Tagged: train

Student Arrested in Taiwan for using SDR and Handheld Radios to Halt Four High Speed Trains with TETRA Hack

The Taipei Times has reported that a 23-year-old university student in Taiwan has been arrested after using a software-defined radio and hand held radio to hack into Taiwan High Speed Rail Corporation's (THSRC) internal radio communications and halt four trains mid-service.

Chinese-language coverage from UDN and Newtalk fills in some details omitted in the English Taipei Times article. The system the student compromised is TETRA, and at 23:23 on April 5, 2026, the student transmitted a "General Alarm" (GA) signal, the highest-priority TETRA alert, which automatically instructs trains in the area to switch to manual emergency braking. Four trains were stopped for 48 minutes. THSRC's radio system has reportedly been in service for 19 years with seven verification layers, but parameters were apparently never meaningfully rotated over that period.

Police describe the suspect as buying an SDR online, connecting it between an antenna and a laptop, capturing THSRC traffic, and decoding the relevant parameters in software, then programming those parameters into one of his eleven handheld radios. A 21-year-old friend also allegedly supplied some critical THSRC parameters. The actual details of the 'hack' aren't entirely clear from the news articles. We suspect that the THSRC TETRA system is simply unencrypted, and that the student was able to spoof a legitimate signal. It's also possible that the THSRC TETRA system used TEA1 encryption, which is known to be broken

Police located the student through a combination of network-side TETRA logs and CCTV. When the THSRC control center called back to verify the alarm, the person on the other end gave contradictory answers and then powered the radio off, prompting THSRC to audit their handheld fleet, confirm every issued radio was accounted for in its storage locker, and report to police that the parameters had been cloned.

Base station logs from the THSRC TETRA infrastructure (which record which sites received the uplink, with multi-site signal strength narrowing the origin) were used to localize the transmission source, and CCTV from around the coverage area was then used to identify the student and trace him to his rental unit. Search warrants on 28 April seized 11 handheld radios, a laptop, and the SDR. 

He is currently out on NT$100,000 (3,200 USD) bail and faces up to ten years under Taiwan's Railway Act and Criminal Code, with an unconvincing "had it in my pocket and accidentally pressed the button" defense.

Stories like this are a reminder that experimenting with operational safety-of-life radio systems carries serious legal consequences. Back in 2016, we covered the case of Dejan Ornig, a Slovenian university student who used an RTL-SDR and the open source Osmocom TETRA decoder to discover that his country's police TETRA terminals were running unauthenticated, despite official documents stating otherwise. After seven years of court hearings, he ended up with a seven-month suspended sentence. More recently, we posted on the End of Train (EoT) vulnerability, where a security researcher demonstrated that an SDR can replicate the unauthenticated braking command on US freight trains.

The Equipment Seized by Police
The Equipment Seized by Police
A Taiwanese High Speed Train (Source: https://en.wikipedia.org/wiki/File:THSR_700T_TR17_20130907.jpg)
A Taiwanese High Speed Train (Source: https://en.wikipedia.org/wiki/File:THSR_700T_TR17_20130907.jpg)
Translated news graphic from https://udn.com/news/story/7315/9475450
Translated news graphic from https://udn.com/news/story/7315/9475450
 

DragonOS: Decoding Train Telemetry with SoftEOT and RTL-SDR

Over on his YouTube channel Aaron who created and maintains the DragonOS SDR Linux distribution, has uploaded a video demonstrating how to use an RTL-SDR and SoftEOT/PyEOT to decode North American wireless train telemetry.

HOT (Head of Train), EOT (End of Train) and DPU (Distributed Power Unit) telemetry is sent from various parts of a train and contains information about things like voltages, brake line pressure and to monitor for accidental separation of the train.

In his video Aaron uses his DragonOS Linux distribution, SDR++ with an RTL-SDR Blog V4 dongle and the SoftEOT and SoftDPU decoders. SoftEOT and SoftDPU are both Windows programs, however Aaron shows how to use WINE to run them in Windows. Later he shows how to use an alterative decoder called PyEOT which is based on GNU Radio.

DragonOS FocalX Decoding Train Telemetry w/ SoftEOT/PyEOT (RTLSDR V4, WINE AppImage, GR 3.10)

Decoding the ARES Train Protocol with an RTL-SDR

Over on YouTube user JellyImages has uploaded a video demonstrating his Windows based ARESrcvr software. ARES is a railway control communications protocol used by some trains in the USA. His code connects to an RTL-SDR dongle, and demodulates the ARES protocol, providing decoded packets to ATSCMon via UDP on localhost.

ATSCMon allows you to view train telemetry data, and see on a rail map where that control indication came from. It appears that ATSCMon actually already supports ARES decoding via audio piping, but the decoder by JellyImages is a cleaner solution that doesn't require audio piping. In the past we've posted about one other YouTube user whose uploaded videos on using ATSCMon to monitor trains [Post 1][Post 2].

JellyImages also notes that his software only supports the ARES protocol which is used mostly around former Burlington Northern (BN) territory in the USA.

Monitoring Train Railway Lines with an RTL-SDR and ATCS Monitor

Back in June Gus Gorman showed us via a YouTube tutorial and demo how to monitor ATCS (Advanced Train Control System) signals from trains. ATCS is found in the USA and is used for things like communications between trains, rail configuration data, train location data, speed enforcement, fuel monitoring, train diagnostics and general instructions and messages. Gus used an RTL-SDR and the ATCS Monitor software to decode the signals and give us a view of the current state of the railway line.

In his latest video Gus gives a better demonstration of the software by parking outside a train station so that he can receive many more signals from the trains. At the start of the video he shows the track view of BNSF trains, and then later switches over to the Union Pacific track view.

ATCS Monitor RTL-SDR at Omaha Train Station

Tracking Trains: Monitoring Railroad ATCS Control Signals with an RTL-SDR

Over on his YouTube channel GusGorman402 has uploaded a tutorial which shows how he monitors ATCS (Advanced Train Control System) signals from trains. ATCS signals are found in the USA, and is used for things like communications between trains, rail configuration data, train location data, speed enforcement, fuel monitoring, train diagnostics and general instructions and messages.

In the video he first shows how to determine the frequency of trains signals in your area by using the US FCC database. He then shows how to download and install the ATCSMonitor software which is used for decoding the signals, and then walks us through configuring the correct settings within the software. The train signal audio is piped from SDR# to ATCSMonitor via VBCable, and received with an RTL-SDR and simple whip antenna.

Later in the video he shows how to fully set up the software with train databases so that the actual spotted train names show up. He also shows how to set up the dispatcher display which visually shows the current train locations and track configurations.

GusGorman402 has uploaded the tutorial in two videos. The first shows the full tutorial, configuration and demo for trains in the BNSF fleet. The second video shows how to monitor the Union Pacific fleet which uses a different protocol, which requires a slightly different set up in ATCSMonitor.

RTL-SDR Railroad ATCS Monitor BNSF Omaha

RTL-SDR Railroad ATCS Monitor Union Pacific Omaha