hackerspace.pl is part of the decentralized social network powered by Mastodon.
A server by and for the members of the Warsaw Hackerspace.


q3k

I can finally reveal some research I've been involved with over the past year or so.

We (@redford, @mrtick and I) have reverse engineered the PLC code of NEWAG Impuls EMUs. These trains were locking up for arbitrary reasons after being serviced at third-party workshops. The manufacturer argued that this was because of malpractice by these workshops, and that they should be serviced by them instead of third parties.

1/4

December 5, 2023, 13:58

We found that the PLC code actually contained logic that would lock up the train with bogus error codes after some date, or if the train wasn't running for a given time. One version of the controller actually contained GPS coordinates to contain the behaviour to third party workshops.

It was also possible to unlock the trains by pressing a key combination in the cabin controls. None of this was documented.

2/4

The key unlock was deleted in newer PLC software versions, but the lock logic remained.

After a certain update by NEWAG, the cabin controls would also display scary messages about copyright violations if the HMI detected a subset of conditions that should've engaged the lock but the train was still operational.

The trains also had a GSM telemetry unit that was broadcasting lock conditions, and in some cases appeared to be able to lock the train remotely.

3/4

@redford and @mrtick held an unrecorded talk about this at OhMyHack in Warsaw - I unfortunately couldn't make it because of Munich snow.

For now this is making the rounds in Polish-speaking sources, but we do have a talk scheduled about this at 37C3, in which we plan to do a deep dive into this and actually publish our findings.

@zaufanatrzeciastrona 's article about this: zaufanatrzeciastrona.pl/post/o

On three guys who hacked a real train, or rather 30 trains | Zaufana Trzecia Strona | Independent source of news about the IT security world

@Ifrauding @q3k @redford @mrtick @zaufanatrzeciastrona

thank you
one thing you should learn as you leave your youthful days behind is that the world runs only because of the incredible amount of work by volunteers, work on everything big and small, from your local library to big stuff like this

@failedLyndonLaRouchite

+1 Agree. The economic impact of people who do things, not because of economics, but because they should be done, cannot be overstated.

Thank you!

@Ifrauding @q3k @redford @mrtick @zaufanatrzeciastrona

@failedLyndonLaRouchite
@Ifrauding @q3k @redford @mrtick @zaufanatrzeciastrona

For example, I seem to vaguely recall that, a generation ago, they did some study somewhere (was it Canada?) that healthcare cost such-and-such a dollar figure annually. Then women entered the workforce, kids moved away from parents, working hours expanded past the traditional workday, and they found: Holy crap, half the healthcare economy had actually been people taking care of family members for free.

#Volunteers

@q3k @redford @mrtick @zaufanatrzeciastrona is anyone getting sued at least?

Because this is ridiculously anticompetitive behaviour.

@AlgorithmWolf
I believe this could be used by a competitor. Unless they do the same.

@q3k @redford @mrtick @zaufanatrzeciastrona

@AlgorithmWolf @q3k @redford @mrtick @zaufanatrzeciastrona unfortunately, it is usually the security expert detecting the issue, or the whistleblowers who get sued…

@dukp @q3k @redford @mrtick @zaufanatrzeciastrona true indeed...

Hopefully the EU cripples this manufacturer somehow.

@AlgorithmWolf @dukp @q3k @redford @mrtick @zaufanatrzeciastrona Yes, the manufacturer should be excluded from EU contracts for the next 10 years.

@UlrikNyman @AlgorithmWolf @dukp @q3k @redford @mrtick @zaufanatrzeciastrona - was Volkswagen crippled or excluded from the EU contracts after they cheated on pollution tests?

@tom_andraszek @UlrikNyman @dukp @q3k @redford @mrtick @zaufanatrzeciastrona

Yes, actually nbcnews.com/business/autos/jud

The US also fined them.

In addition to this fine, they were forced to recall vehicles and fix them for free, which generates additional obvious costs while simultaneously undoing all the damage.

Maybe this manufacturer should be fined and forced to physically service every train unit for free to disable their DRM permanently. That would prevent them from having silly ideas in the future.

Volkswagen Slapped With Largest Ever Fine for Automakers | NBC News

@AlgorithmWolf @q3k @redford @mrtick @zaufanatrzeciastrona

So far, the Polish Railway Transport Authority said that it is a matter for a civil dispute between the purchaser and the manufacturer and is washing its hands of it, but the news only broke, I really hope someone goes to jail pour encourager les autres.

@Leszek_Karlik It feels a little bit like when VW had its cars detect whether they are on a test stand or not. I wonder if in this case the higher-ups will also pretend that they knew nothing about this code.

@AlgorithmWolf @q3k @redford @mrtick @zaufanatrzeciastrona it looks worse to me, it looks like they deliberately sabotaged the operation of public transportation vehicles. I hope it gets elevated to a criminal offense, this is worse than if a passenger got in a train and disabled it, which they would definitely go to jail for.

@Moon @mrtick @redford @zaufanatrzeciastrona @AlgorithmWolf @q3k And if it's not prosecuted, it may imply that there needs to be a bribery investigation too.

@AlgorithmWolf @q3k @redford @mrtick @zaufanatrzeciastrona sounds anti-consumer too. Manufacturer's just straight up sabotaging these trains?

@AlgorithmWolf @q3k @redford @mrtick @zaufanatrzeciastrona yes, Newag, the company that made the trains is talking about suing the hackers

@q3k @redford @mrtick @zaufanatrzeciastrona nice research, really looking forward to this!

@jomo @q3k @redford @mrtick @zaufanatrzeciastrona If not, I hope EU will focus on it during this decade

@q3k @redford @mrtick @zaufanatrzeciastrona

Is that a hack... or something put in place by company or its contractors?

