Polish Hackers Repaired Trains the Manufacturer Artificially Bricked. Now The Train Company Is Threatening Them

btp@kbin.social to Technology@lemmy.world – 1427 points –
Polish Hackers Repaired Trains the Manufacturer Artificially Bricked. Now The Train Company Is Threatening Them
404media.co

In one of the coolest and more outrageous repair stories in quite some time, three white-hat hackers helped a regional rail company in southwest Poland unbrick a train that had been artificially rendered inoperable by the train’s manufacturer after an independent maintenance company worked on it. The train’s manufacturer is now threatening to sue the hackers who were hired by the independent repair company to fix it.

After breaking trains simply because an independent repair shop had worked on them, NEWAG is now demanding that trains fixed by hackers be removed from service.

118

This story should be on every newspaper front page right below war correspondents.

Yeah, especially in the EU where apparently their laws regarding circumventing DRM might make the people who fixed this the bad guys instead of this comically evil manufacturer who put GPS kill switches on public passenger trains.

right below war correspondents

Eh, they should report war on the same page as the weather if you ask me.

Let us know what country you're in, so the next time you're invaded and genocided we'll remember it's barely as important as the weather forecast.

My reading of that was "climate change will kill most of our species in the long term if we don't take it seriously, so that's also something very important to track and belongs on the same page as wars.".

5 more...
6 more...
6 more...

"We didn't add a kill switch to our trains to force the use of our maintenance service, but fuck the hackers that removed the kill switch we didn't implement, and the trains that were hacked and don't have the kill switch we didn't add should be removed from service."

Dear Reader,

Regarding your recent free and non-profitable un-fucking of our problem, please use the honor system and manually refuck yourself.

Love, Technology Companies.

Someone's gonna figure out a horror movie for this called The Refucker

Wasn't free - they were paid to hack it.

But yeah.

"And how dare those hackers go through all the trouble of finding those (literal) GPS coordinates of train maintenance centers not in our system to circumvent us getting more money."

That's awesome. Man, fuck that company. Bricking a train? Outrageous.

Poland ought to ban that company from ever working or operating or selling any products inside of its country and any trains made by that company that are not currently owned by Poland should be prevented from traveling on the tracks that cross through Poland.

This is the kind of government intervention I can get behind. This story is so outrageous, it's hard to believe it's true.

Maybe make it the entire executive and senior management, rather than the company.

unfortunately they have a right wing government so it's likely they'll want more of this not less

They just swore in the new Cabinet today. They still have a far right President and Judiciary to contend with but the legislature is a coalition of centrists and leftists now.

I was wondering why Orban "left the room" when the EU Council voted for initiating membership negotiations with Ukraine (thus abstaining) rather than vote against it (and thus veto it) and thought that maybe he didn't have Poland covering his back anymore (in the sense of stopping later reprisals if he blocked it), at least when it came to his pro-Russia posture.

Now given that change in Poland, I'm thinking it's a much more far reaching thing and Hungary is now much closer to have their rights suspended as an EU Member.

Yes, however there is still a natural resistance to kicking anyone out of a political entity. Just because nobody wants to start those conversations for fear of their name getting floated.

I feel like train operators will have heard of this, and will not be accepting that company's tenders

Realistically, that would be quite an overreaction and the corporation does have valuable knowledge and skill in creating trains. But how great it would be if this were to cause open source code to be a requirement...

The person is doing a talk about it in hamburg, germany (37c3) next week. Its on my to watch list because that sounds hella interresting.

Edit : 37c3 list of talks : https://halfnarp.events.ccc.de/#dec115da17562cebafa9ba7a150a4fc607c25c880c03593dcc8da6087c9441a4

That actually does sound hella interesting. I'm saving your comment to try to remember but actually look it up in about two years when I scroll back though my saved posts.

Went to subscribe to it until I remembered i don't speak German lol

nearly all talks are either in English or have English translations. not sure if they're available on YouTube but you should be able to find everything on https://media.ccc.de

C3 talks are available online for quite some time after the actual event, so you might still be able to watch it then.

Where "quite some time" is "indefinite". Proper archives go back to 2002, 19c3.

Takes some time for stuff to show up in the archives though as start+end get cut manually, while the congress is running there's always an archive of raw steam dumps maybe that's the one you mean.

2 more...

It's 37c3, but thx for the hint. The talk is called Breaking "DRM" in Polish trains by Redford, q3k, MrTick

I will try to watch it on stage, unfortunately still no final schedule available

2 more...

