Mastodawn

I can finally reveal some research I've been involved with over the past year or so.

We (@redford, @mrtick and I) have reverse engineered the PLC code of NEWAG Impuls EMUs. These trains were locking up for arbitrary reasons after being serviced at third-party workshops. The manufacturer argued that this was because of malpractice by these workshops, and that they should be serviced by them instead of third parties.

1/4

We found that the PLC code actually contained logic that would lock up the train with bogus error codes after some date, or if the train wasn't running for a given time. One version of the controller actually contained GPS coordinates to contain the behaviour to third party workshops.

It was also possible to unlock the trains by pressing a key combination in the cabin controls. None of this was documented.

2/4

The key unlock was deleted in newer PLC software versions, but the lock logic remained.

After a certain update by NEWAG, the cabin controls would also display scary messages about copyright violations if the HMI detected a subset of conditions that should've engaged the lock but the train was still operational.

The trains also had a GSM telemetry unit that was broadcasting lock conditions, and in some cases appeared to be able to lock the train remotely.

3/4

@redford and @mrtick held an unrecorded talk a bout this at OhMyHack in Warsaw - I unfortunately couldn't make it because of Munich snow.

For now this is making the rounds in Polish-speaking sources, but we do have a talk scheduled about this at 37C3, in which we plan to do a deep dive into this and actually publish our findings.

@zaufanatrzeciastrona 's article about this: https://zaufanatrzeciastrona.pl/post/o-trzech-takich-co-zhakowali-prawdziwy-pociag-a-nawet-30-pociagow/

O trzech takich, co zhakowali prawdziwy pociąg – a nawet 30 pociągów | Zaufana Trzecia Strona

Pociąg produkcji polskiej firmy nagle zepsuł się w trakcie serwisu. Fachowcy byli bezradni - pociąg był w porządku, tylko nie chciał jechać. W ostatnim odruchu…

Zaufana Trzecia Strona

John Burns Dec 5, 2023

@q3k @redford @mrtick @zaufanatrzeciastrona

Is that a hack... or something put in place by company or its contractors?

Your post said 3rd party? Is that to mean they were using cheaper service providers?

---
I can only imagine what riders experienced.

@JohnJBurnsIII "3rd party repair" it means mostly - independent from manufacturer but doing all stuff provided by law and using certified materials, parts and so on...

John Burns Dec 5, 2023

Thank you.

Still feels like it should not have been part of operational code in the system.

To easy to abuse.

Raven667 Dec 6, 2023

@JohnJBurnsIII @wikiyu I don't think there is any scenario where the described functionality isn't abuse, the only purpose for that code is abuse and I hope it's illegal, against the contract, and the purchaser can throw the law book at them and get real consequences including jail time for the executives who ordered this or knew about it.

I'm probably going to be disappointed in the outcome, but jeez that is some shit behavior when you already sold a fricken *train* at a profit

×

The key unlock was deleted in newer PLC software versions, but the lock logic remained.

After a certain update by NEWAG, the cabin controls would also display scary messages about copyright violations if the HMI detected a subset of conditions that should've engaged the lock but the train was still operational.

The trains also had a GSM telemetry unit that was broadcasting lock conditions, and in some cases appeared to be able to lock the train remotely.

3/4

@redford and @mrtick held an unrecorded talk a bout this at OhMyHack in Warsaw - I unfortunately couldn't make it because of Munich snow.

For now this is making the rounds in Polish-speaking sources, but we do have a talk scheduled about this at 37C3, in which we plan to do a deep dive into this and actually publish our findings.

