
When the General Alert signal reached THSRC’s control center, operators called back to verify the emergency. The person who answered gave contradictory responses and then switched off the walkie-talkie — a move that itself constituted critical evidence. THSRC immediately inventoried all issued handsets, confirmed every authorized device was in its storage locker, and concluded that an unauthorized device had been cloned with their system parameters.
Working from TETRA base station uplink logs — which record the towers that received an uplink signal and the relative signal strength, enabling a rough triangulation of the transmitter’s location — police narrowed the geographic area. CCTV footage was then used to identify Lin and track him to his residence. On April 28, 2026, a search warrant was executed. Police seized eleven handheld radios, a laptop, and the software-defined radio.
Chen, the 20-year-old repeat student who allegedly supplied the critical network parameters, was arrested the following day. Both Lin and Chen reportedly attended the same high school in Taoyuan. Providence University confirmed a fourth-year English major by Lin’s name is enrolled and stated it would fully cooperate with police.
What Needs to Happen Now
Security researchers and industry bodies have outlined a consistent set of recommended actions since 2023. The THSRC incident illustrates, with painful precision, the cost of not acting on them. For any organization operating TETRA infrastructure, the minimum steps include auditing which encryption algorithm is active and treating any TEA1 deployment as a critical-priority replacement target.
Longer term, the incident points toward a structural rethink. TETRA’s proprietary, secret-algorithm model — in which security depended on obscurity rather than open peer review — is exactly the failure mode that security researchers have warned about for decades. The Midnight Blue team noted explicitly that keeping cryptographic algorithms secret is a violation of Kerckhoffs’ Principle, which states that a cipher should be secure even if everything about it except the key is public knowledge. Nineteen years of operational security predicated on “nobody will find this” ended on a single April night.
- Audit immediately: Identify which encryption algorithm (TEA1–4) is active on your network.
- Disable TEA1: If TEA1 is in use, treat it as an unfixed critical vulnerability and prioritize migration.
- Rotate parameters: Update all network keys and system parameters; never allow static credentials to persist for years.
- Layer E2EE: Add end-to-end encryption above the TETRA air interface for sensitive data channels.
- Monitor traffic anomalies: Base station uplink logs (as used in this investigation) can detect and geolocate unauthorized transmissions.
- Plan migration: Long-term, plan transition to systems using TEA5–7 or modern, openly peer-reviewed cryptographic standards.
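As an added example (not code from the article, THSRC, or the researchers it cites), the following Python sketches the detection step behind the "monitor traffic anomalies" item above and the investigation described earlier: screening base-station uplink logs for transmissions from handsets that are not in the issued inventory, then narrowing the transmitter's location from which sites heard it and at what signal strength. The log line format, site coordinates and ISSI inventory are all constructed for the example; real TETRA infrastructure logs differ by vendor.

```python
import re
from collections import defaultdict

# Constructed sample of base-station uplink log lines (not a real vendor format).
# Fields: timestamp, receiving site, sending subscriber id (ISSI), message type, RSSI in dBm.
UPLINK_LOG = """\
2026-04-05T23:23:04 site=BS-17 issi=4000123 msg=GENERAL_ALERT rssi=-61
2026-04-05T23:23:04 site=BS-18 issi=4000123 msg=GENERAL_ALERT rssi=-74
2026-04-05T23:23:04 site=BS-21 issi=4000123 msg=GENERAL_ALERT rssi=-88
2026-04-05T23:23:09 site=BS-17 issi=4000042 msg=VOICE rssi=-70
"""
# Constructed site coordinates (x, y in km on a local grid).
SITE_XY = {"BS-17": (10.0, 4.0), "BS-18": (14.0, 4.0), "BS-21": (12.0, 9.0)}
# Assumed inventory of handsets the operator actually issued; 4000123 is not among them.
AUTHORIZED_ISSI = {4000042, 4000043, 4000044}

LINE_RE = re.compile(r"(?P<ts>\S+) site=(?P<site>\S+) issi=(?P<issi>\d+) "
                     r"msg=(?P<msg>\S+) rssi=(?P<rssi>-?\d+)")

def parse_uplink_log(text):
    """One dict per well-formed line; malformed lines are skipped rather than crashing."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append({**m.groupdict(), "issi": int(m["issi"]), "rssi": int(m["rssi"])})
    return out

def group_transmissions(records):
    """Group by (timestamp, ISSI): one over-the-air transmission heard at several sites."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["ts"], r["issi"])].append(r)
    return groups

def find_rogue_transmissions(records, authorized):
    """Return (ts, issi, msg, sites_heard) for every transmission from an unissued ISSI.
    A GENERAL_ALERT from an unknown ISSI is the signature of the incident described above."""
    return [(ts, issi, recs[0]["msg"], len(recs))
            for (ts, issi), recs in group_transmissions(records).items()
            if issi not in authorized]

def estimate_position(recs, site_xy):
    """RSSI-weighted centroid of the receiving sites. Coarse on purpose: it narrows the
    area for follow-up (e.g. CCTV review); it does not pinpoint the transmitter."""
    wsum = xsum = ysum = 0.0
    for r in recs:
        if r["site"] not in site_xy:
            continue
        w = 10 ** (r["rssi"] / 10)          # dBm -> linear mW, so nearer sites weigh more
        x, y = site_xy[r["site"]]
        wsum, xsum, ysum = wsum + w, xsum + w * x, ysum + w * y
    return (xsum / wsum, ysum / wsum) if wsum else None
```

With the constructed data the rogue General Alert is heard by three sites and the centroid lands next to BS-17, the site that reported it strongest.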
Lin faces a maximum of ten years in prison under Taiwan’s Railway Act. Chen faces lesser charges for providing system parameters. But the more consequential verdict will be rendered not in a Taiwanese courtroom, but in the board meetings and procurement offices of rail operators, utility companies, and public safety agencies worldwide who have still not acted on warnings that are now approaching three years old — and that a 23-year-old with consumer electronics just proved correct.
- Taipei Times — “Student arrested for hacking high-speed rail communications” (April 2026)
- UDN / Newtalk (Traditional Chinese reporting on arrest details, April–May 2026)
- Midnight Blue — “TETRA:BURST” vulnerability disclosure, July 2023 · midnightblue.nl
- Midnight Blue — “2TETRA:2BURST” disclosure, Black Hat USA, August 2025
- ETSI / TCCA — Research Disclosures page, updated August 2025 · tcca.info
- The Hacker News — “New TETRA Radio Encryption Flaws Expose Law Enforcement Communications” (August 2025)
- Forescout Research — “TETRA:BURST Vulnerabilities: How to Mitigate Risk” (July 2023)
- Computer Weekly — “Tetra radio users’ comms may have been exposed for years”
- RTL-SDR Blog — “Encryption on the TETRA Protocol has been broken” (July 2023)
- Meijer, Bokslag, Wetzels — “All Cops Are Broadcasting” (USENIX Security / DEF CON 31, 2023)
