q3k :blobcatcoffee:

We found that the PLC code actually contained logic that would lock up the train with bogus error codes after some date, or if the train wasn't running for a given time. One version of the controller actually contained GPS coordinates to contain the behaviour to third party workshops.

It was also possible to unlock the trains by pressing a key combination in the cabin controls. None of this was documented.

2/4

A Selectron CPU831 TCMS/PLC on a workbench, being probed and programmed.
Coordinates of a third-party workshop extracted from PLC, overlaid on a map.
q3k :blobcatcoffee:

The key unlock was deleted in newer PLC software versions, but the lock logic remained.

After a certain update by NEWAG, the cabin controls would also display scary messages about copyright violations if the HMI detected a subset of conditions that should've engaged the lock but the train was still operational.

The trains also had a GSM telemetry unit that was broadcasting lock conditions, and in some cases appeared to be able to lock the train remotely.

3/4

A NEWAG Impuls HMI complaining about copyright violation on cabin controls.
q3k :blobcatcoffee:

@redford and @mrtick held an unrecorded talk about this at OhMyHack in Warsaw - I unfortunately couldn't make it because of Munich snow.

For now this is making the rounds in Polish-speaking sources, but we do have a talk scheduled about this at 37C3, in which we plan to do a deep dive into this and actually publish our findings.

@zaufanatrzeciastrona 's article about this: zaufanatrzeciastrona.pl/post/o

OddOpinions5

@Ifrauding @q3k @redford @mrtick @zaufanatrzeciastrona

thank you
one thing you should learn as you leave your youthful days behind is that the world runs only cause of the incredible amount of work by volunteers, work on everything big and small, from your local library to big stuff like this

DELETED

@q3k @redford @mrtick @zaufanatrzeciastrona is anyone getting sued at least?

Because this is ridiculously anticompetitive behaviour.

Piiieps & Brummm

@AlgorithmWolf
I believe this could be used by a competitor. Unless they do the same.

@q3k @redford @mrtick @zaufanatrzeciastrona

dukp

@AlgorithmWolf @q3k @redford @mrtick @zaufanatrzeciastrona unfortunately, it is usually the security expert detecting the issue, or the whistleblowers who get sued…

DELETED

@dukp @q3k @redford @mrtick @zaufanatrzeciastrona true indeed...

Hopefully the EU cripples this manufacturer somehow.

John Burns

@q3k @redford @mrtick @zaufanatrzeciastrona

Is that a hack... or something put in place by company or its contractors?

Your post said 3rd party? Is that to mean they were using cheaper service providers?

---
I can only imagine what riders experienced.

wikiyu

@JohnJBurnsIII "3rd party repair" it means mostly - independent from manufacturer but doing all stuff provided by law and using certified materials, parts and so on...

John Burns

@wikiyu

Thank you.

Still feels like it should not have been part of operational code in the system.

Too easy to abuse.

metal gear remembrance

@JohnJBurnsIII @q3k it reads to me as "DRM to ensure that orgs who bought the trains were only using maintenance contractors authorised by the manufacturer" and I'm pretty sure that there's regulation against that kind of thing in other vehicles (cars, say)

Adam Williamson :fedora:

@outie @JohnJBurnsIII @q3k yeah, I think you're missing the story here, John. It's the train manufacturer doing very sketchy stuff to try and prevent operators from having them maintained anywhere but their shops. Like if your car maker slipped some bogus code in that made your car refuse to start if you had it serviced at the local garage. Or your phone manufacturer doing the same, ahem, Apple.

John Burns

@adamw @outie @q3k

OH. OK. Yes... I did not pick up it was OEM code.

This sounds like HP locking down their printers to only use OEM replacement cartridges. Or Keurig doing similar for coffee pods.

M.S. Bellows, Jr.

@JohnJBurnsIII @adamw @outie @q3k Except this is like HP printers *pretending* they're out of ink when they're not, while warning you that only HP cartridges will work.

John Burns

@msbellows @adamw @outie @q3k

🤔

And given you can't really see into those cartridges - I think I would not be surprised that is not the case.

I dumped my not quite 2 year old OfficeJet in 2012 - for repeated error codes no matter how many OEM new cartridges I stuck in there. In the end... >$100 in unused cartridges.