@zaufanatrzeciastrona 's article about this: https://zaufanatrzeciastrona.pl/post/o-trzech-takich-co-zhakowali-prawdziwy-pociag-a-nawet-30-pociagow/

O trzech takich, co zhakowali prawdziwy pociąg – a nawet 30 pociągów | Zaufana Trzecia Strona

Pociąg produkcji polskiej firmy nagle zepsuł się w trakcie serwisu. Fachowcy byli bezradni - pociąg był w porządku, tylko nie chciał jechać. W ostatnim odruchu…

Zaufana Trzecia Strona

ifrauding Dec 5, 2023

@q3k @redford @mrtick @zaufanatrzeciastrona

A talk which takes the #37c3 motto "unlocked" literally. 🤯

Cato [MOVED]Dec 5, 2023

@q3k @redford @mrtick @zaufanatrzeciastrona ohhh, that is one talk i CANNOT miss!!

jomo ☎5666 @ WHY2025 Dec 5, 2023

@q3k @redford @mrtick @zaufanatrzeciastrona nice research, really looking forward to this!

Dreit Dec 6, 2023

@jomo @q3k @redford @mrtick @zaufanatrzeciastrona If not, I hope EU will focus on it during this decade

John Burns Dec 5, 2023

@q3k @redford @mrtick @zaufanatrzeciastrona

Is that a hack... or something put in place by company or its contractors?

Your post said 3rd party? Is that to mean they were using cheaper service providers?

---
I can only imagine what riders experienced.

wikiyu Dec 5, 2023

@JohnJBurnsIII "3rd party repair" it means mostly - independent from manufacturer but doing all stuff provided by law and using certified materials, parts and so on...

John Burns Dec 5, 2023

Thank you.

Still feels like it should not have been part of operational code in the system.

To easy to abuse.

Raven667 Dec 6, 2023

@JohnJBurnsIII @wikiyu I don't think there is any scenario where the described functionality isn't abuse, the only purpose for that code is abuse and I hope it's illegal, against the contract, and the purchaser can throw the law book at them and get real consequences including jail time for the executives who ordered this or knew about it.

I'm probably going to be disappointed in the outcome, but jeez that is some shit behavior when you already sold a fricken *train* at a profit

sascha koyaanisqatsi of kmfdm Dec 5, 2023

@JohnJBurnsIII @q3k it reads to me as "DRM to ensure that orgs who bought the trains were only using maintenance contractors authorised by the manufacturer" and I'm pretty sure that there's regulation against that kind of thing in other vehicles (cars, say)

Adam Williamson

@outie @JohnJBurnsIII @q3k yeah, I think you're missing the story here, John. It's the train manufacturer doing very sketchy stuff to try and prevent operators from having them maintained anywhere but their shops. Like if your car maker slipped some bogus code in that made your car refuse to start if you had it serviced at the local garage. Or your phone manufacturer doing the same, ahem, Apple.

John Burns Dec 5, 2023

@adamw @outie @q3k

OH. OK. Yes... I did not pick up it was OEM code.

This sounds like HP locking down their printers to only use ORM replacement cartridges. Or Keurig doing similar for coffee pods.

M.S. Bellows, Jr.Dec 5, 2023

@JohnJBurnsIII @adamw @outie @q3k Except this is like HP printers *pretending* they're out of ink when they're not, while warning you that only HP cartridges will work.

John Burns Dec 5, 2023

@msbellows @adamw @outie @q3k

🤔

And given you can't really see into those cartridges - I think I would not be surprised that is not the case.

I dumped my not quite 2 year old OfficeJet in 2012 - for repeated error codes no matter how many OEM new cartridges I stuck in there. In the end... >$100 in unused cartridges.

Happily using Epson since then... so 11 years of use and no repairs needed. Does what I need (rarely print, but need it when I need it).

just adrienne Dec 5, 2023

@JohnJBurnsIII @adamw @outie @q3k Both of which are also terrible and should be illegal, but definitely not on the same scale of badness as being able to REMOTELY DISABLE A PASSENGER VEHICLE!

Matěj Cepl 🇪🇺 🇨🇿 🇺🇦Dec 5, 2023

@adamw @outie @JohnJBurnsIII @q3k And now let's see what @EU_Commission will do about that. It's good to mention, that for the anticompetitive behaviour (and worse) they can fine the manufacturer up to 10% of their worldwide turnover (not profit, turnover).

Pepita Pepito Dec 6, 2023

@adamw @outie @JohnJBurnsIII @q3k checking against a blacklist of the GPS coordinates of third party repair shops is really out there compared to previously known hardware DRM shenanigans. what were the managers who authorised that thinking?! let's hope such examples lead to vigorous change in legislation. never thought we'd need "right to repair" for effing trains!

