q3k :blobcatcoffee:

I can finally reveal some research I've been involved with over the past year or so.

We (@redford, @mrtick and I) have reverse engineered the PLC code of NEWAG Impuls EMUs. These trains were locking up for arbitrary reasons after being serviced at third-party workshops. The manufacturer argued that this was because of malpractice by these workshops, and that they should be serviced by them instead of third parties.

1/4

@mrtick@infosec.exchange in front of an Impuls.
q3k :blobcatcoffee:

We found that the PLC code actually contained logic that would lock up the train with bogus error codes after some date, or if the train wasn't running for a given time. One version of the controller actually contained GPS coordinates to contain the behaviour to third party workshops.

It was also possible to unlock the trains by pressing a key combination in the cabin controls. None of this was documented.

2/4

A Selectron CPU831 TCMS/PLC on a workbench, being probed and programmed.
Coordinates of a third-party workshop extracted from PLC, overlaid on a map.
q3k :blobcatcoffee:

The key unlock was deleted in newer PLC software versions, but the lock logic remained.

After a certain update by NEWAG, the cabin controls would also display scary messages about copyright violations if the HMI detected a subset of conditions that should've engaged the lock but the train was still operational.

The trains also had a GSM telemetry unit that was broadcasting lock conditions, and in some cases appeared to be able to lock the train remotely.

3/4

A NEWAG Impuls HMI complaining about copyright violation on cabin controls.
q3k :blobcatcoffee:

@redford and @mrtick held an unrecorded talk about this at OhMyHack in Warsaw - I unfortunately couldn't make it because of Munich snow.

For now this is making the rounds in Polish-speaking sources, but we do have a talk scheduled about this at 37C3, in which we plan to do a deep dive into this and actually publish our findings.

@zaufanatrzeciastrona's article about this: zaufanatrzeciastrona.pl/post/o

DELETED

@q3k @redford @mrtick @zaufanatrzeciastrona is anyone getting sued at least?

Because this is ridiculously anticompetitive behaviour.

John Burns

@q3k @redford @mrtick @zaufanatrzeciastrona

Is that a hack... or something put in place by company or its contractors?

Your post said 3rd party? Is that to mean they were using cheaper service providers?

---
I can only imagine what riders experienced.

wikiyu

@JohnJBurnsIII "3rd party repair" mostly means independent from the manufacturer, but doing everything required by law and using certified materials, parts and so on...

John Burns

@wikiyu

Thank you.

Still feels like it should not have been part of operational code in the system.

Too easy to abuse.

metal gear remembrance

@JohnJBurnsIII @q3k it reads to me as "DRM to ensure that orgs who bought the trains were only using maintenance contractors authorised by the manufacturer" and I'm pretty sure that there's regulation against that kind of thing in other vehicles (cars, say)

Cats Who Draw

@q3k That's terrifying! Thank you for sharing (once it was declassified!) 🙀 @redford @mrtick @zaufanatrzeciastrona

Phil M0OFX

@q3k @redford @mrtick @zaufanatrzeciastrona Wow. That's a talk I'll be looking out for on media.c3! Sounds like they were taking a leaf out of John Deere's and Apple's books. Hopefully it leads to a harsh lesson for NEWAG.

qwertyoruiopz

@q3k @redford @mrtick @zaufanatrzeciastrona At what point do people call this kind of stuff a protection racket?

Rocketman

@q3k @redford @mrtick @zaufanatrzeciastrona Very impressive work. Congratulations!

I understand there's no write-up of this available in English at this point? That would be great...

q3k :blobcatcoffee:

@slothrop @redford @mrtick @zaufanatrzeciastrona

We'll release a full writeup as part of our 37C3 talk. It's a lot of work to gather all the data :).

anedroid

@q3k What a backward world... still DRM, closed software, those times are over. It's high time to update the outdated copyright laws that made sense in the 19th century.

patate-gnocchi

@q3k woah. such shady practices from the industry? I'm surprised /s

Kevin Karhan :verified:

@q3k Does any regulator know of this #Sabotage of #CriticalInfrastructure by the #Manufacturer?

I'm sure these trains ain't exclusive to one country and regulators from @BNetzA and @kartellamt@social.bund.de to @EU_Commission will likely be very interested in such deliberate acts of #AntiCompetiton, #AntiRepair and basically attacks on #PublicTransport #infrastructure done by #NEWAG to fleece customers!

I mean, this is next-level assholeism and makes #JohnDeere and #Apple look like #RightToRepair fans.

q3k :blobcatcoffee:

@kkarhan @BNetzA @EU_Commission

Some relevant agencies are aware of the problem and are looking into this - can't say more than that yet.

Raul

@q3k @kkarhan @BNetzA @EU_Commission Some people in that manufacturer's offices ought to be sweating cold right now

Kevin Karhan :verified:

@raulinbonn @q3k @BNetzA @EU_Commission

I hope so, because they should not get away with 'we did it to ensure train safety and compliance' excuses.

