q3k :blobcatcoffee:

The key unlock was deleted in newer PLC software versions, but the lock logic remained.

After a certain update by NEWAG, the cabin controls would also display scary messages about copyright violations if the HMI detected a subset of conditions that should've engaged the lock but the train was still operational.

The trains also had a GSM telemetry unit that was broadcasting lock conditions, and in some cases appeared to be able to lock the train remotely.

3/4

116 comments
q3k :blobcatcoffee:

@redford and @mrtick held an unrecorded talk about this at OhMyHack in Warsaw - I unfortunately couldn't make it because of Munich snow.

For now this is making the rounds in Polish-speaking sources, but we do have a talk scheduled about this at 37C3, in which we plan to do a deep dive into this and actually publish our findings.

@zaufanatrzeciastrona 's article about this: zaufanatrzeciastrona.pl/post/o

OddOpinions5

@Ifrauding @q3k @redford @mrtick @zaufanatrzeciastrona

thank you
one thing you should learn as you leave your youthful days behind is that the world runs only cause of the incredible amount of work by volunteers, work on everything big and small, from your local library to big stuff like this

DELETED

@q3k @redford @mrtick @zaufanatrzeciastrona is anyone getting sued at least?

Because this is ridiculously anticompetitive behaviour.

Piiieps & Brummm

@AlgorithmWolf
I believe this could be used by a competitor. Unless they do the same.

@q3k @redford @mrtick @zaufanatrzeciastrona

dukp

@AlgorithmWolf @q3k @redford @mrtick @zaufanatrzeciastrona unfortunately, it is usually the security expert detecting the issue, or the whistleblowers who get sued…

DELETED

@dukp @q3k @redford @mrtick @zaufanatrzeciastrona true indeed...

Hopefully the EU cripples this manufacturer somehow.

Leszek Karlik

@AlgorithmWolf @q3k @redford @mrtick @zaufanatrzeciastrona

So far, the Polish Railway Transport Authority said that it is a matter for a civil dispute between the purchaser and the manufacturer and is washing its hands of it, but the news only broke, I really hope someone goes to jail pour encourager les autres.

tb

@Leszek_Karlik It feels a little bit like when VW had its cars detect whether they are on a test stand or not. I wonder if in this case the higher-ups will also pretend that they knew nothing about this code.

Moon

@AlgorithmWolf @q3k @redford @mrtick @zaufanatrzeciastrona it looks worse to me, it looks like they deliberately sabotaged the operation of public transportation vehicles. I hope it gets elevated to a criminal offense, this is worse than if a passenger got in a train and disabled it, which they would definitely go to jail for.

John Burns

@q3k @redford @mrtick @zaufanatrzeciastrona

Is that a hack... or something put in place by company or its contractors?

Your post said 3rd party? Is that to mean they were using cheaper service providers?

---
I can only imagine what riders experienced.

wikiyu

@JohnJBurnsIII "3rd party repair" it means mostly - independent from manufacturer but doing all stuff provided by law and using certified materials, parts and so on...

John Burns

@wikiyu

Thank you.

Still feels like it should not have been part of operational code in the system.

Too easy to abuse.

magsafe genitalia

@JohnJBurnsIII @q3k it reads to me as "DRM to ensure that orgs who bought the trains were only using maintenance contractors authorised by the manufacturer" and I'm pretty sure that there's regulation against that kind of thing in other vehicles (cars, say)

Adam Williamson :fedora:

@outie @JohnJBurnsIII @q3k yeah, I think you're missing the story here, John. It's the train manufacturer doing very sketchy stuff to try and prevent operators from having them maintained anywhere but their shops. Like if your car maker slipped some bogus code in that made your car refuse to start if you had it serviced at the local garage. Or your phone manufacturer doing the same, ahem, Apple.

John Burns

@adamw @outie @q3k

OH. OK. Yes... I did not pick up it was OEM code.

This sounds like HP locking down their printers to only use OEM replacement cartridges. Or Keurig doing similar for coffee pods.

M.S. Bellows, Jr.

@JohnJBurnsIII @adamw @outie @q3k Except this is like HP printers *pretending* they're out of ink when they're not, while warning you that only HP cartridges will work.

John Burns

@msbellows @adamw @outie @q3k

🤔

And given you can't really see into those cartridges - I think I would not be surprised that is not the case.

I dumped my not quite 2 year old OfficeJet in 2012 - for repeated error codes no matter how many OEM new cartridges I stuck in there. In the end... >$100 in unused cartridges.

Happily using Epson since then... so 11 years of use and no repairs needed. Does what I need (rarely print, but need it when I need it).