@outie @JohnJBurnsIII @q3k
I wouldn't be too sure about that. When your car phones home for update the corp can put anything they want in it. Just wait till you get a speeding ticket based on the recorded speeds of your car.

Dazzling Urbanite Dec 6, 2023

@mral @outie @JohnJBurnsIII @q3k

Hold yer horses there buckaroo.

Don't try to threaten me with the one GOOD outcome scenario...

@apressler @outie @JohnJBurnsIII @q3k
I'm not sure what I said that was good. do you really want a ticket everytime you speed up to safely pass another car. There are a lot of times when your doing 55 and the guy ahead is doing 54 so you speed up to pass without taking a mile.

@mral @apressler @outie @JohnJBurnsIII @q3k I'm sure there are ways to detect if you was just passing somebody or if you were speeding.

Dazzling Urbanite Dec 6, 2023

@mral @outie @JohnJBurnsIII @q3k

Such a method as proposed is frankly stupid since it only punishes after the fact and preventing speeding is the desirable goal. A mandatory geo-gated speed limiter on all motor vehicles would be much more efficient and effective solution. But if fines after the fact are all that are on offer, then yes. Give it to me.

But not for you, of course. You are special and deserve to be treated as such. I think you should be given lights and a siren.

@apressler @outie @JohnJBurnsIII @q3k
and so end productive discussion.

Supermoosie Dec 6, 2023

@outie
There might also be good reasons why its there.

Contract of purchase that maintenance has to be proformed by train manufacturer. Ie they might have paid less upfront as the profit is from the later maintenance over x years of contract.

Critical safety systems such as Automatic Train Control that should only be touched by suitably qualified staff. Mess with this and the safety certification goes, which might mean the train isn't allowed to run on the network, not have insurance or mass fatalities.

@JohnJBurnsIII @q3k

@SuperMoosie
This makes no sense. If this is put in place because of contract violations, the manufacturer can simply sue.

If the 3rd party workshop is unequipped to deal with the safety systems, which might mean loosing safety certification, then that is for actual authorities to decide and enforce

@SuperMoosie @outie @JohnJBurnsIII @q3k this not some random dude servicing the train. It's a train service yard with huge infrastructure and a huge contract. In this story they describe going through the huge maintenance manual and finding no mention of these things. If it's a certification thing then it should clearly state this.
https://badcyber.com/dieselgate-but-for-trains-some-heavyweight-hardware-hacking

Dieselgate, but for trains – some heavyweight hardware hacking – BadCyber

Supermoosie Dec 6, 2023

@Niall
Thanks for the translated article. Yeah, agree
@outie @JohnJBurnsIII @q3k

Robots can be gay deal with it Dec 7, 2023

@outie @JohnJBurnsIII @q3k These trains are owned by governments right?

Ohhh I think there will be laws against this soon.

@q3k That's terrifying! Thank you for sharing (once it was declassified!) 🙀 @redford @mrtick @zaufanatrzeciastrona

Phil M0OFX Dec 5, 2023

@q3k @redford @mrtick @zaufanatrzeciastrona Wow. That's a talk I'll be looking out for on media.c3! Sounds like they were taking a leaves out of John Deere and Apple's books. Hopefully it leads to a harsh lesson for NEWAG.

GreenSkyOverMe (Monika)Dec 5, 2023

@q3k O.M.G.

qwertyoruiopz Dec 5, 2023

@q3k @redford @mrtick @zaufanatrzeciastrona At what point do people call this kind of stuff a protection racket?

Rocketman Dec 5, 2023

@q3k @redford @mrtick @zaufanatrzeciastrona Very impressive work. Congratulations!

I understand there´s no write-up of this available in English at this point? That would be great...

@slothrop @redford @mrtick @zaufanatrzeciastrona

We'll release a full writeup as part of our 37C3 talk. It's a lot of work to gather all the data :).