Nowadays satire can never be as good as reality is.

Trump and the whole Brexit circus have set a very high bar, but somehow someone still manages to produce quality comedy.

Steam engine breaks, you can fix it.

Steam engine with digital circuit breaks, you're a hacker, a pirate. DRM was a mistake.

But how else could companies make more money off of something you already paid for? Will someone think of the shareholders‽

If you're allowed to do any maintenance you want on the physical components of something you own, then you should be allowed to do any maintenance you want on the software components of something you own.

It's not hacking (in the sense of "unauthorized intrusion") if you own it or have authorization to do it from the owner of it.

I wonder if they were taking notes from John Deere and the automotive industry or will it be the reverse here soon?

Just imagine all these vehicles that could be bricked for not going back to the stealerships for outrageous prices on parts and incompetent service.

Also the vehicles that could be disabled for not paying for device protection plan that allows your vehicle to operate safely. It would be a shame if your vehicle stopped working on your way to work or the hospital.

I suspect Tesla, BMW, and John Deere are the closest to this reality.

I sure hope the government doesn't help with another great cash for clunkers national program to get rid of more cars too old for these measures. Sure is a great way to drive new car sales though...

Oh don't count GM and a Ford out of it. They're already kicking android auto and Apple car to the curb so they can control more stuff and get access to more data. The savvier they get the closer that comes to reality.

Of course, by the end of our lives you won't own a car at all. You'll subscribe to a car company that will act like a hybrid ride share and rental program. Commutes will be on a rideshare basis and you'll be able to rent a car for a weekend road trip.

I just heard about GM this morning in my tech news. I didn't realize that about Ford too.

I've drawn a line in the sand with my vehicles at about 2011 for tech. I love tech and I love cars but just not into the current versions of everything being touch screen controls.

Give me knobs for climate controls, gear shifters, and gauges for the rest. They don't need all of these computer systems that fail or become outdated as soon as they are released like the manufacturer's nav systems. We also don't need them to stop working completely because a sensor failed and can only be replaced by the dealer.

My phone in a holder can be the smartest part of the car for me thanks.

I think you can go further. My 2017 A4 is still "normal."

I'm glad to hear that. Often I've driven rental cars and *last time I struggled to find the gear shifter which was replaced by buttons on the dash.

I've also seen just a video of a Tesla only new driver struggle to drive a ICE car because it had a gear shifter and didn't automatically brake. I'm feeling like a dinosaur now...

Stop reading my mind.

You can pry my older cars from my cold, dead, hand.

If the manufacturer can stop your trains, then obviously anyone with the necessary hacking skills can do it too. Certain governments might be very interested in tampering with the logistics of another country.

1 more...

SPS became desperate and Googled “Polish hackers” and came across a group called Dragon Sector, a reverse-engineering team made up of white hat hackers.

Hilarious. I hope 404 continues with this level of high quality journalism.

Dragon sector, who they hired, is a security capture the flag team.

https://dragonsector.pl/

Edit: Socials of those who worked on it

https://social.hackerspace.pl/@q3k
https://infosec.exchange/@mrtick
https://infosec.exchange/@redford

TIL that [security CTF](https://en.m.wikipedia.org/wiki/Capture_the_flag_(cybersecurity\)) is

an exercise in which participants attempt to find text strings, called "flags", which are secretly hidden in purposefully-vulnerable programs or websites

Never heard of this and I may not be alone in that. Thanks for pointing this out.

I did one before. They are SO MUCH FUN. Now I have too many children.

sob

edit: There are other ways of capturing the flag like having your team name on the home page of a local web server or whatever.

Finally, hackers with a cool name, like Bellingcat or Oryx. It's all I'm asking for, but the Russian and North Korean hackers are so disappointing in so many ways.

When the government bankrolls you, you're not allowed to have fun.

The anti-circumvention clause is being abused for some years now, it's disgusting.

This is the sort of case that can fix it

So which anti-circumvention clause do you mean?

Remember, US law doesn't apply in Europe and as much as I know there is nothing like that in the EU.

https://badcyber.com/dieselgate-but-for-trains-some-heavyweight-hardware-hacking/ link for very detailed description of this story, highly recommend the read!

Thank you! Came here to ask if anyone had one source with the whole story. This keeps trickling out as it evolves.

Edit: this story is considerably weirder than I expected, and I was already expecting some weird shit.

Begs the question: How is any of this legal?

