LmCast :: Stay tuned in

Taiwan Incident Highlights Cybersecurity Gaps in Rail Systems

Recorded: May 15, 2026, 1:01 a.m.


A Taiwanese student experimenting with software-defined radio technology shut down three bullet trains for nearly an hour, leading to an anti-terrorism response.

Robert Lemos, Contributing Writer, May 15, 2026

The communications and monitoring platforms for rail networks have come under scrutiny following the recent "hacking" of a Taiwanese railway operator's radio system, which led to the emergency stoppage of three high-speed bullet trains for nearly an hour.

On April 5, a 23-year-old train enthusiast used a software-defined radio setup and hardware bought online to spoof a general alarm, or GA, alert to the operations center of Taiwan High Speed Rail (THSR). The company issued orders for emergency braking to the three high-speed trains in the vicinity of the signal, resulting in a 48-minute delay in service.

While few details have been reported, the compromise may have been simple — a voice or text that announced an emergency situation, says Wouter Bokslag, a founding partner of Dutch cybersecurity consultancy Midnight Blue, which has studied vulnerabilities in emergency radio systems. THSR reportedly used the emergency radio protocol known as Terrestrial Trunked Radio (TETRA), which can be secure, if set up correctly and maintained assiduously, but is also easy to leave in an insecure configuration, he says.

"These technologies — the core of it definitely is old stuff, but it's reliable," he says. "The TETRA Network, under certain conditions, can definitely be secure and could be a suitable solution here, but I suspect they were not running the strongest of configurations for their network."

Rail systems have increasingly come under scrutiny by cybersecurity researchers and cyberattackers. For two days in August 2023, hackers in Poland — who have a history of targeting trains — used a simple three-tone radio signal to order trains to stop, disrupting transportation in three different regions of the country. A month later, the pro-Iranian hacktivist group Cyber Avengers claimed that it had disrupted trains in Israel, although Israeli officials and cybersecurity firms refuted the claims.

The Taiwan incidents appear to be a more sophisticated version of the Poland Radio-Stop incidents, says Lukasz Olejnik, a cybersecurity consultant who studied the Poland incidents. For Poland, the hackers duplicated legacy analog tones that indicated an emergency, he says.

"For Taiwan, it apparently required understanding the environment and extracting or cloning the necessary parameters to inject them to cause an alarm," Olejnik says. "The lesson is that communication protocols add resilience only if deployed well and that everything — authentication, key rotation, terminal control, anomaly detection, et cetera — are actually enforced."

From End-of-Train to TETRA

Many facets of railway operations are open to cyberattacks and electronic spoofing. In July 2025, for example, the Cybersecurity and Infrastructure Security Agency (CISA) warned that US rail systems had a vulnerability that could allow the easy spoofing of communications to the end-of-train and head-of-train devices, leading to sudden train stoppage or even derailment.

The TETRA communications protocol is widely used by emergency responders, police, military, industrial applications, and of course, in rail systems. In 2023, and again in 2025, researchers at Midnight Blue discovered significant vulnerabilities in how the TETRA protocol was implemented, essentially leaving a low-security backdoor accessible to attackers.

Following those revelations, the European Telecommunications Standards Institute (ETSI) followed through on a pledge two years ago to publish the security algorithms for TETRA. While allowing public scrutiny of TETRA encryption is good, their accessibility allows attackers to analyze the security, while defenders have the more onerous job of upgrading and maintaining their network, says Midnight Blue's Bokslag.

"We have provided the public with all the information that's needed to be able to identify that [a network is insecure], but acting upon that is a complicated process," he says. "What probably exacerbates this is that we've had multiple reports of the system integrators, or even the vendors and equipment manufacturers, giving incorrect recommendations to their clients."

Rail systems have to deal with the fundamental problem that they have large attack surface areas, are geographically spread out, rely on decades-old legacy systems, and have many remote and hard-to-protect digital communications points, says Sean Tufts, field chief technology officer (CTO) for operational-technology security firm Claroty.

"Getting to that last switching station in the middle of a rail line and having the right communications with it and having cybersecurity bolted around it — that is a challenge for every single rail operator in the world," he says.

To protect their far-flung assets, rail companies need secure and reliable communications and the ability to collect telemetry from across their network, he says.

Drive-By Attacks, For Now ...

For the most part, rail disruption has been caused by hobbyist radio hackers and train enthusiasts, rather than by serious cybercriminals or nation-state actors. If that changes and rail systems come under sophisticated attacks, national economies could be impacted, as demonstrated by the impact of the Strait of Hormuz and the 20% drop in oil flows, Tufts says.

"If we had that in the United States — a 20% degradation in rail service — that would have cascading impacts into manufacturing, into goods, into food and beverage," he says. "That one singular pinch point can cause some massive disruptions."

Both the Taiwan and Poland rail-stop incidents highlight that attacks on transportation can have significant impact, even when the cause is simple, says consultant Olejnik. Rail operators need to put a greater focus on not only adopting secure technologies, but making sure they are securely deployed.

"Railways should migrate away from unauthenticated systems," he says. "Any safety-relevant radio command should be cryptographically and secured against replay and injection attacks."

The recent incident involving the disruption of the Taiwan High Speed Rail's communications system underscores significant cybersecurity gaps within rail network infrastructure, particularly concerning communication protocols. A Taiwanese student utilized software-defined radio technology to spoof a general alarm alert, causing an emergency stop for three high-speed bullet trains and resulting in a substantial delay in service. This event brought to light the fragility inherent in the communications and monitoring platforms used by rail networks.

THSR reportedly relied on the Terrestrial Trunked Radio (TETRA) protocol for emergency communication. TETRA can be secure when correctly configured and carefully maintained, but it is also easy to leave in an insecure configuration. Experts note that communication protocols only confer resilience if they are deployed well and if authentication, key rotation, terminal control, and anomaly detection are actually enforced. Wouter Bokslag of Midnight Blue suspects that THSR was not running the strongest configuration for its network.

The analysis draws parallels with previous incidents, such as the disruptions in Poland, where attackers duplicated legacy analog tones to order trains to stop. The context suggests that the Taiwanese event involved a more sophisticated methodology, requiring an adversary to understand the operational environment to extract or clone necessary parameters for injection. This highlights a crucial lesson: the strength of communication protocols is not inherent but depends entirely on the quality of their deployment and the enforcement of fundamental security principles throughout the entire system.

Research into TETRA systems has revealed existing vulnerabilities. In 2023, and again in 2025, researchers at Midnight Blue found significant flaws in how the TETRA protocol was implemented, which essentially left a low-security backdoor accessible to attackers. The European Telecommunications Standards Institute (ETSI) has since published the TETRA security algorithms for public scrutiny, but acting on that information is a complicated process for defenders, who must upgrade and maintain their networks. According to Bokslag, the problem is made worse by multiple reports of system integrators, vendors, and equipment manufacturers giving their clients incorrect recommendations.

Rail systems face a multitude of cybersecurity challenges because they involve large attack surface areas, rely on legacy systems, and possess numerous geographically dispersed and difficult-to-protect digital communication points. This foundational issue means that securing every segment of the railway, from the end-of-train systems to remote switching stations, remains a complex endeavor for rail operators globally.

The potential ramifications of successful attacks on transportation networks are severe, potentially causing cascading impacts across national economies by disrupting manufacturing, supply chains, and essential goods. If rail systems were compromised by sophisticated actors, the resulting economic fallout could be massive, illustrating how a single point of disruption can trigger widespread systemic failure. Consequently, operators must move beyond merely adopting new technologies to ensuring that all deployed systems are secured rigorously.

To mitigate future risks, consultants emphasize the necessity for railways to migrate away from unauthenticated systems. Safety-relevant radio commands must be cryptographically secured to guard against replay and injection attacks. Ultimately, protecting these critical assets requires a shift in focus toward secure deployment practices, ensuring that all aspects of the operational technology, including communication channels, are inherently secure rather than relying on peripheral defenses alone.
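The recommendation above, that safety-relevant radio commands be authenticated and protected against replay and injection, can be illustrated with a small receiver-side check. This is an added example, not code from the article and not a description of how TETRA or THSR's network works; the frame layout, terminal ID, key, and command code are hypothetical.

```python
import hashlib
import hmac
import struct

# Hypothetical per-terminal key table; a real deployment provisions and rotates keys.
TERMINAL_KEYS = {0x1A2B: b"constructed-demo-key-terminal-1a2b"}

TAG_LEN = 16                    # truncated HMAC-SHA256 tag, in bytes
HEADER = struct.Struct(">HQB")  # terminal id, message counter, command code
CMD_GENERAL_ALARM = 0x01        # hypothetical command code


def build_command(terminal_id, counter, command, key):
    """Sender side: serialize the command and append an authentication tag."""
    body = HEADER.pack(terminal_id, counter, command)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class CommandVerifier:
    """Receiver side: accept a command only if it is authentic and fresh."""

    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}  # highest counter accepted so far, per terminal

    def verify(self, frame):
        if len(frame) != HEADER.size + TAG_LEN:
            return "reject: malformed"
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        terminal_id, counter, _command = HEADER.unpack(body)
        key = self.keys.get(terminal_id)
        if key is None:
            return "reject: unknown terminal"
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison; a frame built without the key fails here.
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"
        # An authentic frame that was captured and re-sent carries an old counter.
        if counter <= self.last_counter.get(terminal_id, -1):
            return "reject: replay"
        # Only authenticated frames advance the counter, so forgeries cannot
        # push it forward and lock out the legitimate terminal.
        self.last_counter[terminal_id] = counter
        return "accept"
```

Rejections returned by `verify` are also the raw material for the anomaly detection the article mentions: a burst of bad-tag or replay results for one terminal ID is worth alerting on.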