The communications and monitoring platforms for rail networks has come under scrutiny following the recent “hacking” of a Taiwanese railway operators’ radio system, which led to the emergency stoppage of three high-speed bullet trains for nearly an hour.
On April 5, a 23-year-old train enthusiast used a software-defined radio set up and hardware bought online to spoof a general alarm, or GA, alert to the operations center of Taiwan High Speed Rail (THSR). The company issued orders for emergency braking to the three high-speed trains in the vicinity of the signal, resulting in a 48-minute delay in service.
While few details have been reported, the compromise may have been simple — a voice or text that announced an emergency situation, says Wouter Bokslag, a founding partner of Dutch cybersecurity consultancy Midnight Blue, which has studied vulnerabilities in emergency radio systems. THSR reportedly used the emergency radio protocol known as Terrestrial Trunked Radio (TETRA), which can be secure, if set up correctly and maintained assiduously, but is also easy to leave in an insecure configuration, he says.
“These technologies — the core of it definitely is old stuff, but it’s reliable,” he says. “The TETRA Network, under certain conditions, can definitely be secure and could be a suitable solution here, but I suspect they were not running the strongest of configurations for their network.”
Rail systems have increasingly come under scrutiny by cybersecurity researchers and cyberattackers. For two days in August 2023, hackers in Poland — which have a history of targeting trains — used a simple three-tone radio signal to order trains to stop, disrupting transportation in three different regions of the country. A month later, the pro-Iranian hacktivist group Cyber Avengers claimed that it had disrupted trains in Israel, although Israeli officials and cybersecurity firms refuted the claims.
The Taiwan incidents appear to be a more sophisticated version of the Poland Radio-Stop incidents, says Lukasz Olejnik, a cybersecurity consultant who studied the Poland incidents. For Poland, the hackers duplicated legacy analog tones that indicated an emergency, he says.
“For Taiwan, it apparently required understanding the environment and extracting or cloning the necessary parameters to inject them to cause an alarm,” Olejnik says. “The lesson is that communication protocols add resilience only if deployed well and that everything — authentication, key rotation, terminal control, anomaly detection, et cetera — are actually enforced.”
From End-of-Train to TETRA
Many facets of railway operations are open to cyberattacks and electronic spoofing. In July 2025, for example, the Cybersecurity and Infrastructure Security Agency (CISA) warned that US rail systems had a vulnerability that could allow the easy spoofing of communications to the end-of-train and head-of-train devices, leading to sudden train stoppage or even derailment.
The TETRA communications protocol is widely used by emergency responders, police, military, industrial applications, and of course, in rail systems. In 2023, and again in 2025, researchers at Midnight Blue discovered significant vulnerabilities in how the TETRA protocol was implemented, essentially leaving a low-security backdoor accessible to attackers.
Following those revelations, the European Telecommunications Standards Institute (ETSI) followed through on a pledge two years ago to publish the security algorithms for TETRA. While allowing public scrutiny of TETRA encryption is good, their accessibility allows attackers to analyze the security, while defenders have the more onerous job of upgrading and maintaining their network, says Midnight Blue’s Bokslag.
“We have provided the public with all the information that’s needed to be able to identify that [a network is insecure], but acting upon that is a complicated process,” he says. “What probably exacerbates this is that we’ve had multiple reports of the system integrators, or even the vendors and equipment manufacturers, giving incorrect recommendations to their clients.”
Rail systems have to deal with the fundamental problem that they have large attack surface areas, are geographically spread out, rely on decades-old legacy systems, and have many remote and hard-to-protect digital communications points, says Sean Tufts, field chief technology officer (CTO) for operational-technology security firm Claroty.
“Getting to that last switching station in the middle of a rail line and having the right communications with it and having cybersecurity bolted around it — that is a challenge for every single rail operator in the world,” he says.
To protect their far-flung assets, rail companies need secure and reliable communications and the ability to collect telemetry from across their network, he says.
Drive-By Attacks, For Now …
For the most part, rail disruption has been caused by hobbyist radio hackers and train enthusiasts, rather than by serious cybercriminals or nation-state actors. If that changes and rail systems come under sophisticated attacks, national economies cold be impacted, as demonstrated by the impact of the Strait of Hormuz and the 20% drop in oil flows, Tufts says.
“If we had that in the United States — a 20% degradation in rail service — that would have cascading impacts into manufacturing, into goods, into food and beverage,” he says. “That one singular pinch point can cause some massive disruptions.”
Both the Taiwan and Poland rail-stop incidents highlight that attacks on transportation can have significant impact, even when the cause is simple, says consultant Olejnik. Rail operators need to put a greater focus on not only adopting secure technologies, but making sure they are securely deployed.
“Railways should migrate away from unauthenticated systems,” he says. “Any safety-relevant radio command should be cryptographically and secured against replay and injection attacks.”
Don’t miss the latest Dark Reading Confidential podcast, How the Story of a USB Penetration Test Went Viral. Two decades ago Dark Reading posted its first blockbuster piece — a column by a pen tester who sprinkled rigged thumb drives around a credit union parking lot and let curious employees do the rest. This episode looks back at the history-making piece with its author, Steve Stasiukonis. Listen now!