Happily using Epson since then... so 11 years of use and no repairs needed. Does what I need (rarely print, but need it when I need it).

#NevermoreHP

Cats Who Draw

@q3k That's terrifying! Thank you for sharing (once it was declassified!) 🙀 @redford @mrtick @zaufanatrzeciastrona

Phil M0OFX

@q3k @redford @mrtick @zaufanatrzeciastrona Wow. That's a talk I'll be looking out for on media.c3! Sounds like they were taking a leaves out of John Deere and Apple's books. Hopefully it leads to a harsh lesson for NEWAG.

qwertyoruiopz

@q3k @redford @mrtick @zaufanatrzeciastrona At what point do people call this kind of stuff a protection racket?

Rocketman

@q3k @redford @mrtick @zaufanatrzeciastrona Very impressive work. Congratulations!

I understand there´s no write-up of this available in English at this point? That would be great...

q3k :blobcatcoffee:

@slothrop @redford @mrtick @zaufanatrzeciastrona

We'll release a full writeup as part of our 37C3 talk. It's a lot of work to gather all the data :).

AURonline 🏡

@slothrop @q3k @redford @mrtick @zaufanatrzeciastrona I let Edge translate the Polish article to English and it was very readable (machine translation has come a long way...). DeepL or Google Translate will most likely also work very well.

anedroid

@q3k What a backward world... still DRM, closed software, those days are over. It's high time to update the outdated copyright laws that made sense in the 19th century.

Stéphane Charette

@q3k Google translation of the Polish text in the window:

Copyright infringement
-------
Infringement of copyright to the vehicle control system is subject to civil and criminal liability under the principles set out in Chapters 8, 9 and 15 of the Act of 4 February 1994 on copyright and related rights.

[Return]

Vale@kujike.nai

@q3k@social.hackerspace.pl does none of this count as contract violation by the manufacturer? this is intentional malice

🐧DaveNull🐧 ☣️pResident Evil☣

@q3k The fuck? How can literal backdoors in freaking public transportation be tolerated!?

patate-gnocchi

@q3k woah. such shady practices from the industry? I'm surprised /s

Kevin Karhan :verified:

@q3k Does any regulator know of this #Sabotage of #CriticalInfrastructure by the #Manufacturer?

I'm sure these trains ain't exclusive to one country and regulators from @BNetzA and @kartellamt@social.bund.de to @EU_Commission will likely be very interested in such deliberate acts of #AntiCompetiton, #AntiRepair and basically attacks on #PublicTransport #infrastructure done by #NEWAG to fleece customers!

I mean, this is next-level assholeism and makes #JohnDeere and #Apple look like #RightToRepair fans.

q3k :blobcatcoffee:

@kkarhan @BNetzA @EU_Commission

Some relevant agencies are aware of the problem and are looking into this - can't say more than that yet.

Raul

@q3k @kkarhan @BNetzA @EU_Commission Some people in that manufacturer's offices ought to be sweating cold right now

Kevin Karhan :verified:

@raulinbonn @q3k @BNetzA @EU_Commission

I hope so, because they should not get away with 'we did it to ensure train safety and compliance' excuses.

This is just flat-out criminal behaviour!

Imagine if MAN were to disable trucks if they did get serviced by fire departments or logistics firms onsite instead of driven to a service center...

Andreas K

@kkarhan @raulinbonn @q3k @BNetzA @EU_Commission

They should be treated as terrorists, or at least accomplices.

They basically installed backdoors that could be used by anyone (including terrorists) to trivially sabotage infrastructure.

Raul

@yacc143 @kkarhan @q3k @BNetzA @EU_Commission Of course as terrorists themselves, not just accomplices. Because they installed backdoors for themselves to surgically (while "invisibly") sabotage infrastructure at will.

Kevin Karhan :verified:

@raulinbonn @yacc143 @q3k @BNetzA @EU_Commission

And that alone should be considered as #Govware #Backdoor for foreign agents unless evidenced otherwise.

Cuz we ain't talking about some "warranty void if removed" kinda sticker thing that would get the owner overcharged the next time they'd seek "authorized" support, but literal attacks of #PublicTransport #infrastructure that could be weaponized to impact #NatSec and #GlobalSec [i.e. blocking train tracks with bricked trains!]...

