|
Top-level
The key unlock was deleted in newer PLC software versions, but the lock logic remained. After a certain update by NEWAG, the cabin controls would also display scary messages about copyright violations if the HMI detected a subset of conditions that should've engaged the lock but the train was still operational. The trains also had a GSM telemetry unit that was broadcasting lock conditions, and in some cases appeared to be able to lock the train remotely. 3/4 116 comments
@Ifrauding @q3k @redford @mrtick @zaufanatrzeciastrona thank you @q3k @redford @mrtick @zaufanatrzeciastrona is anyone getting sued at least? Because this is ridiculously anticompetitive behaviour.  @AlgorithmWolf @AlgorithmWolf @q3k @redford @mrtick @zaufanatrzeciastrona unfortunately, it is usually the security expert detecting the issue, or the whistleblowers who get sued… @AlgorithmWolf @q3k @redford @mrtick @zaufanatrzeciastrona So far, the Polish Railway Transport Authority said that it is a matter for a civil dispute between the purchaser and the manufacturer and is washing its hands of it, but the news only broke, I really hope someone goes to jail pour encourager les autres. @Leszek_Karlik It feels a little bit like when VW had its cars detect whether they are on a test stand or not. I wonder if in this case the higher-ups will also pretend that they knew nothing about this code.  @AlgorithmWolf @q3k @redford @mrtick @zaufanatrzeciastrona it looks worse to me, it looks like they deliberately sabotaged the operation of public transportation vehicles. I hope it gets elevated to a criminal offense, this is worse than if a passenger got in a train and disabled it, which they would definitely go to jail for.
  @q3k @redford @mrtick @zaufanatrzeciastrona Is that a hack... or something put in place by company or its contractors? Your post said 3rd party? Is that to mean they were using cheaper service providers? ---  @JohnJBurnsIII "3rd party repair" it means mostly - independent from manufacturer but doing all stuff provided by law and using certified materials, parts and so on... Thank you. Still feels like it should not have been part of operational code in the system. To easy to abuse.  @JohnJBurnsIII @q3k it reads to me as "DRM to ensure that orgs who bought the trains were only using maintenance contractors authorised by the manufacturer" and I'm pretty sure that there's regulation against that kind of thing in other vehicles (cars, say) @outie @JohnJBurnsIII @q3k yeah, I think you're missing the story here, John. It's the train manufacturer doing very sketchy stuff to try and prevent operators from having them maintained anywhere but their shops. Like if your car maker slipped some bogus code in that made your car refuse to start if you had it serviced at the local garage. Or your phone manufacturer doing the same, ahem, Apple. OH. OK. Yes... I did not pick up it was OEM code. This sounds like HP locking down their printers to only use ORM replacement cartridges. Or Keurig doing similar for coffee pods.  @JohnJBurnsIII @adamw @outie @q3k Except this is like HP printers *pretending* they're out of ink when they're not, while warning you that only HP cartridges will work. 🤔 And given you can't really see into those cartridges - I think I would not be surprised that is not the case. I dumped my not quite 2 year old OfficeJet in 2012 - for repeated error codes no matter how many OEM new cartridges I stuck in there. In the end... >$100 in unused cartridges. Happily using Epson since then... so 11 years of use and no repairs needed. Does what I need (rarely print, but need it when I need it).  @JohnJBurnsIII @adamw @outie @q3k Both of which are also terrible and should be illegal, but definitely not on the same scale of badness as being able to REMOTELY DISABLE A PASSENGER VEHICLE!  @adamw @outie @JohnJBurnsIII @q3k And now let's see what @EU_Commission will do about that. It's good to mention, that for the anticompetitive behaviour (and worse) they can fine the manufacturer up to 10% of their worldwide turnover (not profit, turnover). @outie @JohnJBurnsIII @q3k  @q3k That's terrifying! Thank you for sharing (once it was declassified!) 🙀 @redford @mrtick @zaufanatrzeciastrona  @q3k @redford @mrtick @zaufanatrzeciastrona Wow. That's a talk I'll be looking out for on media.c3! Sounds like they were taking a leaves out of John Deere and Apple's books. Hopefully it leads to a harsh lesson for NEWAG. @q3k @redford @mrtick @zaufanatrzeciastrona At what point do people call this kind of stuff a protection racket?  @q3k @redford @mrtick @zaufanatrzeciastrona Very impressive work. Congratulations! I understand there´s no write-up of this available in English at this point? That would be great... @slothrop @redford @mrtick @zaufanatrzeciastrona We'll release a full writeup as part of our 37C3 talk. It's a lot of work to gather all the data :). @slothrop @q3k @redford @mrtick @zaufanatrzeciastrona I let Edge translate the Polish article to English and it was very readable (machine translation has come a long way...). DeepL or Google Translate will most likely also work very well.  @AUROnline sidenote: Firefox translations has a privacy-first local translation feature which works in your browser and works quite good, so you can use that too.  Ugh. This gross, abusive violation of social contract brings Unauthorized Bread to mind: @q3k @redford @mrtick @zaufanatrzeciastrona @kkarhan @raulinbonn @yacc143 @muiiio   @q3k @redford @mrtick @zaufanatrzeciastrona fascinating work! looking forward to the talk  @q3k @redford @mrtick @zaufanatrzeciastrona Dang, that really should be straight up illegal... @gudenau @beekir @q3k @mrtick @zaufanatrzeciastrona > timers are a legitimate thing for some maintenance items Not if they don't reset after that maintenance ;)  @q3k @redford @mrtick @zaufanatrzeciastrona > Niestety pociąg, którym badacz podąża do serwisu, spóźnia się. @q3k @redford @mrtick @zaufanatrzeciastrona Holymoly! 😮 I am really looking forward to this talk now! 🚃🔒 @q3k did you update the software to rerun the train on your own or Newag was forced to do it ? @stansobczyk @q3k No, we found a way to reset the locks without modifying the software :)  @q3k @redford @mrtick @zaufanatrzeciastrona wow!!!! amazing to have caught them doing this. GOOD JOB on the research. @q3k @redford @mrtick @zaufanatrzeciastrona wow cool, is not that anti-competitive behaviour somehow and likely illegal? I hope it is… I mean did you somehow report it or so?  @q3k Google translation of the Polish text in the window: Copyright infringement [Return] @q3k@social.hackerspace.pl does none of this count as contract violation by the manufacturer? this is intentional malice  @q3k The fuck? How can litteral backdoors in freaking public transportation be tolerated!? @q3k - Question, when you mention "GSM" here, do you mean it as a general phrase describing a cell signal, or is it referring to a part of the train's GSM-R system? |
Gregory's Server
@redford and @mrtick held an unrecorded talk a bout this at OhMyHack in Warsaw - I unfortunately couldn't make it because of Munich snow.
For now this is making the rounds in Polish-speaking sources, but we do have a talk scheduled about this at 37C3, in which we plan to do a deep dive into this and actually publish our findings.
@zaufanatrzeciastrona 's article about this: https://zaufanatrzeciastrona.pl/post/o-trzech-takich-co-zhakowali-prawdziwy-pociag-a-nawet-30-pociagow/