Reverse engineering a train to analyze a suspicious malfunction
We’ve all been there: the trains you’re servicing for a customer suddenly brick themselves and the manufacturer claims that’s because you’ve interfered with a security system.
This talk will tell the story of a series of Polish EMUs (Electric Multiple Unit) that all refused to move a few days after arriving at an “unauthorized” service company. We’ll go over how a train control system actually works, how we reverse-engineered one and what sort of magical “security” systems we actually found inside of it.
Reality sometimes is stranger than the wildest CTF task. Reality sometimes is running `unlock.py` on a dozen trains.
The talk will be a mix of technical and non-technical aspects of the analysis, and should be understandable for anyone with a technical background. We’ll briefly explain what modern EMUs look like inside, how the Train Control & Monitoring System works, and how to analyze TriCore machine code.
Redford
q3k
MrTick
https://events.ccc.de/congress/2023/hub/event/breaking_drm_in_polish_trains/
#37c3 #HardwareMaking
Polish Pride XD
I thought Denuvo was a cancer of AAA games, but I never thought that Polish trains could actually beat Denuvo DRM.
Such a sweet story! Now I am gonna celebrate compressor failure day too 😂. Great work! Great work! 👏👏👏
I was expecting the cheat code to start the train to be an easter egg referring to some brutality combo from Mortal Kombat
…and they said the train had a flat tire
Super nice and smart guys! q3k's got my kind of humor 😂
There Is Power !!!!!!!!!!!!!!!!!! (Polish: "Jest Moc")
………………………yes, it is a double pun. In Polish, natch.
52:05 that was a good laugh 😀
I remember a breakdown in an Audi where, when the cigarette lighter fuse blew, the car lost power.
When you replaced it with a working fuse, the car suddenly regained its acceleration.
Amazing presentation!
This is such an amazing talk, I can't believe how difficult it must have been to reverse engineer all that code to find these awful anti-competitive blocks, well done to the team!
The timing is interesting on this.
Owner of the Newag company is politically connected to the party that has recently lost the election.
So this thing surfaced just as he lost his political backing.
12:33 wow. That 'IDE' / software development environment. That looks awful.
Really cool talk!
I'm glad this went public, companies should not be allowed to do this, especially not when it involves crucial infrastructure.
This was an interesting presentation and I'm glad they had the balls to speak up about it despite companies threatening them with lawsuits.
66 Newag employees disliked this.
Congratulations!!
"that's not how you compare dates" – love these guys 🤣
I hope they got lifetime train passes
Great job guys! Poland against the Newag old geezers!
This needs to be turned into a movie with a train chase starring Keanu Reeves as an assassin.
45:41, regarding the CAN bus <-> internet link… if you search YouTube for "remote exploitation of an unaltered passenger vehicle" you'll find a DEF CON 23 video where some folks successfully altered one device after another to hop from the cell network to the CAN bus.
The same potential potentially exists here.
4:37 "so they googled Polish Hackers and found us" 😂
The question really is "Who Owns the Train": the manufacturer or the company that bought it? This is happening in new cars sold with an internet connection too. BMW have also started charging for functions that are built into the car, and they charge you, the customer, for heated seats to be enabled. Seriously?
Wonderful. Newag made their fatal error when they did not deliver to the tender. Worse for them, I bet if they blacklist you fellows that will be a badge of honor, not shame.
I wonder how many OTHER customers they no longer have.
{o.o}
Incredibly important work. And to be honest I think they are doing fraud with this. On the back of the public which would have to pay higher ticket prices.
Too bad that the EU doesn't force all these safety-critical vehicle manufacturers to provide full schematics of the hardware and all their source code for the software, and throw in jail the assholes who don't want to do that or who put DRM in them!
As a Polish person, I feel like I have to add a few things to give you the full picture (or at least give more info on why it might have happened)
1. Polish railways are corrupted to oblivion. (To be honest this drama seems like just the tip of the iceberg.) Why is that? As you might know, Poland was once behind the Iron Curtain. Only in 1989 did my country "ditch" communism in favor of democracy. People were happy, but the transition from one economic model to another was a hard task to complete. Some things went smoother than others. Unfortunately some institutions didn't change at all, or very little. The most frequently mentioned are Public Health (NFZ) and Polish railways (PKP). Why is that important? Well, I simply think that if it hadn't been found out by a member of a party (he was the one that asked for routine service of these trains, not the one that found the problem) that happens to be in opposition to the previous political party (whose member is currently president of Polish railroads), we wouldn't have gotten to know about this. (And yes, there were some accusations before this one, but somehow they went under the radar, I wonder why…)
2. Think of Newag more like Apple in the US. Newag as a company isn't that bad, at least when it comes to design, durability and overall build quality; I would even risk saying it was the best at what it did in Poland. Therefore I also believe they wanted to keep that status by doing everything themselves (remember the corruption from earlier). Does it make it less atrocious? No, of course not, but I believe it is important to know.
Overall loved the video, and I hope this is the beginning of some changes! Maybe the EU will pick up on this, at least I hope so (there is more to unpack than just Newag in Poland…)
The hacking team did a great job, as presented here brilliantly. I assume Newag's main motivation for this desperate act was to make more money. And here it would be interesting to know how the (fictional) service actions were reported and charged to their customers.
I believe that state prosecutors will hold the company adequately accountable in court.
How common are these practices in industry? This creepy graphical programming. Just add the machine number to a tag? Boomshanka, so much work we have..
29:00 “That’s called future proof”
😂😂😂 omfg I’m laughing too hard
that geofencing is wild
Someone who is more or less as smart as these guys must've implemented all this evil crap. That shakes what little faith in humanity I have left.
Newag really screwed itself over
Brilliant work by you all! Wonderful! And an excellent presentation, thank you!
Buying a vehicle (car or train) should bring with it an irrevocable license to its essential software, transferable with the vehicle (everything except for things like Tesla's self-driving).
oh THIS one that blew up in the news