#NevermoreHP

just adrienne

@JohnJBurnsIII @adamw @outie @q3k Both of which are also terrible and should be illegal, but definitely not on the same scale of badness as being able to REMOTELY DISABLE A PASSENGER VEHICLE!

Matěj Cepl 🇪🇺 🇨🇿 🇺🇦

@adamw @outie @JohnJBurnsIII @q3k And now let's see what @EU_Commission will do about that. It's good to mention, that for the anticompetitive behaviour (and worse) they can fine the manufacturer up to 10% of their worldwide turnover (not profit, turnover).

Al

@outie @JohnJBurnsIII @q3k
I wouldn't be too sure about that. When your car phones home for update the corp can put anything they want in it. Just wait till you get a speeding ticket based on the recorded speeds of your car.

Cats Who Draw

@q3k That's terrifying! Thank you for sharing (once it was declassified!) 🙀 @redford @mrtick @zaufanatrzeciastrona

Phil M0OFX

@q3k @redford @mrtick @zaufanatrzeciastrona Wow. That's a talk I'll be looking out for on media.c3! Sounds like they were taking a leaf out of John Deere and Apple's books. Hopefully it leads to a harsh lesson for NEWAG.

qwertyoruiopz

@q3k @redford @mrtick @zaufanatrzeciastrona At what point do people call this kind of stuff a protection racket?

Central Illumination Agency

@q3k @redford @mrtick @zaufanatrzeciastrona Very impressive work. Congratulations!

I understand there's no write-up of this available in English at this point? That would be great...

q3k :blobcatcoffee:

@slothrop @redford @mrtick @zaufanatrzeciastrona

We'll release a full writeup as part of our 37C3 talk. It's a lot of work to gather all the data :).

AURonline 🏡

@slothrop @q3k @redford @mrtick @zaufanatrzeciastrona I let Edge translate the Polish article to English and it was very readable (machine translation has come a long way...). DeepL or Google Translate will most likely also work very well.

rugk

@AUROnline sidenote: Firefox translations has a privacy-first local translation feature which works in your browser and works quite well, so you can use that too.

DELETED

@gudenau @q3k @redford @mrtick @zaufanatrzeciastrona

Throwing bogus error codes after a hard-coded date sounds extremely suspect to me.

gudenau

@beekir @q3k @redford @mrtick @zaufanatrzeciastrona I was more talking about the geofencing thing but timers are a legitimate thing for some maintenance items. That one really depends on the specific details.

Michał Kowalczyk

@gudenau @beekir @q3k @mrtick @zaufanatrzeciastrona

> timers are a legitimate thing for some maintenance items

Not if they don't reset after that maintenance ;)

noodlejetski :verified_gay:

@q3k @redford @mrtick @zaufanatrzeciastrona

> Unfortunately, the train the researcher is taking to the service depot is running late.

Luke

@q3k @redford @mrtick @zaufanatrzeciastrona Holymoly! 😮 I am really looking forward to this talk now! 🚃🔒

Felix B. Ohmann

@q3k

well done. companies should not be able to get away with this.

stansobczyk

@q3k did you update the software to rerun the train on your own or Newag was forced to do it ?

Michał Kowalczyk

@stansobczyk @q3k No, we found a way to reset the locks without modifying the software :)

Irenes (many)

@q3k @redford @mrtick @zaufanatrzeciastrona wow!!!! amazing to have caught them doing this. GOOD JOB on the research.

rugk

@q3k @redford @mrtick @zaufanatrzeciastrona wow cool, is not that anti-competitive behaviour somehow and likely illegal? I hope it is…

I mean did you somehow report it or so?

anedroid

@q3k How backward this world is... still DRM, closed software, these aren't those times anymore. It's high time to update the outdated copyright laws, which made sense in the 19th century.

Stéphane Charette

@q3k Google translation of the Polish text in the window:

Copyright infringement
-------
Infringement of copyright to the vehicle control system is subject to civil and criminal liability under the principles set out in Chapters 8, 9 and 15 of the Act of 4 February 1994 on copyright and related rights.

[Return]

Vale@kujike.nai

@q3k@social.hackerspace.pl does none of this count as contract violation by the manufacturer? this is intentional malice

🐧DaveNull🐧 ☣️pResident Evil☣

@q3k The fuck? How can literal backdoors in freaking public transportation be tolerated!?

ksx4system

@q3k DRM is cancer, especially DRM in fucking public transport vehicles

mirabilos

@q3k where’s 4/4? threads don’t federate well, better put it all into one long post

cibo

@q3k
The audacity to display a copyright notice after they drmed a train. Proprietary software should be illegal, and prison would be a lighter sentence than these people deserve.

NavigatorBR

@q3k - Question, when you mention "GSM" here, do you mean it as a general phrase describing a cell signal, or is it referring to a part of the train's GSM-R system?
