37C3 - Breaking "DRM" in Polish trains
Published 2023-12-28
Reverse engineering a train to analyze a suspicious malfunction
We've all been there: the trains you're servicing for a customer suddenly brick themselves and the manufacturer claims that's because you've interfered with a security system.
This talk will tell the story of a series of Polish EMUs (Electric Multiple Unit) that all refused to move a few days after arriving at an “unauthorized” service company. We'll go over how a train control system actually works, how we reverse-engineered one and what sort of magical “security” systems we actually found inside of it.
Reality sometimes is stranger than the wildest CTF task. Reality sometimes is running `unlock.py` on a dozen trains.
The talk will be a mix of technical and non-technical aspects of the analysis and should be understandable for anyone with a technical background. We'll briefly explain what modern EMUs look like inside, how the Train Control & Monitoring System works, and how to analyze TriCore machine code.
Redford
q3k
MrTick
events.ccc.de/congress/2023/hub/event/breaking_drm…
#37c3 #HardwareMaking
All Comments (21)
-
Mad props to the one employee at SPS who was smart enough to realize something weird was going on, and smart enough to realize they couldn't tackle it alone.
-
"International compressor failure day" this is great! LMAO
-
Such undocumented blocking functions can have most serious consequences in the event of a national emergency, whether due to natural disasters or war. Therefore, criminal law should be applied accordingly, taking full advantage of the appropriate penalty framework.
-
The 61-minute session was more exciting than anything I've watched on Netflix in 2023.
-
wow this is wild, another example of why right to repair and open hardware are SO important
-
Amazing work. You guys are heroes for publicising this and presenting it so clearly for everyone to see. I hope that Newag loses a lot of business for this. I'd like to see a requirement to provide source code from public transit infrastructure manufacturers in the future, because I strongly suspect that Newag is not the only company doing anti-competitive things like this in their code.
-
These updates done by Newag days before the maintenance sound like a clear case of computer sabotage. That's not only "doing updates" without re-certification, that's doing updates with malicious intent, also known as "installing malware".
-
26 non-incremental code versions for 30 identical(??) trains... It seems to me that the Newag Agile Release Train is fully functional... 😬
-
This is the exact same reason why a lot of ice cream machines are broken at McDonald's in America. While the main McDonald's company has secret agreements with the ice cream machine manufacturer, it is a pain in the ass for the actual franchise owners to service their ice cream machines, because they frequently stop working and basically every other step in the manual for the McDonald's employees states "call certified repair technician". Over 40% of the revenue of the ice cream machine manufacturer comes from "servicing" for McDonald's, and there are secret codes to unlock the machines.
-
As a Polish citizen I'm proud of them! That's like a movie story: 43 minutes before the deadline they started it.
-
Awesome presentation. Newag should not just get fined. This warrants an investigation of the company internals and the people responsible for such malpractice should pay with some of their time. Community service or some jail time. Dissolving such companies would surely be a deterrent for others to follow suit.
-
Time to add full source code disclosure to the bid specifications…
-
Incredible work. Those PLC binaries are an absolute nightmare to work with and I generally tell clients that any useful black-box assessment is going to cost them way more than they would ever want to pay. Getting this quality and depth of reverse engineering done on such a challenging platform within such a short space of time is extraordinarily impressive. The fact that you were doing this to defeat predatory DRM is the icing on the cake. Huge props to all of you.
-
It was a good question at the end: Do they sell in other countries? Yes. It'll be interesting to see this become a multi-national scandal outside Poland as well; the EU will need to get involved, at least assuming only EU... It's like the train version of VW's diesel emissions "hacks".
-
I always thought these kinds of practices were limited to consumer devices; apparently the whole industry is now infected.
-
Wow! It's amazing that a traditional company trusted to collaborate with the hackers to find these instead of just giving up!
-
The geofencing enforced shutdown and shutdown based on date code is 100% egregious abuse. I hope the city gets all their money back for these trains. Also the company should be investigated to see if this is internal practice to add this malware. If so, programmers and managers should go to jail.
-
After the case was revealed, Janusz Cieszyński (former Minister of Digital Affairs) admitted that the matter was known to the Council of Ministers and the special services since May 2023, when it was presented at the cybersecurity committee. Earlier, since 2022, the case was known to UOKiK and UTK. In October 2023, the Internal Security Agency filed a notification to the prosecutor's office in Nowy Sącz "regarding software for Impuls trains". In December, the regional prosecutor's office in Krakow took over the investigation and is conducting a case on the suspicion of committing crimes under Article 269 §1 and Article 286 §1 of the Penal Code.
-
I was not expecting to watch a 1h-long presentation about hacking trains and enjoy it so much!
-
That's mean... they made it look like parking the train for a while made the secondary compressor go bad... Finding the geofencing areas feels a bit like those diesel exhaust controller speed-distance regions.