 I can finally reveal some research I've been involved with over the past year or so. We (@redford, @mrtick and I) have reverse engineered the PLC code of NEWAG Impuls EMUs. These trains were locking up for arbitrary reasons after being serviced at third-party workshops. The manufacturer argued that this was because of malpractice by these workshops, and that they should be serviced by them instead of third parties. 1/4 267 comments
The key unlock was deleted in newer PLC software versions, but the lock logic remained. After a certain update by NEWAG, the cabin controls would also display scary messages about copyright violations if the HMI detected a subset of conditions that should've engaged the lock but the train was still operational. The trains also had a GSM telemetry unit that was broadcasting lock conditions, and in some cases appeared to be able to lock the train remotely. 3/4 @redford and @mrtick held an unrecorded talk a bout this at OhMyHack in Warsaw - I unfortunately couldn't make it because of Munich snow. For now this is making the rounds in Polish-speaking sources, but we do have a talk scheduled about this at 37C3, in which we plan to do a deep dive into this and actually publish our findings. @zaufanatrzeciastrona 's article about this: https://zaufanatrzeciastrona.pl/post/o-trzech-takich-co-zhakowali-prawdziwy-pociag-a-nawet-30-pociagow/ @q3k @redford @mrtick @zaufanatrzeciastrona is anyone getting sued at least? Because this is ridiculously anticompetitive behaviour.   @q3k @redford @mrtick @zaufanatrzeciastrona Is that a hack... or something put in place by company or its contractors? Your post said 3rd party? Is that to mean they were using cheaper service providers? ---  @JohnJBurnsIII "3rd party repair" it means mostly - independent from manufacturer but doing all stuff provided by law and using certified materials, parts and so on... Thank you. Still feels like it should not have been part of operational code in the system. To easy to abuse. @JohnJBurnsIII @q3k it reads to me as "DRM to ensure that orgs who bought the trains were only using maintenance contractors authorised by the manufacturer" and I'm pretty sure that there's regulation against that kind of thing in other vehicles (cars, say)  @q3k That's terrifying! Thank you for sharing (once it was declassified!) 🙀 @redford @mrtick @zaufanatrzeciastrona  @q3k @redford @mrtick @zaufanatrzeciastrona Wow. That's a talk I'll be looking out for on media.c3! Sounds like they were taking a leaves out of John Deere and Apple's books. Hopefully it leads to a harsh lesson for NEWAG.  @q3k @redford @mrtick @zaufanatrzeciastrona At what point do people call this kind of stuff a protection racket?  @q3k @redford @mrtick @zaufanatrzeciastrona Very impressive work. Congratulations! I understand there´s no write-up of this available in English at this point? That would be great... @slothrop @redford @mrtick @zaufanatrzeciastrona We'll release a full writeup as part of our 37C3 talk. It's a lot of work to gather all the data :).    @kkarhan @BNetzA @EU_Commission Some relevant agencies are aware of the problem and are looking into this - can't say more than that yet.  @q3k @kkarhan @BNetzA @EU_Commission Some people in that manufacturer's offices ought to be sweating cold right now  @raulinbonn @q3k @BNetzA @EU_Commission I hope so, because they should not get away with 'we did it to enshure train safety and compliance' excuses. This is just flat-out criminal behaviour! Imagine if MAN were to disable trucks if they did get serviced by fire departments or logistics firms onsite instead of driven to a service center...  @kkarhan @raulinbonn @q3k @BNetzA @EU_Commission They should be treated as terrorists, or at least accomplices. They basically installed backdoors that could be used by anyone (including terrorists) to trivially sabotage infrastructure. @raulinbonn @yacc143 @q3k @BNetzA @EU_Commission And that alone should be considered as #Govware #Backdoor for foreign agents unless evidenced otherwise. Cuz we ain't talking about some "warranty void if removed" kinda sticker thing that would get the owner overcharged the next time they'd seek "authorized" support, but literal attacks of #PublicTransport #infrastructure that could be weaponized to impact #NatSec and #GlobalSec [i.e. blocking train tracks with bricked trains!]