This is just flat-out criminal behaviour!

Imagine if MAN were to disable trucks if they did get serviced by fire departments or logistics firms onsite instead of driven to a service center...

Andreas K

@kkarhan @raulinbonn @q3k @BNetzA @EU_Commission

They should be treated as terrorists, or at least accomplices.

They basically installed backdoors that could be used by anyone (including terrorists) to trivially sabotage infrastructure.

Raul

@yacc143 @kkarhan @q3k @BNetzA @EU_Commission Of course as terrorists themselves, not just accomplices. Because they installed backdoors for themselves to surgically (while "invisibly") sabotage infrastructure at will.

Kevin Karhan :verified:

@raulinbonn @yacc143 @q3k @BNetzA @EU_Commission

And that alone should be considered as #Govware #Backdoor for foreign agents unless evidenced otherwise.

Cuz we ain't talking about some "warranty void if removed" kinda sticker thing that would get the owner overcharged the next time they'd seek "authorized" support, but literal attacks of #PublicTransport #infrastructure that could be weaponized to impact #NatSec and #GlobalSec [i.e. blocking train tracks with bricked trains!]...

Kevin Karhan :verified:

@yacc143 @raulinbonn @q3k @BNetzA @EU_Commission Exactly.

This is the kind of shite where @stman wants to scream "I TOLD YA SO!" so loud it could be heard in Poland...

Sean

@kkarhan @q3k @BNetzA @EU_Commission

see the update at the end of the writeup @ zaufanatrzeciastrona.pl/post/o (the "Aktualizacja 2023-12-05 16:00" section, it's in Polish). Basically the "UTK" (transport ministry) appear to have said it's aware of it but it's a civil matter between the train operator and the manufacturer.

Kevin Karhan :verified:

@smcl @q3k @BNetzA @EU_Commission

That's kinda sad and IMHO a big failure of said regulator.

Imagine if car manufacturers were to leverage the same tech to prevent "unauthorized" / 3rd party repair...

I'm pretty sure once politicians have their car refuse to start after a tire change at home they'll instantly start acting...

Andreas K

@kkarhan @q3k @BNetzA @EU_Commission
let's call it what it is, infrastructure #terrorism

Just because the hidden code bombs have not been used yet by terrorists, does not make it less terrorism.

If I read it correctly, this is even distributed in "a gps component broadcasts to the rest of the train if it should stop functioning". Wonder what it would take to emulate such a take down broadcast? Would a Dolphin Flipper be enough or would it need addon hardware?

Kevin Karhan :verified:

@yacc143 @q3k @BNetzA @EU_Commission

Not only that, but it's trivial to not only jam GPS [would be interesting if said trains cease to drive without signal!] and it's likely even possible that a malicious #firmware update could basically "geofence" the entire world, bricking the train in the process...

And that's just the things I could come up with at a moment's notice.

Imagine what state-sponsored attackers could do:

How about #Ransomware'ing an entire train + passengers???

Fabian ¯\_(ツ)_/¯

@q3k "One version of the controller actually contained GPS coordinates to contain the behaviour to third party workshops."
How the fuck is this legal?

muıııo

@q3k This is something I think @pluralistic will appreciate :)

Martijn van Dijk

@q3k @redford @mrtick That's some awesome stuff. This kind of behaviour from manufacturers should be illegal - if it isn't already!

Manawyrm | Sarah

@martijn @q3k @redford @mrtick
I fail to see how this isn't terrorism!

Interfering with a state's critical infrastructure (like train operations) on purpose?

What's the difference between doing this and sabotaging equipment/cutting cables (like has been done in Germany recently)?

Manawyrm | Sarah

@martijn @q3k @redford @mrtick

Germany has a law against this, which is pretty clear: gesetze-im-internet.de/stgb/__

Section 88 - Anti-constitutional sabotage
(1) Whoever, [...] intentionally causes, [...], enterprises or facilities which provide public postal services or public transportation services, [...] to cease to function [...] incurs a penalty of imprisonment for a term not exceeding five years or a fine.
(2) The attempt is punishable.

Is there something similar in PL?

opliko

@manawyrm @martijn @q3k @redford @mrtick There is article 254a of our criminal code (sip.lex.pl/akty-prawne/dzu-dziennik-ustaw/kodeks-karny-16798683/art-254-a)
quick translation:

> Whoever takes, destroys, damages, or makes unusable an element of a water supply, sewage, heat distribution, electricity, gas, or telecommunications network, or train, tram, trolleybus or metro line, causing a disruption to a part of, or the entire network, incurs a penalty of imprisonment for 6 months to 8 years.