Kevin Karhan :verified:

@yacc143 @raulinbonn @q3k @BNetzA @EU_Commission Exactly.

This is the kind of shite where @stman wants to scream "I TOLD YA SO!" so loud it could be heard in Poland...

Sean

@kkarhan @q3k @BNetzA @EU_Commission

see the update at the end of the writeup @ zaufanatrzeciastrona.pl/post/o (the "Aktualizacja 2023-12-05 16:00" section, it's in Polish). Basically the "UTK" (transport ministry) appear to have said it's aware of it but it's a civil matter between the train operator and the manufacturer.

Kevin Karhan :verified:

@smcl @q3k @BNetzA @EU_Commission

That's kinda sad and IMHO a big failure of said regulator.

Imagine if car manufacturers were to leverage the same tech to prevent "unauthorized" / 3rd party repair...

I'm pretty sure once politicians have their car refuse to start after a tire change at home they'll instantly start acting...

Andreas K

@kkarhan @q3k @BNetzA @EU_Commission
let's call it what it is, infrastructure #terrorism

Just because the hidden code bombs have not been used yet by terrorists, does not make it less terrorism.

If I read it correctly, this is even distributed in "a gps component broadcasts to the rest of the train if it should stop functioning". Wonder what it would take to emulate such a take down broadcast? Would a Dolphin Flipper be enough or would it need addon hardware?

Kevin Karhan :verified:

@yacc143 @q3k @BNetzA @EU_Commission

Not only that, but it's trivial to not only jam GPS [would be interesting if said trains cease to drive without signal!] and it's likely even possible that a malicious #firmware update could basically "geofence" the entire world, bricking the train in the process...

And that's just the things I could come up with at a moment's notice.

Imagine what state-sponsored attackers could do:

How about #Ransomware'ing an entire train + passengers???

Siegi 🇺🇦 🇬🇪 💜 🇨🇭

@kkarhan It's what I've been saying for years: now for electronic cars, before they go on the market, the source code *must* be available to customers (and all updates) for every component, before it is authorized to be on a road, or on a track for a train.

Without source code, our public services *must* refuse completely to buy trains (and a lot of others things).
@yacc143 @q3k @BNetzA @EU_Commission

Fabian ¯\_(ツ)_/¯

@q3k "One version of the controller actually contained GPS coordinates to contain the behaviour to third party workshops."
How the fuck is this legal?

muıııo

@q3k This is something I think @pluralistic will appreciate :)

Valentijn Sessink

@q3k btw lovely workbench photo, wrenches and all...

Elizabeth Burgess

@q3k This really makes you wonder what other manufacturers are doing. After all Apple has admitted to throttling the speed of their older devices. No wonder the environment is in such bad shape.

ティージェーグレェ

@q3k wow, evil.

The anti right to repair folks are horrible, clearly.

:verified_2:防空識別區𝒔𝒐𝒄𝟶

@q3k@social.hackerspace.pl Oh my god, companies doing fucked up evil shit for profit and lying about it? No way!

James Lavin

@q3k I once worked with a programmer who said that at a prior job they had had to repeatedly re-hire an expensive consultant to fix their code. Eventually they dug into it and discovered code literally named TimeBomb!

DELETED

@q3k Report this to the country's antitrust authority, the EU's antitrust authority and the USA's antitrust authority at the DoJ and FTC. I say never buy repair services from the official workshops ever again and launch a lawsuit for undocumented malicious anti-features that cost the public transport system and the taxpayers more money than they should have been charged for routine maintenance. A DDOS attack on the company that made the black box should also teach them a lesson. No more wagging the finger, groveling and complaining when you get screwed over.

Hugo Melder

@q3k

> None of this was documented.

I wonder why...

Congratulations for the great work!

James Akers

@q3k wow, so anti right to repair! Nice research!

Martin Piper (he/him) 💙💛🌻💉

@q3k so sue the manufacturer for making deliberately defective products.

Alex Rosenberg

@q3k Is this behavior illegal in Poland? It would be considered anti-competitive here in the US.

Adam

@q3k what y’all did is super impressive. What a story.

Matthias Bürcher

@q3k @glassbottommeg Looks like the train manufacturer is a subsidiary of an inkjet printer manufacturer. They have this kind of vendor lock-in business practices.
