|
Top-level
We found that the PLC code actually contained logic that would lock up the train with bogus error codes after some date, or if the train wasn't running for a given time. One version of the controller actually contained GPS coordinates to contain the behaviour to third party workshops. It was also possible to unlock the trains by pressing a key combination in the cabin controls. None of this was documented. 2/4 159 comments
@redford and @mrtick held an unrecorded talk a bout this at OhMyHack in Warsaw - I unfortunately couldn't make it because of Munich snow. For now this is making the rounds in Polish-speaking sources, but we do have a talk scheduled about this at 37C3, in which we plan to do a deep dive into this and actually publish our findings. @zaufanatrzeciastrona 's article about this: https://zaufanatrzeciastrona.pl/post/o-trzech-takich-co-zhakowali-prawdziwy-pociag-a-nawet-30-pociagow/ @Ifrauding @q3k @redford @mrtick @zaufanatrzeciastrona thank you @q3k @redford @mrtick @zaufanatrzeciastrona is anyone getting sued at least? Because this is ridiculously anticompetitive behaviour.  @AlgorithmWolf @AlgorithmWolf @q3k @redford @mrtick @zaufanatrzeciastrona unfortunately, it is usually the security expert detecting the issue, or the whistleblowers who get sued…   @q3k @redford @mrtick @zaufanatrzeciastrona Is that a hack... or something put in place by company or its contractors? Your post said 3rd party? Is that to mean they were using cheaper service providers? ---  @JohnJBurnsIII "3rd party repair" it means mostly - independent from manufacturer but doing all stuff provided by law and using certified materials, parts and so on... Thank you. Still feels like it should not have been part of operational code in the system. To easy to abuse.  @JohnJBurnsIII @q3k it reads to me as "DRM to ensure that orgs who bought the trains were only using maintenance contractors authorised by the manufacturer" and I'm pretty sure that there's regulation against that kind of thing in other vehicles (cars, say) @outie @JohnJBurnsIII @q3k yeah, I think you're missing the story here, John. It's the train manufacturer doing very sketchy stuff to try and prevent operators from having them maintained anywhere but their shops. Like if your car maker slipped some bogus code in that made your car refuse to start if you had it serviced at the local garage. Or your phone manufacturer doing the same, ahem, Apple. OH. OK. Yes... I did not pick up it was OEM code. This sounds like HP locking down their printers to only use ORM replacement cartridges. Or Keurig doing similar for coffee pods.  @JohnJBurnsIII @adamw @outie @q3k Except this is like HP printers *pretending* they're out of ink when they're not, while warning you that only HP cartridges will work. 🤔 And given you can't really see into those cartridges - I think I would not be surprised that is not the case. I dumped my not quite 2 year old OfficeJet in 2012 - for repeated error codes no matter how many OEM new cartridges I stuck in there. In the end... >$100 in unused cartridges. Happily using Epson since then... so 11 years of use and no repairs needed. Does what I need (rarely print, but need it when I need it).  @q3k That's terrifying! Thank you for sharing (once it was declassified!) 🙀 @redford @mrtick @zaufanatrzeciastrona  @q3k @redford @mrtick @zaufanatrzeciastrona Wow. That's a talk I'll be looking out for on media.c3! Sounds like they were taking a leaves out of John Deere and Apple's books. Hopefully it leads to a harsh lesson for NEWAG. @q3k @redford @mrtick @zaufanatrzeciastrona At what point do people call this kind of stuff a protection racket?  @q3k @redford @mrtick @zaufanatrzeciastrona Very impressive work. Congratulations! I understand there´s no write-up of this available in English at this point? That would be great... @slothrop @redford @mrtick @zaufanatrzeciastrona We'll release a full writeup as part of our 37C3 talk. It's a lot of work to gather all the data :). @slothrop @q3k @redford @mrtick @zaufanatrzeciastrona I let Edge translate the Polish article to English and it was very readable (machine translation has come a long way...). DeepL or Google Translate will most likely also work very well.  Ugh. This gross, abusive violation of social contract brings Unauthorized Bread to mind: @q3k @redford @mrtick @zaufanatrzeciastrona @kkarhan @raulinbonn @yacc143 @muiiio   @q3k @redford @mrtick @zaufanatrzeciastrona fascinating work! looking forward to the talk  @q3k @redford @mrtick @zaufanatrzeciastrona Dang, that really should be straight up illegal...  @q3k Google translation of the Polish text in the window: Copyright infringement [Return] @q3k@social.hackerspace.pl does none of this count as contract violation by the manufacturer? this is intentional malice  @q3k The fuck? How can litteral backdoors in freaking public transportation be tolerated!?  @kkarhan @BNetzA @EU_Commission Some relevant agencies are aware of the problem and are looking into this - can't say more than that yet.  @q3k @kkarhan @BNetzA @EU_Commission Some people in that manufacturer's offices ought to be sweating cold right now  @raulinbonn @q3k @BNetzA @EU_Commission I hope so, because they should not get away with 'we did it to enshure train safety and compliance' excuses. This is just flat-out criminal behaviour! Imagine if MAN were to disable trucks if they did get serviced by fire departments or logistics firms onsite instead of driven to a service center...  @kkarhan @raulinbonn @q3k @BNetzA @EU_Commission They should be treated as terrorists, or at least accomplices. They basically installed backdoors that could be used by anyone (including terrorists) to trivially sabotage infrastructure. @raulinbonn @yacc143 @q3k @BNetzA @EU_Commission And that alone should be considered as #Govware #Backdoor for foreign agents unless evidenced otherwise. Cuz we ain't talking about some "warranty void if removed" kinda sticker thing that would get the owner overcharged the next time they'd seek "authorized" support, but literal attacks of #PublicTransport #infrastructure that could be weaponized to impact #NatSec and #GlobalSec [i.e. blocking train tracks with bricked trains!]... @yacc143 @raulinbonn @q3k @BNetzA @EU_Commission Exactly. This is the kind of shite where @stman wants to scream "I TOLD YA SO!" so loud it could be heard in Poland... @kkarhan @q3k @BNetzA @EU_Commission see the update at the end of the writeup @ https://zaufanatrzeciastrona.pl/post/o-trzech-takich-co-zhakowali-prawdziwy-pociag-a-nawet-30-pociagow/ (the "Aktualizacja 2023-12-05 16:00" section, it's in Polish). Basically the "UTK" (transport ministry) appear to have said it's aware of it but it's a civil matter between the train operator and the manufacturer. @smcl @q3k @BNetzA @EU_Commission That's kinda sad and IMHO a big failure of said regulator. Imagine if car manufacturers were to leverage the same tech to prevent "unauthorized" / 3rd party repair... I'm pretty shure once politicians have their car refuse to start after a tire change at home they'll instantly start acting... @kkarhan @q3k @BNetzA @EU_Commission Just because the hidden code bombs have not been used yet by terrorists, does not make it less terrorism. If I read it correctly, this is even distributed in "a gps component broadcasts to the rest of the train if it should stop functioning". Wonder what it would take to emulate such a take down broadcast? Would a Dolphin Flipper be enough or would it need addon hardware? @yacc143 @q3k @BNetzA @EU_Commission Not only that, but it's trivial to not only jam GPS [would be interesting if said trains cease to drive without signal!] and it's likely even possible that a malicious #firmware update could basically "geofence" the entire world, bricking the train in the process... And that's just the things I could come up at a moments' notice. Imagine what state-sponsored attackers could do: How about #Ransomware'ing an entire train + passengers???  @kkarhan It's what i say for years, now for electronics cars, before to be on the market, the source code *must* be available to customers (and all updates) of every components before to authorize it to be on a road, and on a track for a train. Without source code, our public services *must* refuse completely to buy trains (and a lot of others things). @q3k "One version of the controller actually contained GPS coordinates to contain the behaviour to third party workshops."    @q3k This really makes you wonder what other manufacturers are doing. After all Apple has admitted to throttling the speed of their older devices. No wonder the environment is in such bad shape.  @q3k@social.hackerspace.pl Oh my god, companies doing fucked up evil shit for profit and lying about it? No way! @q3k I once worked with a programmer who said that at a prior job they had had to repeatedly re-hire an expensive consultant to fix their code. Eventually they dug into it and discovered code literally named TimeBomb!    @q3k Is this behavior illegal in Poland? It would be considered anti-competitive here in the US. @q3k @glassbottommeg Looks like the train manufacturer is a subsidy of a inkjet printer manufacturer. They have this kind of vendor lock-in business practices. |
Gregory's Server
The key unlock was deleted in newer PLC software versions, but the lock logic remained.
After a certain update by NEWAG, the cabin controls would also display scary messages about copyright violations if the HMI detected a subset of conditions that should've engaged the lock but the train was still operational.
The trains also had a GSM telemetry unit that was broadcasting lock conditions, and in some cases appeared to be able to lock the train remotely.
3/4