College student hacks Taiwan high-speed rail line with software defined radios, stopping four trains — 19 years without crypto key rotation ends in predictable result as hacker sails through 7 layers of protection
Hacking an open barn door doesn't take effort, but it can be done responsibly.
Techies and trains have always had a fairly close relationship, but some people seem to take that relationship to toxic levels. About a month ago, a 23-year-old Taiwanese student "hacked" the country's high-speed rail line using an SDR (Software-Defined Radio) filter and radios, remotely broadcasting a General Alarm signal and triggering a manual emergency braking procedure.
The event brought four trains to a standstill for 48 minutes until the situation was verified as a false alarm, with reportedly no hard stops executed. Lin, the mind behind the operation, sailed through "seven verification layers" thanks to the fact that the TETRA (Terrestrial Trunked Radio) system in use hadn't had its cryptographic keys rotated in 19 years.
The extracurricular activity was quickly traced back to Lin, who seemingly answered the radio in an awkward manner and hung up. This prompted the train network to immediately review all beacons in use, followed by its CCTV footage. Working with the police, they followed the trail to Lin's home in Taichung. There, they found a laptop alongside several radios. Lin is now out on $3,200 bail while waiting for a trial and a judgment that could have him behind bars for 10 years.
Despite Lin's apparent lack of forethought, the "hack" didn't take much effort, as any radio system that goes 19 years without key rotation easily falls to a low-grade cloning attack. RTL-SDR speculates that the system in question used now-broken TEA1 encryption. However, we believe that since key rotation in TETRA needs to be configured and scheduled at installation, the likely answer is that it just wasn't implemented.
Lin reportedly also had information on how to access the comms of the New Taipei City Fire Department and the Taoyuan International Airport MRT Line. The incident triggered a round of political ping-pong to assess responsibilities for the weak security and a formal review of all aforementioned radio systems.
Democratic Progressive Party Legislator Ho Shin-chun clearly stated, "If a college student could hack into a system as sophisticated as that of the high-speed rail system, what would happen if the same thing happened with the Taiwan Railway Corp’s system?"
As for Lin, he's using the Looney Tunes defense that it was an accidental press of a button on the radio he had in his pocket. It would have been easy for him to conduct himself better and take the ethical route by disclosing the vulnerability to the relevant authorities, as Taiwan appears to have a highly progressive attitude towards civil hacking in all forms.
This is exemplified by the g0v initiative, which calls for open and transparent operations from regular citizens, an ethos that has official government support and was most useful during the COVID-19 pandemic. There's a yearly Presidential Hackathon, too, and Taiwan's National Institute of Cyber Security recently awarded $17,000 for 20 reported vulnerabilities across a range of products.
Bruno Ferreira is a contributing writer for Tom's Hardware. He has decades of experience with PC hardware and assorted sundries, alongside a career as a developer. He's obsessed with detail and has a tendency to ramble on the topics he loves. When not doing that, he's usually playing games, or at live music shows and festivals.
1_rick
"Oh, sure, I programmed my Flipper Zero to send an emergency stop when I pressed a button, but I totes didn't mean to actually use it, I just did it for funsies!"
That's like the guy in Florida several years ago that tried to rob a bank, and during the event, he dropped a gun he'd had in his pocket, and at trial tried to claim he didn't mean to use it so he shouldn't be subject to Florida's "automatic 10 years in jail for showing a gun during a violent crime" law.
TechGuy_93
This is Taiwan,
They should be thanking him and offering him a consultancy or a job.
Do they think if it had been discovered by the Chinese they would have used it in such a manner?
They would have targeted all systems they could and shut them down completely at the same time.
1_rick
TechGuy_93 said: "They should be thanking him and offering him a consultancy or a job."
Gotta disagree. He could've tried to bring this to the attention of the railway authority first. Instead, he emergency stopped four trains from his home, where the police eventually tracked him down, as the article says.
For that matter, if he just wanted to see if he could actually do anything, why not try something less potentially dangerous like changing a sign?
USAFRet
TechGuy_93 said: "They should be thanking him and offering him a consultancy or a job."
No.
Having the skills is only part of it.
A job in that realm would require one to not be an immature toolbag.
Sluggotg
TechGuy_93 said: "This is Taiwan,
They should be thanking him and offering him a consultancy or a job.
Do they think if it had been discovered by the Chinese they would have used it in such a manner?
They would have targeted all systems they could and shut them down completely at the same time."
Sorry, but I disagree. You don't hire a child molester to babysit your kids. You don't have a drug addict guard/inventory drugs.
Integrity matters. Just because someone has a few skills does not make them a good employee or a good person.
forestation
TechGuy_93 said: "This is Taiwan,
They should be thanking him and offering him a consultancy or a job.
Do they think if it had been discovered by the Chinese they would have used it in such a manner?
They would have targeted all systems they could and shut them down completely at the same time."
By that logic if a bank robber exposes a faulty alarm system you'd reward them too?
derekullo
That was really funny
We love your work!
What's your name?
Lin! ... aww crap
"Hangs up"