Your post said 3rd party? Is that to mean they were using cheaper service providers?

---
I can only imagine what riders experienced.

@JohnJBurnsIII @q3k it reads to me as "DRM to ensure that orgs who bought the trains were only using maintenance contractors authorised by the manufacturer" and I'm pretty sure that there's regulation against that kind of thing in other vehicles (cars, say)

@outie @JohnJBurnsIII @q3k yeah, I think you're missing the story here, John. It's the train manufacturer doing very sketchy stuff to try and prevent operators from having them maintained anywhere but their shops. Like if your car maker slipped some bogus code in that made your car refuse to start if you had it serviced at the local garage. Or your phone manufacturer doing the same, ahem, Apple.

@adamw @outie @q3k

OH. OK. Yes... I did not pick up it was OEM code.

This sounds like HP locking down their printers to only use OEM replacement cartridges. Or Keurig doing similar for coffee pods.

@JohnJBurnsIII @adamw @outie @q3k Except this is like HP printers *pretending* they're out of ink when they're not, while warning you that only HP cartridges will work.

@msbellows @adamw @outie @q3k

🤔

And given you can't really see into those cartridges - I think I would not be surprised that is not the case.

I dumped my not quite 2 year old OfficeJet in 2012 - for repeated error codes no matter how many OEM new cartridges I stuck in there. In the end... >$100 in unused cartridges.

Happily using Epson since then... so 11 years of use and no repairs needed. Does what I need (rarely print, but need it when I need it).

#NevermoreHP

@JohnJBurnsIII @adamw @outie @q3k Both of which are also terrible and should be illegal, but definitely not on the same scale of badness as being able to REMOTELY DISABLE A PASSENGER VEHICLE!

@adamw @outie @JohnJBurnsIII @q3k And now let's see what @EU_Commission will do about that. It's good to mention that for the anticompetitive behaviour (and worse) they can fine the manufacturer up to 10% of their worldwide turnover (not profit, turnover).

@adamw @outie @JohnJBurnsIII @q3k checking against a blacklist of the GPS coordinates of third party repair shops is really out there compared to previously known hardware DRM shenanigans. what were the managers who authorised that thinking?! let's hope such examples lead to vigorous change in legislation. never thought we'd need "right to repair" for effing trains!

@outie @JohnJBurnsIII @q3k
I wouldn't be too sure about that. When your car phones home for an update the corp can put anything they want in it. Just wait till you get a speeding ticket based on the recorded speeds of your car.

@mral @outie @JohnJBurnsIII @q3k

Hold yer horses there buckaroo.

Don't try to threaten me with the one GOOD outcome scenario...

@apressler @outie @JohnJBurnsIII @q3k
I'm not sure what I said that was good. Do you really want a ticket every time you speed up to safely pass another car? There are a lot of times when you're doing 55 and the guy ahead is doing 54, so you speed up to pass without taking a mile.

@mral @apressler @outie @JohnJBurnsIII @q3k I'm sure there are ways to detect if you were just passing somebody or if you were speeding.

@mral @outie @JohnJBurnsIII @q3k

Such a method as proposed is frankly stupid since it only punishes after the fact, and preventing speeding is the desirable goal. A mandatory geo-gated speed limiter on all motor vehicles would be a much more efficient and effective solution. But if fines after the fact are all that are on offer, then yes. Give it to me.

But not for you, of course. You are special and deserve to be treated as such. I think you should be given lights and a siren.

@outie
There might also be good reasons why it's there.

Contract of purchase that maintenance has to be performed by the train manufacturer. I.e. they might have paid less upfront as the profit is from the later maintenance over x years of contract.

Critical safety systems such as Automatic Train Control that should only be touched by suitably qualified staff. Mess with this and the safety certification goes, which might mean the train isn't allowed to run on the network, not have insurance or mass fatalities.

@JohnJBurnsIII @q3k

@SuperMoosie @outie @JohnJBurnsIII @q3k this is not some random dude servicing the train. It's a train service yard with huge infrastructure and a huge contract. In this story they describe going through the huge maintenance manual and finding no mention of these things. If it's a certification thing then it should clearly state this.
badcyber.com/dieselgate-but-fo

Dieselgate, but for trains – some heavyweight hardware hacking | BadCyber

@Niall
Thanks for the translated article. Yeah, agree
@outie @JohnJBurnsIII @q3k

@SuperMoosie @outie @JohnJBurnsIII @q3k

Nope.

Critical safety / infrastructure systems can only be serviced by authorized service providers - valid concept.

Authorized by the manufacturer? Sketchy.

Enforced through secret code that locks the train using bogus fault codes? No excuses, that needs to be a heavy financial penalty for the company.

@outie @JohnJBurnsIII @q3k These trains are owned by governments right?

Ohhh I think there will be laws against this soon.

@q3k That's terrifying! Thank you for sharing (once it was declassified!) 🙀 @redford @mrtick @zaufanatrzeciastrona

@q3k @redford @mrtick @zaufanatrzeciastrona Wow. That's a talk I'll be looking out for on media.c3! Sounds like they were taking a leaf out of John Deere's and Apple's books. Hopefully it leads to a harsh lesson for NEWAG.

@q3k @redford @mrtick @zaufanatrzeciastrona At what point do people call this kind of stuff a protection racket?

@q3k @redford @mrtick @zaufanatrzeciastrona Very impressive work. Congratulations!

I understand there's no write-up of this available in English at this point? That would be great...

@slothrop @redford @mrtick @zaufanatrzeciastrona

We'll release a full writeup as part of our 37C3 talk. It's a lot of work to gather all the data :).