Martijn van Dijk

@manawyrm @q3k @redford @mrtick Terrorism is a bit of a stretch IMO as there does not seem to be a political goal. On the other hand, sabotage of public infrastructure and severe anti-competitive behaviour seem rather straightforward to prove.

Manawyrm | Sarah

@martijn @q3k @redford @mrtick Ah, interesting. The definition of terrorism over here doesn't specifically include political goals, just "disturbing the peace of the public" is enough to meet the criteria (as far as I can tell, NAL of course).

But yes, this is something that should be on every newspaper front page.

Martijn van Dijk

@manawyrm @q3k @redford @mrtick Then it's just a matter of legal semantics. Either way, I think the people responsible for this should be held accountable.

Clark W Griswold until 25-Dec

@q3k @redford @mrtick This is straight up amazing. Bad-ass work. Congrats on being allowed to talk about it.

benedolt

@q3k @redford @mrtick This is absolutely crazy! This *must* be illegal, is it?

Third spruce tree on the left

@q3k @redford @mrtick These trains are like $15M USD each.

As costly and painful as it would be I'd put the OEM's CEO on 3-way while I phoned the CEO of a competitor and said "OEM1 just bricked my trains because they were gouging me on maintenance. You were runner up in the original bid, can you do better? If you can you'll have an order by end of week." if they tried this horseshit. Then explain to OEM1 CEO that they can expect their trains back as soon as I have replacement rolling stock.

Third spruce tree on the left

@q3k @redford @mrtick (I'm sure there's lots of reasons and penalties that prevent this from happening in real life... is why I don't run a transit company)

pancake :radare2: 🌱

@q3k i was reading the comments for that :3 the lulzboat and the xdtrain ;D

Raul

@q3k @redford @mrtick Clearly shows that supply-chain cyber-insecurity does not just apply to tech from foreign companies or countries. Masterful rev-engineering, well done!

DELETED

@q3k @redford @mrtick

1. Incredibly cool, I don't think I've ever seen anyone reverse engineer a train before (I mean, how did you guys even get permission to do that?).

2. How incredibly stupid is it that private companies are now bullying the transport infrastructure with anti-repair practices like this? This should be considered an attack on the infrastructure, as it would likely cause monetary damage to whoever runs the train, and stop people from getting to places they need to go (and also stop freight transport).

Jessica's new Main

@q3k@social.hackerspace.pl @redford@infosec.exchange @mrtick@infosec.exchange never have I ever thought People would have to expose DRM on a fucking train
we truly live in the worst reality

coldclimate

@q3k great work. Don't let these buggers grind you down

Paweł Szczur :pix_mastodon:

@q3k @redford @mrtick will the manufacturer face any consequences? Have the vehicle owners taken any cases to court?

DELETED

@q3k @redford @mrtick
Really nice. Are there any videos of your talk?

Emmanuele Bassi

@q3k @redford @mrtick I bet the managers and engineers were all proud of this stuff

The Gus Fring "we are not the same" meme:

- You put DRM inside printer ink cartridges
- I put DRM inside trains
- We are not the same

Iván Rivera :veritrek:

@mansr @q3k WOW. Just wow. This is, as Cory Doctorow @pluralistic would put it, the enshittification of trains. These are John Deere-level shenanigans.

Henry

@jon have you seen this story? Apologies if you have.

@q3k @redford @mrtick

n0toose

@q3k @redford @mrtick will definitely give this a watch, congrats and I hope it'll inspire more people to do that!

ZetaTwo

@q3k @redford @mrtick Really looking forward to this presentation!

Tom 🐻

@q3k @redford @mrtick

This is some crazy shit, really looking forward to your talk guys!

ikanreed

@q3k @redford @mrtick With trains, doesn't "reverse engineering" mean making the engine go backwards?

vxo

@q3k @redford @mrtick holy crap, and I thought the Bob's Space Racers logic bomb case was bad. This is EVIL. Please tell me there will be criminal charges brought on those responsible... at least substantial civil damages for the costs of servicing the disabled trains and getting them reprogrammed to clear out the fake faults.

Cameron Purdy

@q3k @redford @mrtick ^ this is pretty amazing, that companies try pulling crap like this.

Pavel Machek

@q3k @redford @mrtick Wow. Jail time for the manufacturer? Sabotaging a product should not be okay :-(.

DrJackMiller

@q3k @redford @mrtick Genuinely amazing write up of somewhat quasi-DRM affecting…trains. Anticompetitive much!

LisPi

@q3k @mrtick @redford > The manufacturer argued that this was because of malpractice by these workshops

Funny how that goes, from where I'm standing it looks like they were projecting.

elly

@q3k @redford @mrtick Looking forward to seeing your talk, hopefully we won't have them scheduled at the same time!