... @yacc143 @raulinbonn @q3k @BNetzA @EU_Commission Exactly. This is the kind of shite where @stman wants to scream "I TOLD YA SO!" so loud it could be heard in Poland... @kkarhan @q3k @BNetzA @EU_Commission see the update at the end of the writeup @ https://zaufanatrzeciastrona.pl/post/o-trzech-takich-co-zhakowali-prawdziwy-pociag-a-nawet-30-pociagow/ (the "Aktualizacja 2023-12-05 16:00" section, it's in Polish). Basically the "UTK" (transport ministry) appear to have said it's aware of it but it's a civil matter between the train operator and the manufacturer. @smcl @q3k @BNetzA @EU_Commission That's kinda sad and IMHO a big failure of said regulator. Imagine if car manufacturers were to leverage the same tech to prevent "unauthorized" / 3rd party repair... I'm pretty shure once politicians have their car refuse to start after a tire change at home they'll instantly start acting... @kkarhan @q3k @BNetzA @EU_Commission Just because the hidden code bombs have not been used yet by terrorists, does not make it less terrorism. If I read it correctly, this is even distributed in "a gps component broadcasts to the rest of the train if it should stop functioning". Wonder what it would take to emulate such a take down broadcast? Would a Dolphin Flipper be enough or would it need addon hardware? @yacc143 @q3k @BNetzA @EU_Commission Not only that, but it's trivial to not only jam GPS [would be interesting if said trains cease to drive without signal!] and it's likely even possible that a malicious #firmware update could basically "geofence" the entire world, bricking the train in the process... And that's just the things I could come up at a moments' notice. Imagine what state-sponsored attackers could do: How about #Ransomware'ing an entire train + passengers??? @q3k "One version of the controller actually contained GPS coordinates to contain the behaviour to third party workshops."   @manawyrm @martijn @q3k @redford @mrtick There is article 254a of our criminal code (sip.lex.pl/akty-prawne/dzu-dziennik-ustaw/kodeks-karny-16798683/art-254-a) > Whoever takes, destroys, damages, or makes unusable an element of a water supply, sewage, heat distribution, electricity, gas, or telecommunications network, or train, tram, trolleybus or metro line, causing a disruption to a part of, or the entire network, incurs a penalty of imprisonment for 6 months to 8 years. @martijn @q3k @redford @mrtick Ah, interesting. The definition of terrorism over here doesn't specifically include political goals, just "disturbing the peace of the public" is enough to meet the criteria (as far as I can tell, NAL of course). But yes, this is something that should be on every newspaper front page.   @q3k @redford @mrtick These trains are like $15M USD each. As costly and painful as it would be I'd put the OEM's CEO on 3-way while I phoned the CEO of a competitor and said "OEM1 just bricked my trains because they were gouging me on maintenance. You were runner up in the original bid, can you do better? If you can you'll have an order by end of week." if they tried this horseshit. Then explain to OEM1 CEO that they can expect their trains back as soon as I have replacement rolling stock.  @q3k@social.hackerspace.pl @redford@infosec.exchange @mrtick@infosec.exchange never have I ever thought People would have to expose DRM on a fucking train   @mansr @q3k WOW. Just wow. This is, as Cory Doctorow @pluralistic would put it, the enshittification of trains. These are John Deere-level shenanigans.      @q3k @redford @mrtick holy crap, and I thought the Bob's Space Racers logic bomb case was bad. This is EVIL. Please tell me there will be criminal charges brought on those responsible... at least substantial civil damages for the costs of servicing the disabled trains and getting them reprogrammed to clear out the fake faults.      @q3k This is absolutely fascinating, and also horrifyingly anticompetitive. I know the EU isn't perfect but I hope they're good at kneecapping companies for practices like this. i am very much looking forward to this talk. :* @q3k @redford@infosec.exchange @mrtick@infosec.exchange @bert_hubert Excited to be able to go to 37C3 and hear your train hacking story live!   @cstanhope Is this the future we all are looking forward to?  Polecam informacje o hackowaniu "samopsujących" się pociągów Newag od hackerów 👆 Olejcie pierdoły Onetu i innych klikbajciarzy 😉   This is super cool! I have not thought train controllers can be hacked and be revealed so much shady logic. @q3k Another example of why we should ensure FOSS firmware and software for critical public infrastructure. To read out the binary code from a device and converted it back to something human-understandable is very hard even with the best tools. Big thanks to @q3k @redford @mrtick for their painstaking efforts, it's inspirational work! @q3k @redford @mrtick may Louis Rossmann be on your side, good work! @q3k@social.hackerspace.pl @redford@infosec.exchange @mrtick@infosec.exchange How is this different from racketeering? Incredible work, the manufacturers of this EMU endangered lives and should face the full brunt of the law for this antisocial rent-seeking
@q3k pre-installed ransomware. Any clue on the legality of incorporating such a system, either with or without disclosing it to the customer? |
Gregory's Server
We found that the PLC code actually contained logic that would lock up the train with bogus error codes after some date, or if the train wasn't running for a given time. One version of the controller actually contained GPS coordinates to contain the behaviour to third party workshops.
It was also possible to unlock the trains by pressing a key combination in the cabin controls. None of this was documented.
2/4