I would assume it is not, UE has some strict rules about fair competition, but the problem is to prove that in the court. Newag is arguing that the hacked and reverse engineered code is not the code they have. Probably in the meantime they run the cleaning protocol in the company...
But company's public image will hopefully suffer from the story, maybe at least they loose in eyes of potential buyers.

1 more...

This is good. Someone did that for printers too

And American Weight (?) digital scales. The ones that brick themselves after 2,000 uses because how dare you only pay once.

Lol. Always suspected there was a scam there, but every time I bring it up in a conversation - people just call me a conspiracy theorist.

This goes for pretty much everything though. Planned obsolescence is real, but people think it's just the natural way of things.

is there an article about this? Would love to read about it

There is no article that I could find, so I guess you take my word for it. But I'll fill you in on why I said it from what I remember. You can make up your mind on this:

I was looking for a digital scale during the pandemic and naturally went on Amazon. I found some within my budget (I live outside the US) but most of them had multiple reviews complaining about a weird error that they couldn't fix. I did some digging around, yet nobody seemed to know what the error really was that was showing up after some time of prolonged use without signs of wear. Eventually, I got to a thread on some technical forum that said it was a software error that strongly hinted at planned obsolescence after so many uses.

The weird thing is that I can't find any of the models that had this on Amazon anymore but it doesn't surprise me after some of the shit I've seen on there with people manipulating reviews on other products I've bought. So I guess it could go either way for someone review-bombing the product or it being a real issue, but that doesn't explain the error showing up on other sites. I wish I could remember what the error code was.

If anybody knows anything more about this, I'd love to hear it. It certainly was a strange surprise that ended up costing me a bit more than I was planning to spend. But I guess bullet dodged?

I like how, instead of recognizing that they got caught, now the train manufacturer is claiming this is some kind of dark PR strategy.

If it is, then please show the public that it's a dark PR strategy by explaining the hidden unlock codes and the DRM code!

I hate this fucking planet.

I think this is pretty cool. Sure, capitalists are gonna capitalist, but here we have subversive moves in a positive direction.

Oh yeah what the people did to get around this is fucking awesome I do love that side of this story don't get me wrong.

If they required the trains to be serviced by manufacturer they should have written it into a mandatory service contract at time of sales.

If anybody wants to know more, they can watch it here https://www.youtube.com/watch?v=w8NqBXT6Kos

Ah, Louis Rossmann, a real-life superhero. He did some great work in his career.

Why are you referring to him in the past tense? AFAIK he and his cat are still ranting about tech rights on the daily.

the world's not one's to fix, learn to protect yourself.

No the current model everywhere is to pay a vendor. I'm sure someone can get KPMG or Deloitte to fix the world.

1 more...
1 more...

Spewing bs about how they can't guarantee the safety and other outrageous shit pouring out their mouths as they provide clearly practiced lawyerspeak to squeeze money from public service into their owners pockets which will then be invested probably in war and killing children for profit.

But let's discuss ethics and shit! Fuck faces need to be brought to moral justice for the evil they commit every day of their brainwashed miserable hateful lives where they pretend to not harm people because they don't do it themselves but via money grabbing schemes. One day all of this shit will seem to be as stupid as hitting kids are these days

Every time I read about this kerfuffle, I am astounded by the sheer stupidity of the manufacturer. Even if they may be technically in the right here(I don't know, since the contracts they have with the operator aren't public), they effectively shoot themselves in the foot with this PR Desaster. Especially the various national rail operators across Europe will think twice about buying NEWAG, since these operators usually have their own maintenance and repair centers, and expect to service their rolling stock there. And those national operators still make up the lion's share of the European rail market.

This aint much of a problem. NEWAG operates almost exclusively on the internal market

I sure hope that they become a political talking point where the government loses votes if they contract with them again.

Apparently there was some kind of gps geo fencing going on - that the software detected the train went into an uncertified repair yard and bricked the thing. So I assume the hackers just purged that info, or unset the flags that denoted the brick condition so as far as the train software was concerned it was operating normally.

It's an interesting hack but there is a safety aspect to this too. A train is a complex machine that could go catastrophically wrong and kill a bunch of people. It's not quite Boeing 737 levels of safety criticality but neither is it something that should be taken lightly with regards to service procedure or parts procurement. So the manufacturer were being dicks to brick the train. But the train operator using an unauthorised repairer who might not have access to, let alone follow the correct servicing procedures or parts is not good either.

Is anyone else hearing Aquarela do Brasil or is it just me...