GDR!Dec 5, 2023

@q3k @slothrop @redford @mrtick @zaufanatrzeciastrona Respect!

AURonline 🏡Dec 5, 2023

@slothrop @q3k @redford @mrtick @zaufanatrzeciastrona I let Edge translate the Polish article to English and it was very readable (machine translation has come a long way...). DeepL or Google Translate will most likely also work very well.

rugk Dec 5, 2023

@AUROnline sidenote: Firefox translations has a privacy-first local translation feature which works in your browser and works quite good, so you can use that too.

Isocat now → @isocat@tiggi.es Dec 5, 2023

Ugh. This gross, abusive violation of social contract brings Unauthorized Bread to mind:
https://raw.githubusercontent.com/wandyezj/reference/master/unauthorized-bread.pdf

@q3k @redford @mrtick @zaufanatrzeciastrona @kkarhan @raulinbonn @yacc143 @muiiio

Graham Sutherland / Polynomial Dec 5, 2023

@q3k @redford @mrtick @zaufanatrzeciastrona fascinating work! looking forward to the talk

gudenau Dec 5, 2023

@q3k @redford @mrtick @zaufanatrzeciastrona Dang, that really should be straight up illegal...

@q3k @redford @mrtick @zaufanatrzeciastrona

> Niestety pociąg, którym badacz podąża do serwisu, spóźnia się.

virkon Dec 5, 2023

@q3k @redford @mrtick @zaufanatrzeciastrona Looking forward to this talk.

Luke Dec 5, 2023

@q3k @redford @mrtick @zaufanatrzeciastrona Holymoly! 😮 I am really looking forward to this talk now! 🚃🔒

Phillipp Dec 5, 2023

@q3k @redford @mrtick @zaufanatrzeciastrona looking forward to the talk!

Felix B. Ohmann Dec 5, 2023

well done. companies should not be able to get away with this.

Marc-Oliver Schaake Dec 5, 2023

@q3k @redford @mrtick @zaufanatrzeciastrona OMG.

stansobczyk Dec 5, 2023

@q3k did you update the software to rerun the train on your own or Newag was forced to do it ?

Michał Kowalczyk Dec 5, 2023

@stansobczyk @q3k No, we found a way to reset the locks without modifying the software :)

rugk Dec 5, 2023

@q3k @redford @mrtick @zaufanatrzeciastrona wow cool, is not that anti-competitive behaviour somehow and likely illegal? I hope it is…

I mean did you somehow report it or so?

Michał Kowalczyk Dec 5, 2023

@rugk @q3k @mrtick @zaufanatrzeciastrona
Yes, but not much happened so far...

Dr. Heather Etchevers Dec 20, 2023

@redford @rugk @q3k @mrtick @zaufanatrzeciastrona "We are not aware of any action taken either by the Office of Consumer and Competition Protection or by the Railway Transport Office, which would seem to be competent to eliminate from the market practices that are damaging to local government organisations that are incurring considerable losses and to passengers who are forced to travel in crowds or use substitute transport for months."

Ann Effes Dec 6, 2023

@q3k @redford @mrtick @zaufanatrzeciastrona

Wow! Gross.

NiceMicro Dec 6, 2023

@q3k It seems like public transit is not really public as long as the trains are running on proprietary garbage.

The time has come for Free Software Urbanism.

#FreeSoftware #Urbanism

Markus Schlichting Dec 6, 2023

Sounds a lot like I found the first first entry to my #37c3 schedule! Looking forward to it 🤩@q3k @redford @mrtick @zaufanatrzeciastrona

Claus Cramon Houmann Dec 6, 2023

@q3k @redford @mrtick @zaufanatrzeciastrona impressive research, good job. And scary that someone would actually code this into a train system.....

Dr. Dek 👨‍🚀🐧🚀 )Dec 6, 2023

@q3k
@redford @mrtick
Amazing jobs thanks! 👏

uis Dec 6, 2023

It seems EU will have field day on rails. Polish police/security service maybe will have field day too: isn't NEWAG related to russian oligarchs or FSB, what if Putin himself will lock trains. Fun begins.