
Breaking "DRM" in Polish trains [video]

fbdab103
12 replies
16h22m

I am curious what other industries are likely to have booby-trapped software which has not yet been discovered. It was only through some weird circumstances + dedicated investigation by the hacker group (I thought they were given months of access to the hardware) that this was uncovered. Most organizations do not have the resources to investigate equipment behaving oddly.

For example, if HP programs printers to start failing after N pages printed, would that ever be uncovered?

Is there some kind of whistleblower law that would allow someone with knowledge to come forward?

f_devd
3 replies
14h55m

From personal experience it seems relatively common in the embedded-esque software space, although not always quite as sophisticated as seen here.

Is there some kind of whistleblower law that would allow someone with knowledge to come forward?

Depends on where you live; unfortunately anywhere with 'strong' IP laws you aren't allowed to patch anything. Usually reverse engineering analysis is still fine, although if there is a contract saying you're not allowed to, you could be screwed anyway.

In the train case the locks were specifically for anti-competitive purposes, and so they can whistle-blow for that; and I think in the general case you can sue for misleading dealings/false advertising/etc but not for anything specific to the software locks/traps.

kvdveer
1 replies
3h43m

unfortunately anywhere with 'strong' IP laws you aren't allowed to patch anything.

I am not aware of any IP laws that prohibit patching, except for circumventing copy protection (DMCA). There are plenty of laws prohibiting distributing patches, but making and using them are not commonly prohibited AFAIK.

f_devd
0 replies
3m

You can technically distribute patches; a good example of what is possible is SNES ROM hacks, where only the deltas are distributed and the end user provides their own 'legal' copy. This avoids the issue of redistributing copyrighted content.

However, in the EU you aren't allowed to use information obtained through "decompilation" for the purpose of development/production of a substantially similar program. Which means you cannot patch any program (an exception exists for the purpose of interoperability) without risking some legal liability.

2009/24/EC Article 6 for anyone interested.
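
The delta-only distribution described above, as an added example that is not part of the original comment or of any ROM-hacking tool: a minimal writer and applier for the IPS format SNES ROM hacks are shipped in. Each record is a 24-bit offset, a 16-bit length and the replacement bytes (or an RLE run), so the patch file carries only what changed and never the original ROM. The applier also checks the result against a SHA-256 the patch author would publish, which catches both a wrong base image and a tampered patch. The sample "ROM" is constructed, not real data, and the digest workflow is this example's own convention, not part of the IPS format.

```python
"""
Minimal IPS ("International Patching System") delta patch writer/applier.
Only the byte runs that differ are recorded, so the user's own copy of the
original is required to reconstruct the modified image.
"""
import hashlib
import struct

IPS_MAGIC = b"PATCH"
IPS_EOF = b"EOF"
EOF_AS_OFFSET = 0x454F46   # the bytes "EOF" read as a 24-bit offset
MAX_RECORD = 0xFFFF        # record length is a 16-bit big-endian field
MAX_OFFSET = 0xFFFFFF      # 24-bit address space


def make_ips(original: bytes, modified: bytes) -> bytes:
    """Encode the differences between two equal-length images as an IPS patch."""
    if len(original) != len(modified):
        raise ValueError("this example only handles equal-length images")
    if len(original) > MAX_OFFSET + 1:
        raise ValueError("image exceeds the 24-bit IPS address space")
    out = bytearray(IPS_MAGIC)
    i, n = 0, len(original)
    while i < n:
        if original[i] == modified[i]:
            i += 1
            continue
        start = i
        while i < n and original[i] != modified[i] and i - start < MAX_RECORD:
            i += 1
        # A record starting at 0x454F46 would be misread as the EOF marker;
        # the usual workaround is to begin the record one byte earlier.
        if start == EOF_AS_OFFSET:
            start -= 1
            i = min(i, start + MAX_RECORD)
        chunk = modified[start:i]
        out += start.to_bytes(3, "big") + struct.pack(">H", len(chunk)) + chunk
    out += IPS_EOF
    return bytes(out)


def apply_ips(target: bytes, patch: bytes) -> bytes:
    """Apply an IPS patch (plain and RLE records) to the user's own image."""
    if not patch.startswith(IPS_MAGIC):
        raise ValueError("not an IPS patch")
    buf = bytearray(target)
    pos = len(IPS_MAGIC)
    while patch[pos:pos + 3] != IPS_EOF:
        if pos + 5 > len(patch):
            raise ValueError("truncated record header")
        offset = int.from_bytes(patch[pos:pos + 3], "big")
        size = struct.unpack(">H", patch[pos + 3:pos + 5])[0]
        pos += 5
        if size == 0:
            # RLE record: 16-bit run length followed by the byte to repeat
            if pos + 3 > len(patch):
                raise ValueError("truncated RLE record")
            run_len = struct.unpack(">H", patch[pos:pos + 2])[0]
            data = bytes([patch[pos + 2]]) * run_len
            pos += 3
        else:
            data = patch[pos:pos + size]
            if len(data) != size:
                raise ValueError("truncated record data")
            pos += size
        end = offset + len(data)
        if end > len(buf):
            buf.extend(b"\x00" * (end - len(buf)))  # IPS may grow the target
        buf[offset:end] = data
    return bytes(buf)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def apply_verified(target: bytes, patch: bytes, expected_sha256: str) -> bytes:
    """Apply a patch and insist the result matches the digest the patch author
    published; a mismatch means a wrong base image or a tampered patch."""
    result = apply_ips(target, patch)
    if sha256_hex(result) != expected_sha256:
        raise ValueError("patched image does not match the published SHA-256")
    return result


# Constructed sample data (not a real ROM): a 1 KiB image and a modified copy.
ORIGINAL = bytes(range(256)) * 4
_mod = bytearray(ORIGINAL)
_mod[0x10:0x14] = b"HACK"
_mod[0x300] ^= 0xFF
MODIFIED = bytes(_mod)

if __name__ == "__main__":
    patch = make_ips(ORIGINAL, MODIFIED)
    print(f"patch is {len(patch)} bytes for a {len(ORIGINAL)}-byte image")
    apply_verified(ORIGINAL, patch, sha256_hex(MODIFIED))
```

The two changes in the sample produce a 23-byte patch for a 1 KiB image, and none of the unchanged original bytes appear in it. The digest check is the part a practitioner should not skip: without it, a patch applied to the wrong revision silently yields a corrupt image, and a patch from an untrusted mirror can carry arbitrary code.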

me_me_me
0 replies
1h1m

although not always quite as sophisticated as seen here

It feels that the implementation of that system was quite complicated. Complicated enough that quite a few people must have been involved in it.

It's quite sad that developers would implement this and all keep their mouths shut.

glandium
2 replies
8h45m

For example, if HP programs printers to start failing after N pages printed, would that ever be uncovered?

I can't find it right now, but wasn't there a story some months ago about some printers doing exactly that to make you buy new ink cartridges?

bayindirh
0 replies
6h0m

That was about HP's ink subscription service, "HP Instant Ink", where your printer stops printing if you stop renewing your ink subscription and try to print with the subscription supplied cartridge.

I'm on my 4th HP Inkjet, and none of them did anything remotely similar. One wore down (it was a bottom-of-the-barrel model), two of them were donated, and AFAIK one is still pretty operational.

I'm regularly using my Deskjet Ink Advantage 4515, which is ~10 years old at this point.

QVVRP4nYz
0 replies
2h43m

It is actually quite common in the hellish world of printers, but with a bit more plausible deniability. "Our printed page counter indicated the cartridge/drum needs replacement, we couldn't know it was half full / it is all to preserve maximum quality" - such typical bullshit that people have somehow already gotten used to. Consumer electronics are already crazy, I mean people mod-chipped Keurigs to use "pirated" coffee.

chrisandchris
2 replies
10h7m

According to this thread [1] (and an unrelated one I can't find anymore) some printer manufacturers region-lock the cartridges their printers accept, which makes the product useless in some circumstances just because of your location.

I think the incentive is money. 1 train is worth much money, a single printer is not. Most people won't have any issue with the printer and if so, loss is low. If just 1 train has this issue, loss might be huge.

[1] https://news.ycombinator.com/item?id=31860845

probably_wrong
0 replies
7h30m

My parents are currently bitten by this - they can't find cartridges for their HP printer and I cannot send them any because they wouldn't match the region.

Also, some poor soul at The Verge went through hell and back to document the fun experience of trying to use an HP printer on a different region: https://www.theverge.com/23648726/hp-officejet-printer-regio...

bayindirh
0 replies
9h58m

HP does this. I'm not sure if you can reset the value after moving, but the cartridges have a "Region" value.

The cartridge region is printed per cartridge while printing "print quality" reports, which print full-nozzle lines to see whether there are any persistently clogged nozzles on your printhead.

p_l
0 replies
15h59m

A crucial part is the contract wording regarding what exactly was sold when NEWAG sold the trains to the operator - namely, the documentation for maintenance and repair was supposed to be complete. As in, should NEWAG encounter a critical existence failure, it should still be possible for a third party to service the trains so long as parts could be acquired, and in worst case, start working on replacement parts.

With most other right-to-repair cases there's way less recourse. With trains in Europe you have legal rules that disallow hiding critical maintenance data behind trade secrets, for example.

grishka
0 replies
3h20m

For example, if HP programs printers to start failing after N pages printed, would that ever be uncovered?

Maybe. The problem with consumer devices is that they're much better protected from their end users, so it's harder to dump the firmware to reverse engineer it. Firmware update files, while you can easily get your hands on them, are usually encrypted. Sometimes it's so bad that the best course of action is to find an RCE vulnerability and exploit it.

Though, with inkjet printers being as popular in some parts of the world as they are for some reason, and being as annoying as they are, I'm surprised no one has done that yet.
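
The first question raised above, whether an update file is something you can unpack and read or an encrypted blob that forces you onto the dump-or-exploit route, is usually settled with a quick entropy triage. The following is an added example, not code from the comment above or from any printer vendor: it computes per-block Shannon entropy over an image, cross-checks against a few well-known container signatures, and tests compressibility, since compressed data has headers and encrypted data does not. The thresholds (7.5 bits/byte for "high", 90% of blocks to flag the whole image) are heuristics chosen for this example, and both firmware images are constructed, with SHA-256 in counter mode standing in for ciphertext.

```python
"""
Triage a firmware update file before reverse engineering it: per-block
Shannon entropy plus two cheap cross-checks (known container magic and
compressibility) to separate plain code/data, a recognisable container, and
a blob that is probably encrypted.
"""
import gzip
import hashlib
import math
import zlib
from collections import Counter

BLOCK_SIZE = 4096
HIGH_ENTROPY = 7.5        # bits/byte; native code usually sits around 5-6.5
ENCRYPTED_FRACTION = 0.9  # share of high-entropy blocks that flags the image

# Signatures long enough to search for anywhere in the image.
CONTAINER_MAGIC = {
    b"\x7fELF": "ELF executable",
    b"\xfd7zXZ\x00": "xz stream",
    b"hsqs": "squashfs (little-endian)",
    b"sqsh": "squashfs (big-endian)",
    b"\x27\x05\x19\x56": "U-Boot uImage header",
    b"UBI#": "UBI volume",
    b"7z\xbc\xaf\x27\x1c": "7-zip archive",
}
# Two-byte signatures occur by chance in random data; trust them at offset 0 only.
HEADER_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"\x78\x01": "zlib (fast)",
    b"\x78\x9c": "zlib (default)",
    b"\x78\xda": "zlib (best)",
}


def shannon_entropy(block: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant input, at most 8.0."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def detect_magic(image: bytes):
    """Name of a recognised container/executable signature, or None."""
    for magic, name in HEADER_MAGIC.items():
        if image.startswith(magic):
            return name
    for magic, name in CONTAINER_MAGIC.items():
        pos = image.find(magic)
        if pos != -1:
            return f"{name} at offset {pos:#x}"
    return None


def assess(image: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Classify an image as 'container', 'likely-encrypted', 'packed-unknown' or 'plain'."""
    blocks = [image[i:i + block_size] for i in range(0, len(image), block_size)]
    entropies = [shannon_entropy(b) for b in blocks]
    high = sum(e >= HIGH_ENTROPY for e in entropies) / max(len(entropies), 1)
    # Already-compressed or encrypted data does not shrink further under zlib.
    ratio = len(zlib.compress(image, 9)) / max(len(image), 1)
    magic = detect_magic(image)
    if magic:
        verdict = "container"
    elif high >= ENCRYPTED_FRACTION and ratio > 0.98:
        verdict = "likely-encrypted"
    elif high >= ENCRYPTED_FRACTION:
        verdict = "packed-unknown"
    else:
        verdict = "plain"
    return {"verdict": verdict, "magic": magic, "high_fraction": high,
            "compress_ratio": ratio, "entropies": entropies}


def constructed_random(size: int, seed: bytes = b"example-seed") -> bytes:
    """Deterministic stand-in for ciphertext (constructed): SHA-256 in counter mode."""
    out, counter = bytearray(), 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:size])


# Constructed sample images, not real firmware.
PLAIN_PATTERN = (b"\x04\xe0\x2d\xe5\x00\x00\xa0\xe1" * 32
                 + b"Example Vendor firmware v1.2 (constructed sample)\x00"
                 + b"\xff" * 128)
PLAIN_IMAGE = (PLAIN_PATTERN * 200)[:16 * BLOCK_SIZE]
ENCRYPTED_LIKE = constructed_random(16 * BLOCK_SIZE)
GZIPPED_PLAIN = gzip.compress(PLAIN_IMAGE)

if __name__ == "__main__":
    for name, img in (("plain", PLAIN_IMAGE), ("encrypted-like", ENCRYPTED_LIKE),
                      ("gzipped", GZIPPED_PLAIN)):
        r = assess(img)
        print(f"{name:15s} verdict={r['verdict']:17s} high={r['high_fraction']:.2f} "
              f"ratio={r['compress_ratio']:.3f} magic={r['magic']}")
```

A "container" verdict means unpacking is the next step; "plain" means strings and a disassembler will get you somewhere directly; "likely-encrypted" with no recognisable header is the case the comment describes, where the update file alone will not give up the firmware and you need the device itself (debug port, flash dump, or an exploitable bug) to get at the plaintext.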

lnsru
4 replies
6h52m

GPS spoofing might be a solution when such a problem occurs. Just make the electronics think the train moves along the equator at 30 mph. I assume the malicious software does not check if the train moves on some tracks or just moves.

p_l
3 replies
5h49m

It's mentioned in the talk, the software interrogates speed data from odometers.

alexvoda
2 replies
5h0m

Then place the train on a giant dynamometer while spoofing the GPS.

yetihehe
1 replies
4h10m

Much more simple - just rewrite nvram to disable the blocks before returning a train. More effective - sue manufacturer because this whole affair is breach of contract.

p_l
0 replies
1h19m

Manipulating odometers would be actually illegal from the pov of railway regulations.

Two wrongs don't make a right there.

HideousKojima
4 replies
14h17m

Has Newag provided any evidence of their claim that this is a conspiracy by their competitor and the hacker group? Or is it literally just them saying "no we didn't"?

avallach
1 replies
9h47m

In various trains, over 20 versions of the compiled firmware with unique variants of the locking algorithm were found. And to make matters worse, the trains were found to have something that appears to be a GSM-to-CAN bridge. It isn't reverse engineered yet but AFAIK shouldn't be there and in the worst case may be a remote control backdoor.

Maxious
0 replies
40m

Both these points were clarified in the audience questions - it's a UDP to CAN bridge so the Linux based passenger information system knows the state of the train. And only the Linux system is GSM connected (to get network announcements etc.), none of the firmwares were installed remotely, only when trains were sent back to the manufacturer physically.

seba_dos1
0 replies
13h38m

I think it goes without saying, but it's of course the latter.

ngcc_hk
0 replies
13h58m

The fact is they found those GPS and even third-party part denials; how could these be a conspiracy, I wonder?

everyone
1 replies
10h0m

Perhaps cases like this are good. Most people don't mind DRM at all; they couldn't even tell you what it is, though their phones / cars / etc. are riddled with it.

A case like this involving a train that won't move is something that's easy to comprehend for the general public and is clearly utter bullshit.

trinsic2
0 replies
2h38m

Yes, this is a perfect example of what DRM is really about.

I'm a repair guy and I'm always trying to protect my customers against walled gardens and whatnot. Talking about this article makes explaining right to repair so much easier.

My concern is the changes they're making to the BIOS in consumer-grade OEM desktops and laptops. With UEFI certificates for anti-theft software added and enabled by default, people just don't understand what's really going on. This article explains it beautifully. Thank you Newag!

Zuiii
1 replies
15h47m

Slight tangent, but I really looked forward to (and enjoyed!) the "This Year in Crypto" talks given by DJB and Tanja Lange at past C3s. It was a fun way for a non-cryptologist like me to keep track of all the major happenings in this field. Sadly they stopped giving them a few years back.

Does anyone know if there are similar end-of-year roundups that non-cryptologists can follow to keep up to date?

namibj
0 replies
15h16m

The security nightmares talk at (also) 37c3?

toomuchtodo
0 replies
17h13m

Related:

Polish Hackers that repaired DRM trains threatened by train company - https://news.ycombinator.com/item?id=38628635 - Dec 2023 (142 comments)

Polish train maker denies claims its software bricked competitor rolling stock - https://news.ycombinator.com/item?id=38570654 - Dec 2023 (2 comments)

Dieselgate, but for trains – some heavyweight hardware hacking - https://news.ycombinator.com/item?id=38567687 - Dec 2023 (293 comments)

Polish trains lock up when serviced in third-party workshops - https://news.ycombinator.com/item?id=38530885 - Dec 2023 (360 comments)

tester756
0 replies
7h58m

Every time I see news about this story it gets crazier and crazier, holy shit!

fargle
0 replies
1m

Wow, it's a full hour presentation but time very well spent would be an understatement! This issue has been covered before, but only the rough outline compared to this talk.

Great job guys! We all need a lot more like you.

faitswulff
0 replies
16h54m

For English speakers intimidated by the introduction, the actual talk is in English.

albertzeyer
0 replies
7h49m

Log_out_
0 replies
6h50m

IoT aka mafia with chips strikes again

I worked with PLCs for some time and the whole "a dozen different versions" rings a USBell for me. if I Google newag plc programmer at linkedin, I promise you the number will be the same as the number of versions found in the trains, all branching away from one initial version by one initial programmer.

Occasionally a fb gets exchanged on a USB stick, but the whole version control magic never reaches the team.

Idesmi
0 replies
4h7m

These guys are my heroes.