Cysio :verified_gay:​

@q3k @redford @mrtick holy fucking bingle

I hereby apologize to the old trusty EN57 for making fun of it

Davide_Sandini

@q3k

@redford @mrtick It's really a shame!!
I see that those trains were sold to Italian railway companies: can I have more information on the models that you reverse engineered?

Adam Procio

@q3k @redford @mrtick

Hey, it's DRM, but for trains!

- NEWAG, somewhere, sometime, probably

Softwarewolf

@q3k This is absolutely fascinating, and also horrifyingly anticompetitive. I know the EU isn't perfect but I hope they're good at kneecapping companies for practices like this.

Psentee

@q3k @redford @mrtick Oh, wow. That's the one #37c3 talk I'll have to watch live. Kudos!

GNU/overflo

@q3k @redford @mrtick

i am very much looking forward to this talk.
excellent work!
please visit me at the hardware hacking area (day 1&2), i have a gift for you guys

:*

Axel

@q3k @redford@infosec.exchange @mrtick@infosec.exchange @bert_hubert

Excited to be able to go to 37C3 and hear your train hacking story live!

Al

@q3k @redford @mrtick
a good reason to support FLOSS software. We, the people, need to see the code and to stop this kind of corporate abuse.

Kermode

@cstanhope
I did see this also on HN earlier today at work. Cool to see the actual ppl on fedi now though :-)
news.ycombinator.com/item?id=3

@q3k @redford @mrtick

Joachim Tuchel

@q3k @redford @mrtick

Is this the future we all are looking forward to?
"Sorry, I detected you are using uncertified wiper blades from a third party. Cannot start the engine. Please contact a local contract workshop to order original wiper blades. Press here to continue"

Edi'Hael :verified:

@q3k @redford @mrtick Amazing work! really disappointing behaviour by the manufacturer, though. Definitely looking forward to the talk :)

m0bi

@q3k

I recommend the information from the hackers about the hacking of Newag's "self-breaking" trains 👆

Ignore the nonsense from Onet and the other clickbaiters 😉

@redford @mrtick

sxpert

@q3k @HonkHase what comes next? The state suing Newag?

Apicultor 🐝

@q3k @redford @mrtick No PPE in a rail yard? Naughty boy!

Srsly tho, fucking impressive work, and despicable behaviour on the part of NEWAG.

Markus Vervier 👾

Very cool research! This kind of logic bomb was apparently standard in the 80s and 90s....do you know how old the code in question is? @q3k @redford @mrtick

Xian Wang

This is super cool! I never thought train controllers could be hacked and reveal so much shady logic.

Dima Pasechnik 🇺🇦 🇳🇱

@q3k @redford @mrtick
Very interesting. Can you do UK Hitachi trains? They are notoriously unreliable on the software side. E.g. pressing the emergency button in a toilet can basically disable a train. I experienced that once myself, when a small child pressed such a button while the train was at a station, and after 40 minutes of frantic activity, even involving engineers called from a depot nearby, we were told to disembark and board another train.

Maybe it's symptoms of the same disease, Hitachi wanting more maintenance contracts?

🕊:verified:

@q3k @redford @mrtick has the customer sued the manufacturer for conspiracy to commit fraud? If the manufacturer argued that this was malpractice by the third party workshops while being aware of their own sabotage, that should easily meet the bar for conspiracy to commit fraud.

ITpony :bh_g_u:

@q3k @redford @mrtick Great work analyzing this. First I saw it here, then I saw that Louis Rossmann made a video about this... We need more awareness about this kind of stuff

Xesxen

@q3k
@redford @mrtick
Unsure if you saw this already, but Louis Rossmann published a video on your findings: youtu.be/w8NqBXT6Kos

xWood 🏳️‍🌈

@q3k @redford @mrtick I'm just a layman, but remotely disabling trains sounds like a safety and security issue

Eric Herman

Another example of why we should ensure FOSS firmware and software for critical public infrastructure.

Reading out the binary code from a device and converting it back to something human-understandable is very hard even with the best tools.

Big thanks to @q3k @redford @mrtick for their painstaking efforts, it's inspirational work!

Bruno Ranieri

@q3k @redford @mrtick I was involved in the development of a similar train from a competitor. So I am not surprised that they put such a kill switch in the software. I am surprised that it worked in a way, meaning without too many false positives.

ketchup71

@q3k @redford @mrtick This will probably be a very interesting talk at 37C3… 😃

Wintermute

@q3k@social.hackerspace.pl @redford@infosec.exchange @mrtick@infosec.exchange How is this different from racketeering?

This shouldn't be a civil issue. This should be criminal with all of the C-Suite of the company doing this facing criminal liability.

Rheristies

Incredible work, the manufacturers of this EMU endangered lives and should face the full brunt of the law for this antisocial rent-seeking

Timo Kramer

@q3k pre-installed ransomware. Any clue on the legality of incorporating such a system, either with or without disclosing it to the customer?
